Overview of Standalone Sentry as a KKDCP server

Standalone Sentry supports the Kerberos Key Distribution Center Proxy (KKDCP) protocol over HTTPS.

NOTE: A separate Standalone Sentry is required for Kerberos proxy. You cannot enable ActiveSync or AppTunnel on a Standalone Sentry that has Kerberos proxy enabled. Enabling Kerberos proxy disables the ActiveSync and AppTunnel options.

The KKDCP protocol allows a client to use the KKDCP server to securely obtain Kerberos service tickets. The device sends Kerberos messages over HTTPS to the KKDCP server, in this case the Standalone Sentry. The Standalone Sentry locates a Key Distribution Center (KDC) and forwards the request to the KDC on behalf of the client. The KDC returns a ticket to Sentry. Sentry passes the ticket to the client. The ticket is stored on the client. A VPN is not required in this setup.
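The following is an added example, not Standalone Sentry's own code: a sketch of the validation a KKDCP proxy can apply to the HTTPS request body before relaying it to a KDC. It assumes the KDC-PROXY-MESSAGE layout from the MS-KKDCP specification (not described on this page); `ALLOWED_REALMS` and the `SAMPLE` bytes are constructed for illustration.

```python
import struct

ALLOWED_REALMS = {"EXAMPLE.COM"}  # constructed allowlist (assumption)

# Constructed sample body: SEQUENCE { [0] OCTET STRING, [1] GeneralString }
# carrying the placeholder Kerberos payload b"TEST" for realm EXAMPLE.COM.
SAMPLE = bytes.fromhex(
    "301ba00a04080000000454455354a10d1b0b4558414d504c452e434f4d")

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the octet count
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def parse_kdc_proxy_message(body):
    """Return (kerberos_message, realm); raise ValueError if malformed."""
    tag, seq, end = _tlv(body, 0)
    if tag != 0x30 or end != len(body):
        raise ValueError("body is not one DER SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = _tlv(seq, pos)
        fields[ctx] = _tlv(inner, 0)[:2]  # explicit tag wraps the real type
    msg_type, framed = fields.get(0xA0, (None, b""))
    realm_type, realm = fields.get(0xA1, (None, b""))
    if msg_type != 0x04 or realm_type != 0x1B:
        raise ValueError("kerb-message or target-domain missing")
    # kerb-message keeps the 4-octet big-endian length used for Kerberos over TCP
    if len(framed) < 4 or struct.unpack(">I", framed[:4])[0] != len(framed) - 4:
        raise ValueError("length prefix does not match payload")
    return framed[4:], realm.decode("ascii")

def should_forward(body):
    """Relay only well-formed requests that name an allowed realm."""
    try:
        return parse_kdc_proxy_message(body)[1] in ALLOWED_REALMS
    except ValueError:
        return False
```

Rejecting requests for realms outside the allowlist keeps an internet-facing proxy from relaying Kerberos traffic to KDCs it was never meant to reach.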

Standalone Sentry configured for KKDCP is part of a larger MobileIron deployment to set up single sign-on for iOS 7 through iOS 8 devices. This setup allows Safari and managed apps that support Kerberos to securely access an internal resource using SSO when the device is outside the corporate network. The Key Distribution Center (KDC) sits inside the corporate network.

To set up secure access to backend resources using AppTunnel:

1. In the MobileIron Core Admin Portal, configure a Standalone Sentry for KKDCP.
2. For end-to-end setup of single sign-on with Kerberos proxy, see the Single Sign-on With Kerberos Proxy document.