Changes to KCD Deployments for SEG V2


With the release of AirWatch Console 9.2.3, SEG V2 now supports Kerberos Constrained Delegation. As SEG V2 features significant performance and stability improvements, VMware AirWatch encourages all customers to migrate to this version. 

Previously, Classic SEG could operate in a cross-domain (workgroup) mode or a domain-joined group. VMware AirWatch maintained two separate guides for this as there each was in need of different requirements. Going forward, these requirements have been condensed and combined into a single set that closely represents the cross-domain KCD deployment. 



KCD configuration has been simplified by removing all configurations local to the SEG server. Any configurations within MMC, IIS or other local applications are no longer required, as they are part of SEG V2's architecture and configuration. These settings have been replaced by items 1-4 displayed in the screenshot and outlined as follows:

  1. The chain of trust for client certificates is now uploaded in the AW console as part of the SEG configuration (previously done in MMC).
  2. The ability to require client certificates is now also part of the SEG configuration. This is required for KCD or may be used as an extra security measure on its own while leveraging basic authentication (previously done in IIS).
  3. Configuring the SEG server (IIS, Security Policies) is no longer required – these features are not used directly as the SEG architecture has changed.
  4. Domain controllers must have their FQDN defined as opposed to just hostname (previously only hostname was required for cross-domain KCD). Also note that multiple domains can be specified here such that a single SEG can serve multiple realms.



Additionally, it is recommended to create a second MEM config when migrating to V2, as the config values have changed. It is important to note all guarantees regarding migrating to V2 still hold; it can be installed on the same SEG server, without re-push of profiles and with minimal downtime. For additional information, please refer to the SEG V2 KCD Guide as well as the VMware AirWatch SEG Guide


Support Contact Information

To open a Support Request, please call your local support line or submit a Support Request via My Workspace ONE.


Best Regards,

The VMware Workspace ONE Team

Other Languages: 日本語

Have more questions? Submit a request


Article is closed for comments.