Before you can use the built-in Kerberos authentication method, you must initialize the Key Distribution Center (KDC) in the VMware Identity Manager appliance.

To initialize the KDC, you assign your identity manager hostname to the Kerberos realms. The domain name is entered in upper-case letters. If you are configuring multiple Kerberos realms, it is recommended that you use descriptive names that end with your identity manager domain name, for example, SALES.MY-IDENTITYMANAGER.EXAMPLE.COM. If you configure subdomains, type the subdomain name in lower-case letters.

VMware Identity Manager is installed and configured.

Realm name identified. See Pre-KDC Configuration Decisions.


SSH into the VMware Identity Manager appliance as the root user.


Initialize the KDC. Enter /etc/init.d/vmware-kdc init --realm {REALM.COM} --subdomain {sva-name.subdomain}.

For example: /etc/init.d/vmware-kdc init --realm MY-IDM.EXAMPLE.COM --subdomain

If you are using a load balancer with multiple identity manager appliances, use the name of the load balancer in both cases.


Restart the VMware Identity Manager service. Enter service horizon-workspace restart.


Start the KDC service. Enter service vmware-kdc restart.

Create public DNS entries. DNS records must be provisioned to allow the clients to find the KDC. See Creating Public DNS Entries for KDC with Built-in Kerberos.
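The naming rules above (upper-case realm that ends with the identity manager domain name, lower-case subdomain) can be checked before the init command is run on the appliance. The script below is an added example, not part of the VMware documentation; the function names and the sample subdomain sva01.sales are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of the arguments to `vmware-kdc init`.
# The helper names and the sample values below are constructed for illustration.

# Realm: upper-case labels only, equal to or ending with the upper-cased
# identity manager domain name (the naming recommendation in the text).
valid_realm() {
    realm=$1
    domain_uc=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$realm" | LC_ALL=C grep -Eq '^[A-Z0-9-]+(\.[A-Z0-9-]+)+$' || return 1
    case "$realm" in
        "$domain_uc" | *."$domain_uc") return 0 ;;
        *) return 1 ;;
    esac
}

# Subdomain: lower-case labels only.
valid_subdomain() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z0-9-]+(\.[a-z0-9-]+)*$'
}

# Print the init command only when both arguments pass; otherwise explain why.
kdc_init_cmd() {
    if ! valid_realm "$1" "$3"; then
        echo "realm '$1' must be upper-case and end with the identity manager domain" >&2
        return 1
    fi
    if ! valid_subdomain "$2"; then
        echo "subdomain '$2' must be lower-case" >&2
        return 1
    fi
    printf '/etc/init.d/vmware-kdc init --realm %s --subdomain %s\n' "$1" "$2"
}

# Constructed sample: realm, subdomain, identity manager domain name.
kdc_init_cmd SALES.MY-IDENTITYMANAGER.EXAMPLE.COM sva01.sales my-identitymanager.example.com
```

The script only prints the command; review the output and run it yourself in the root SSH session on the appliance.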