Access Gateway for Cloud allows user authentication with either name/password or Integrated Windows Authentication with Kerberos. If you choose to use Integrated Windows Authentication, you must configure Kerberos.
Access Gateway for Cloud only supports the use of one Kerberos realm. If there are multiple Active Directory domains used as the identity source, all of the domains must use the same realm. The initial domain created is the only domain where you can configure the Integrated Windows Authentication feature.
Use the following information to allow Kerberos authentication between Active Directory and Access Gateway for Cloud.
As an Administrator in Active Directory, use MMC to create a new user within the search context specified during the initialization of the appliance.
Name the new user according to the Host and DNS name of the appliance. For example, if the public DNS of the appliance is serv1.ag4c.com and the context that has been enabled for cloud is ou=acme corporation,dc=ag4c,dc=com, use the following information to create the user.
First name: serv1
User login name: HTTP/serv1.ag4c.com
Pre-windows logon name: serv1
Set password: Specify the desired password. The keytab generated later holds a key derived from this password, so anyone who obtains either the password or the keytab can impersonate the appliance to the KDC; use a long, randomly generated value.
For example: Passw0rd (the documentation's illustrative value; do not reuse it)
Password never expires: Select this option.
Associate the new user with the service principal name.
Any domain or realm references must be uppercase.
On the Active Directory server, open a cmd shell.
At the command prompt enter:
setspn -A HTTP/appliancepublicdns@UPN.SUFFIX newusershortname
For example: setspn -A HTTP/serv1.ag4c.com@AG4C.COM serv1
Verify the registration by entering setspn -L shortusername
For example: setspn -L serv1
A service principal name must be held by exactly one account; if another account already carries the same SPN, the KDC cannot issue a ticket for it and Integrated Windows Authentication fails. On Windows Server 2008 and later, setspn -S performs the same registration as setspn -A but refuses to add a duplicate, and setspn -Q HTTP/serv1.ag4c.com searches the forest for existing holders.
Generate the keytab file using the ktpass utility.
Any domain or realm references must be uppercase.
At the command prompt enter:
ktpass /out filename /princ servicePrincipalName /mapuser userPrincipalName /pass userPassword
For example: ktpass /out nidp.keytab /princ HTTP/serv1.ag4c.com@AG4C.COM /mapuser serv1@AG4C.COM /pass Passw0rd
Note that /mapuser rewrites the account's user principal name to the value given in /princ, and /pass resets the account's password to the value supplied, so the password given here must be the one you want the account to have from now on.
Ignore the message Warning: pType and account type do not match.
Copy the nidp.keytab file created in Step 3 to the client computer that you use for administration, so that you can upload it through the browser in the next procedure. Treat the file as you would the account password: keep it readable only by the administrator performing the upload and delete the copies once the appliance has accepted it.
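The three Active Directory steps above (create the user, register the SPN, produce the keytab) can be run unattended from PowerShell on the domain controller. The script below is an added example, not part of the Access Gateway for Cloud documentation or product; it assumes the same values as the text (appliance serv1.ag4c.com, realm AG4C.COM, context ou=acme corporation,dc=ag4c,dc=com), the RSAT ActiveDirectory module, and a domain administrator session. It goes slightly beyond the text by generating a random password instead of a fixed one, using setspn -S so that a duplicate SPN is rejected, and restricting the keytab file's ACL after ktpass writes it.

```powershell
# Added example for the Kerberos user procedure; not from the product documentation.
# Assumed values: appliance serv1.ag4c.com, realm AG4C.COM (realm must be uppercase),
# target OU "ou=acme corporation,dc=ag4c,dc=com". Run as a domain admin on a DC
# that has the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$ApplianceFqdn = 'serv1.ag4c.com'
$ShortName     = $ApplianceFqdn.Split('.')[0]                          # serv1 (pre-Windows 2000 logon name)
$Realm         = $ApplianceFqdn.Split('.', 2)[1].ToUpperInvariant()   # AG4C.COM
$Spn           = "HTTP/$ApplianceFqdn"
$Principal     = "$Spn@$Realm"                                        # HTTP/serv1.ag4c.com@AG4C.COM
$OuPath        = 'OU=acme corporation,DC=ag4c,DC=com'
$KeytabPath    = Join-Path $env:TEMP 'nidp.keytab'

# The keytab holds a key derived from this password, so use a random one; nobody
# has to type it again once ktpass has run.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$PlainPassword  = [Convert]::ToBase64String($bytes)
$SecurePassword = ConvertTo-SecureString $PlainPassword -AsPlainText -Force

# Step 1: create the service account inside the search context enabled for the appliance.
New-ADUser -Name $ShortName -GivenName $ShortName `
    -SamAccountName $ShortName `
    -UserPrincipalName $Principal `
    -Path $OuPath `
    -AccountPassword $SecurePassword `
    -PasswordNeverExpires $true `
    -Enabled $true

# Step 2: register the SPN in the form the documentation uses. setspn -S (unlike -A)
# first checks that no other account holds the SPN; a duplicate breaks Kerberos.
& setspn -S $Principal $ShortName
if ($LASTEXITCODE -ne 0) {
    throw "setspn failed (duplicate SPN?). Inspect holders with: setspn -Q $Principal"
}

# Verify the SPN is attached to the account (equivalent to 'setspn -L serv1').
$registered = (Get-ADUser $ShortName -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $Principal) {
    throw "SPN $Principal is not registered on $ShortName"
}

# Step 3: produce the keytab. /mapuser rewrites the account UPN to the /princ value and
# /pass resets the account password, so the same random password is supplied here.
# The 'pType and account type do not match' warning can be ignored, as the text says.
& ktpass /out $KeytabPath /princ $Principal /mapuser "$ShortName@$Realm" `
    /pass $PlainPassword /ptype KRB5_NT_PRINCIPAL
if (-not (Test-Path $KeytabPath)) {
    throw "ktpass did not produce $KeytabPath"
}

# The keytab is as sensitive as the password: strip inherited permissions and leave
# only the administrator running this script with access until it is uploaded.
$acl = Get-Acl $KeytabPath
$acl.SetAccessRuleProtection($true, $false)
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $KeytabPath -AclObject $acl

Write-Host "Keytab written to $KeytabPath. Upload it on the appliance's Authentication page, then delete this copy."
```

ktpass also accepts a /crypto option that selects which key types go into the keytab; the documentation does not say which encryption types the appliance accepts, so leave it at the default unless you have confirmed that the appliance supports the type you choose.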
The following steps enable the appliance to use Kerberos.
Log in to the administration page.
For more information, see Section 3.1, Accessing the Administration Page.
Click the primary Active Directory connection, then click Configure.
Click Authentication, then check Integrated Windows Authentication.
In the Keytab field click Browse, then browse to and select the nidp.keytab file generated in Configuring the Kerberos User in Active Directory.
Click OK to save the changes.
Click Apply to apply the changes to the appliance.
To complete the Kerberos configuration, configure the end user browser. For more information, see Section 8.3, Configuring the End User Browsers for Kerberos Authentication. For more information about users’ authentication experience, see Section 10.7, Typical Use Cases for Authentication to the SaaS Applications.