How to change the Workspace ONE Access KDC configuration on a cluster

Typically, in a highly available Workspace ONE Access deployment, the first node is configured and services such as the KDC (used for iOS Mobile SSO) are initialized on it. That node is then cloned to form the 3-node cluster, so all three nodes start out with an identical KDC configuration.

The KDC service is usually initialized by running the following command:

/etc/init.d/vmware-kdc init --realm YOURKDCREALM.COM --subdomain yoursubdomain.com

There might be a case where you need to change the KDC realm or subdomain after the cluster is already up and running. If you simply run vmware-kdc init (…) --force independently on every node, each node generates its own fresh KDC configuration, the nodes no longer share the same one, and you will most likely see error messages when configuring iOS Mobile SSO.

A solution for this is to re-configure KDC on the first Workspace ONE Access node, export this configuration and import it on the other nodes.

First Workspace ONE Access node:

In order to re-configure KDC, you can use the following command:

/etc/init.d/vmware-kdc init --realm YOURNEWKDCREALM.COM --subdomain yournewsubdomain.com --force

To export the new configuration, use the following command:

/etc/init.d/vmware-kdc dump <filename>

As <filename>, you can use something like /tmp/kdc-cfg.tar.

Use your preferred tool (for example scp) to copy the configuration file to the other servers. Treat the archive as secret material: it is what makes every node issue and accept the same Kerberos tickets, so copy it over an authenticated channel, keep it readable only by root and the horizon user, and delete it from every node once it has been imported.

Second and third nodes:

Change the ownership of the configuration file:

chown horizon <filename>

Re-configure KDC with the new parameters and then import the new configuration file:

/etc/init.d/vmware-kdc init --realm YOURNEWKDCREALM.COM --subdomain yournewsubdomain.com --force
/etc/init.d/vmware-kdc load --force <filename>

Restart the server.
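The whole procedure as one POSIX shell script, added here as an example; it is not part of the original article or of VMware's own tooling. It uses only the vmware-kdc subcommands and flags shown above (init --realm/--subdomain --force, dump, load --force) and adds the two checks a practitioner wants around them: the exporting node prints a SHA-256 of the archive, and the importing nodes refuse to run init --force and load --force unless the archive they received matches that digest, then remove the archive afterwards. The names KDC_CMD and KDC_OWNER are assumptions introduced so the script can be pointed at a different init script path or service account if yours differ; the defaults are the path and user from the article.

```shell
#!/bin/sh
# Re-key a Workspace ONE Access KDC cluster: re-init and dump on node 1,
# digest-checked import on nodes 2..n. Added example, not VMware tooling.
set -eu

KDC_CMD="${KDC_CMD:-/etc/init.d/vmware-kdc}"   # assumed overridable; default from the article
KDC_OWNER="${KDC_OWNER:-horizon}"               # assumed overridable; default from the article

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Node 1: re-initialise with the new realm/subdomain, then dump the result.
# Prints the archive's SHA-256 so it can be carried to the other nodes out of band.
kdc_export_primary() {
    realm=$1; subdomain=$2; archive=$3
    "$KDC_CMD" init --realm "$realm" --subdomain "$subdomain" --force
    "$KDC_CMD" dump "$archive"
    [ -s "$archive" ] || { echo "dump produced no archive at $archive" >&2; return 1; }
    chmod 600 "$archive"             # the archive is what every node will share; keep it private
    sha256_of "$archive"
}

# Nodes 2..n: verify the archive against the digest from node 1 before touching
# the KDC, then run the same init --force and load --force the article prescribes.
kdc_import_secondary() {
    realm=$1; subdomain=$2; archive=$3; expected_sha=$4
    actual_sha=$(sha256_of "$archive")
    if [ "$actual_sha" != "$expected_sha" ]; then
        echo "archive digest mismatch: expected $expected_sha, got $actual_sha" >&2
        return 1
    fi
    chown "$KDC_OWNER" "$archive"
    "$KDC_CMD" init --realm "$realm" --subdomain "$subdomain" --force
    "$KDC_CMD" load --force "$archive"
    rm -f "$archive"                 # do not leave the shared configuration lying around in /tmp
    echo "KDC configuration imported on this node; restart it now" >&2
}

# Usage on node 1:    sh kdc-recfg.sh export YOURNEWKDCREALM.COM yournewsubdomain.com /tmp/kdc-cfg.tar
# Usage on nodes 2-3: sh kdc-recfg.sh import YOURNEWKDCREALM.COM yournewsubdomain.com /tmp/kdc-cfg.tar <sha256 from node 1>
case "${1:-}" in
    export) kdc_export_primary "$2" "$3" "$4" ;;
    import) kdc_import_secondary "$2" "$3" "$4" "$5" ;;
esac
```

The digest is passed as a separate argument on purpose: if an attacker can alter the archive in transit they can also alter a digest file travelling beside it, so read the value from the export node's terminal (or send it over a different channel) rather than shipping it with the tarball.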