Kerberos-constrained delegation

Kerberos is a network authentication protocol designed to use secret-key cryptography for strong authentication in client-server applications. Pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password) are stored in the keytab file. The keytab file allows you to authenticate to various remote systems using Kerberos without entering a password. When you change your Kerberos password, you must recreate all of your keytabs. You can create keytab files on any computer that has a Kerberos client installed and copy them for use on other computers. If you use a SAML identity provider and want Enterprise Application Access to carry out Kerberos-constrained delegation for single sign-on into a back-end application, you need to add a keytab for Kerberos-constrained delegation, and then create a keytab object for each in-use service domain in your environment.

Forward Kerberos ticket-granting ticket to application

Prerequisite:
Active Directory (AD) added to Enterprise Application Access and assigned to an EAA connector that is able to reach the AD. See Add or edit an LDAP, AD or AD LDS directory.

When you use Kerberos single sign-on (SSO) as the application-facing authentication mechanism in Enterprise Application Access, the client can store a user's login session key in its ticket cache along with its full ticket-granting ticket (TGT). To enable this, you create an application policy for the Kerberized application. You should also assign the AD as the authentication directory and remove all other directories assigned to the application.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Applications > Applications.

  3. Select your application to open it.

  4. In Advanced > Application-facing Authentication Mechanism select Kerberos.

  5. Select Forward Kerberos Ticket-Granting Ticket to App.

  6. In Application authentication domain type the Kerberos realm of the application. If it is the same as the AD domain, specify the AD domain here.

  7. In Service Principal Name (SPN) verify the auto-generated configuration is correct. If it is not, enter changes as needed.

  8. Click Save and Deploy.

Add a keytab for Kerberos-constrained delegation

  1. On a computer with an installed Kerberos client, create a keytab file and save it on the system which you use to access Enterprise Center.

  2. Log in to Enterprise Center.

  3. In the Enterprise Center navigation menu, select Identity & Users > Keytabs.

  4. Click Add keytab.

  5. Enter the following information for the keytab:

    • Name. A unique identifier for the keytab.

    • Realm. The service domain that your applications belong to. For example, domain.company.com.

    • Keytab type. Select Kerberos delegation.

  6. To upload a keytab file, click Choose File.

  7. Select the keytab file from your system.

  8. Click Save.
    The keytab appears as a card on the Keytabs page.

The keytab deploys to all connectors in the Active Directory (AD) configuration. Enterprise Center selects the AD for deployment based on the user credentials when adding the keytab.
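Before uploading the keytab file created in step 1, it is worth checking that it holds only the intended service principal in the expected realm and no weak encryption types, since whatever is in the file is what every connector in the AD configuration receives. The following added example (not from Akamai's documentation) parses an MIT-format keytab and audits it; the principal names, realm names and key bytes are constructed sample data.

```python
import struct
# Enctype numbers from RFC 3961 / RFC 4757; single-DES and RC4 count as weak here.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

def _u(fmt, buf, off):  # unpack big-endian fields at off, returning (values, next offset)
    return struct.unpack_from(">" + fmt, buf, off), off + struct.calcsize(">" + fmt)

def parse_keytab(data):
    """List (principal, kvno, enctype) for each entry of an MIT keytab (file version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab version 2 file")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = _u("i", data, pos)
        if size <= 0: pos -= size; continue   # negative size marks a deleted slot
        end = pos + size
        (ncomp,), off = _u("H", data, pos)
        parts = []                            # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,), off = _u("H", data, off)
            parts.append(data[off:off + n].decode()); off += n
        (_ntype, _ts, vno8, etype, klen), off = _u("IIBHH", data, off)
        off += klen                           # skip the key material itself
        vno = (struct.unpack_from(">I", data, off)[0] or vno8) if end - off >= 4 else vno8  # optional 32-bit kvno
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": vno, "enctype": etype})
        pos = end
    return entries

def audit_keytab(data, expected_realm):
    """Findings to resolve before uploading; an empty list means the keytab looks sane."""
    findings = []
    for e in parse_keytab(data):
        if not e["principal"].endswith("@" + expected_realm):
            findings.append(f"{e['principal']}: realm is not {expected_realm}")
        if e["enctype"] in WEAK:
            findings.append(f"{e['principal']}: weak enctype {ENCTYPES.get(e['enctype'], e['enctype'])}")
    return findings

def make_entry(comps, realm, etype, key, kvno=2):
    """Build one keytab entry; used only to construct the sample data below."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 1700000000, kvno, etype, len(key)) + key  # 1 = KRB_NT_PRINCIPAL
    return struct.pack(">i", len(body)) + body

# Constructed sample: an AES entry in the expected realm plus an RC4 entry from another realm.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + make_entry(["HTTP", "app.company.com"], "DOMAIN.COMPANY.COM", 18, b"\x11" * 32)
                 + make_entry(["HTTP", "legacy.company.com"], "OTHER.COMPANY.COM", 23, b"\x22" * 16))
```

Running `audit_keytab(open("svc.keytab", "rb").read(), "DOMAIN.COMPANY.COM")` on a real file lists any entry from another realm or with a DES/RC4 key, which is what you would want to resolve before Enterprise Center pushes the file to every connector.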

Interact with a keytab card

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Identity & Users > Keytabs.
    The Keytabs page appears.

  3. Identify the keytab.

  4. Click Edit keytab on the keytab name, realm, or file to change it.

  5. Click Delete keytab to remove a keytab.

  6. Click Deploy keytab and in the dialog box, click Deploy, to deploy it. The keytab deploys to all connectors in the Active Directory (AD) configuration. EAA selects the AD for deployment based on the user credentials used when adding the keytab.

  7. Click List keytab to see the realm (from) and principal (to) that the keytab request interacts with.