Support for Kerberos Key Distribution Center Proxy (KKDCP)

Standalone Sentry supports the Kerberos Key Distribution Center Proxy (KKDCP) protocol over HTTPS.

Note: A separate Standalone Sentry is required for Kerberos proxy. You cannot enable ActiveSync or AppTunnel on a Standalone Sentry that has Kerberos proxy enabled. Enabling Kerberos proxy disables the ActiveSync and AppTunnel options.

The KKDCP protocol allows a client to use a KKDCP server to securely obtain Kerberos service tickets. The device sends Kerberos messages over HTTPS to the KKDCP server, which in this case is the Standalone Sentry. The Standalone Sentry locates a Key Distribution Center (KDC) and forwards the request to the KDC on behalf of the client. The KDC returns a ticket to the Sentry, and the Sentry passes the ticket to the client, where it is stored. A VPN is not required in this setup.
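The request body a client posts to a KKDCP server is a DER-encoded KDC-PROXY-MESSAGE (MS-KKDCP) that wraps the length-prefixed Kerberos message and names the target realm. The following is an added example, not code from Standalone Sentry, of the checks a proxy can apply before forwarding such a body to a KDC; the realm allowlist, the size cap, the function names and the sample bytes are assumptions made for the illustration.

```python
import struct

ALLOWED_REALMS = {"CORP.EXAMPLE.COM"}   # assumption: realms this proxy serves
MAX_KRB_LEN = 64 * 1024                 # assumption: size cap for one request

def der(tag, value):
    """Encode one DER TLV (used here only to build the sample request)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def check_kkdcp_request(body):
    """Return (realm, kerberos_message) if the POST body is safe to forward."""
    tag, seq, end = read_tlv(body, 0)
    if tag != 0x30 or end != len(body):
        raise ValueError("not a single KDC-PROXY-MESSAGE SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):                # [0] kerb-message, [1] target-domain, [2] hint
        ctx, inner, pos = read_tlv(seq, pos)
        fields[ctx] = read_tlv(inner, 0)[1]
    framed = fields.get(0xA0, b"")
    if len(framed) < 4 or len(framed) - 4 > MAX_KRB_LEN:
        raise ValueError("kerb-message missing or oversized")
    if struct.unpack(">I", framed[:4])[0] != len(framed) - 4:
        raise ValueError("length prefix does not match kerb-message size")
    realm = fields.get(0xA1, b"").decode("ascii", "replace")
    if realm not in ALLOWED_REALMS:      # policy choice here: target-domain is required
        raise PermissionError(f"realm {realm!r} is not served by this proxy")
    return realm, framed[4:]

def sample_request(realm, krb=b"constructed-krb-bytes"):
    """Constructed request; krb is a stand-in blob, not a real Kerberos message."""
    framed = struct.pack(">I", len(krb)) + krb
    return der(0x30, der(0xA0, der(0x04, framed)) + der(0xA1, der(0x1B, realm.encode())))
```

Rejecting unknown realms and malformed framing at the proxy keeps an internet-facing KKDCP endpoint from relaying arbitrary bytes to internal KDCs.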

Using Standalone Sentry as a Kerberos proxy server, you can set up single sign-on (SSO) for iOS 7 through iOS 8 devices. This setup allows Safari and managed apps that support Kerberos to securely access an internal resource using SSO when the device is outside the corporate network. The Key Distribution Center (KDC) sits inside the corporate network.

See “Adding an entry for Standalone Sentry on MobileIron Core” for information on how to configure the Standalone Sentry for KKDCP.