Kerberos-constrained delegation

Kerberos is a network authentication protocol that uses secret-key cryptography for strong authentication in client-server applications. A keytab file stores pairs of Kerberos principals and their long-term keys (derived from the principal's Kerberos password). A keytab lets a service authenticate to Kerberos-protected systems without entering a password, so it must be protected like a password. Because the keys are derived from the password, you must recreate all keytabs for a principal whenever you change that principal's Kerberos password. You can create keytab files on any computer that has a Kerberos client installed and copy them to the computers that use them. If you use a Security Assertion Markup Language (SAML) identity provider (IdP) and want Enterprise Application Access (EAA) to carry out Kerberos-constrained delegation for single sign-on (SSO) into a back-end application, add a keytab for Kerberos-constrained delegation, creating one keytab object for each in-use service domain (realm) in your environment.

Forward Kerberos ticket-granting ticket to application

Before you begin, make sure an Active Directory (AD) is added to Enterprise Application Access and assigned to an EAA connector that can reach the AD. See Add or edit an LDAP, AD or AD LDS directory.

When you select Kerberos single sign-on (SSO) as the application-facing authentication mechanism in Enterprise Application Access, EAA can forward the user's full ticket-granting ticket (TGT), together with its login session key, to the application, which keeps both in its ticket cache and can then obtain service tickets on the user's behalf. You configure this in the application policy for the kerberized application. Assign the AD as the authentication directory and remove all other directories assigned to the application: only users who authenticate against that AD have a TGT to forward.

  1. Log in to Enterprise Application Access.

  2. In the Enterprise Application Access navigation menu, select Applications.

  3. On the application card, click Settings, and select ADVANCED SETTINGS.

  4. In Application-facing Authentication Mechanism select Kerberos.

  5. Select Forward Kerberos Ticket-Granting Ticket to App.

  6. In Application authentication domain, type the Kerberos realm of the application. If it is the same as the AD domain, specify the AD domain here.

  7. In Service Principal Name (SPN), verify the auto-generated configuration is correct. If it is not, enter changes as needed.

  8. Click Save.

  9. Deploy the application.

Add a keytab for Kerberos-constrained delegation

  1. On a computer with an installed Kerberos client, create a keytab file and save it on the system which you use to access Enterprise Application Access.

  2. Log in to Enterprise Application Access.

  3. In the Enterprise Application Access navigation menu, select System > Keytabs > Add Keytab.

  4. Enter the following information for the keytab:

    • Name. A unique identifier for the keytab.

    • Realm. The service domain that your applications belong to. For example,

    • Keytab type. Select Kerberos delegation.

  5. To upload a keytab file, click Choose File.

  6. Select the keytab file from your system.

  7. Click Save.
    The keytab appears as a card on the Keytabs page.

The keytab is deployed to every connector assigned to the Active Directory (AD) configuration. Enterprise Application Access selects that AD from the credentials in the keytab (its principal and realm) when you add the keytab.
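A keytab is uploaded blind: the Keytabs page accepts the file and only later shows per-connector deployment status. Before uploading, a practitioner wants to confirm what the file actually contains: that the principal's realm matches the Realm you enter here and the realm of the SPN verified in the "Forward Kerberos ticket-granting ticket to application" procedure, that the key version number (kvno) is current, and that the key uses an AES encryption type rather than RC4 or DES. The following Python script is an added example, not EAA's own code or tooling. It parses the MIT keytab file format (version 0x0502) as written by ktutil or ktpass, and builds a constructed sample keytab so it runs offline; the principal eaa-kcd, the realm CORP.EXAMPLE.COM, the SPN HTTP/app.corp.example.com and the key bytes are assumptions for illustration.

```python
"""Inspect a keytab before uploading it for Kerberos-constrained delegation.

Added example, not part of Enterprise Application Access. The sample
principal, realm, SPN and key bytes are constructed; real keytabs come from
ktutil (MIT/Heimdal) or ktpass (Windows) and parse the same way.
"""
import struct

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}


def _cstr(b: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(principal: str, realm: str, kvno: int, enctype: int,
                 key: bytes, timestamp: int = 0) -> bytes:
    """Serialize a one-entry keytab in format version 0x0502.
    Used here only to construct a sample; key derivation is not done."""
    components = principal.split("/")
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    for c in components:
        body += _cstr(c.encode())
    # name_type 1 (NT-PRINCIPAL), timestamp, 8-bit vno
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    """Return one dict per live entry; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:  # a non-zero 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm, "kvno": kvno,
                        "enctype": enctype, "key_len": len(key), "timestamp": timestamp})
    return entries


def check_keytab(data: bytes, expected_realm: str, app_spn: str) -> list:
    """Return a list of problems; an empty list means the keytab looks usable.
    expected_realm is the Realm entered on the Keytabs page; app_spn is the SPN
    from the application's advanced settings (with or without @REALM)."""
    entries = parse_keytab(data)
    if not entries:
        return ["keytab has no entries"]
    spn_realm = app_spn.split("@", 1)[1] if "@" in app_spn else expected_realm
    problems = []
    for e in entries:
        tag = "%s@%s" % (e["principal"], e["realm"])
        if e["realm"] != expected_realm.upper():
            problems.append("%s: realm does not match %s" % (tag, expected_realm.upper()))
        if e["realm"] != spn_realm.upper():
            problems.append("%s: realm differs from SPN realm %s" % (tag, spn_realm.upper()))
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s: weak enctype %s" % (tag, ENCTYPES.get(e["enctype"], e["enctype"])))
        if e["kvno"] == 0:
            problems.append("%s: kvno 0, key may be stale" % tag)
    return problems


if __name__ == "__main__":
    # Constructed sample: an AES256 key for the delegating principal (assumed name).
    sample = build_keytab("eaa-kcd", "CORP.EXAMPLE.COM", 3, 18, bytes(range(32)))
    for entry in parse_keytab(sample):
        print(entry["principal"], entry["realm"], "kvno", entry["kvno"],
              ENCTYPES.get(entry["enctype"], entry["enctype"]))
    print(check_keytab(sample, "corp.example.com", "HTTP/app.corp.example.com") or "OK")
```

Run it against a real file with parse_keytab(open("eaa.keytab", "rb").read()); the kvno it reports should match the current kvno of the service account in AD, or the connector's delegation requests will fail after the password rotation described above.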

Interact with a keytab card

  1. Log in to Enterprise Application Access.

  2. In the Enterprise Application Access navigation menu, select System > Keytabs.
    The keytabs page appears.

  3. Identify the keytab card.

  4. Click Edit to change the keytab name, realm, or file.

  5. Click Delete to remove a keytab.

  6. Click Information to see the deployment status of the keytab with each connector.

  7. Click List to see the realm (from) and the principal (to) that the keytab is used with in delegation requests.