3.8 Configuring Integrated Windows Authentication with Kerberos

Access Gateway for Cloud allows user authentication with either name/password or Integrated Windows Authentication with Kerberos. If you choose to use Integrated Windows Authentication, you must configure Kerberos.

Access Gateway for Cloud only supports the use of one Kerberos realm. If there are multiple Active Directory domains used as the identity source, all of the domains must use the same realm. The initial domain created is the only domain where you can configure the Integrated Windows Authentication feature.

Use the following information to allow Kerberos authentication between Active Directory and Access Gateway for Cloud.

3.8.1 Configuring the Kerberos User in Active Directory

  1. As an Administrator in Active Directory, use MMC to create a new user within the search context specified during the initialization of the appliance.

    Name the new user according to the host and public DNS name of the appliance. For example, if the public DNS name of the appliance is serv1.ag4c.com and the context that has been enabled for cloud is ou=acme corporation,dc=ag4c,dc=com, use the following information to create the user.

    First name: serv1

    User login name: HTTP/serv1.ag4c.com

    Pre-Windows logon name: serv1

    Set password: Specify the desired password.

    For example: Passw0rd

    Password never expires: Select this option.

  2. Associate the new user with the service principal name.

    Any domain or realm references must be uppercase.

    1. On the Active Directory server, open a cmd shell.

    2. At the command prompt enter:

      setspn -A HTTP/appliancepublicdns@UPN.SUFFIX newusershortname

      For example: setspn -A HTTP/serv1.ag4c.com@AG4C.COM serv1

    3. Verify that the SPN was registered on the user by entering setspn -L shortusername

      For example: setspn -L serv1

  3. Generate the keytab file using the ktpass utility.

    Any domain or realm references must be uppercase.

    1. At the command prompt enter:

      ktpass /out filename /princ servicePrincipalName /mapuser userPrincipalName /pass userPassword

      For example: ktpass /out nidp.keytab /princ HTTP/serv1.ag4c.com@AG4C.COM /mapuser serv1@AG4C.COM /pass Passw0rd

    2. Ignore the message Warning: pType and account type do not match.

  4. Copy the nidp.keytab file created in Step 3 to the client computer that you are using for administration, so that it can be uploaded through the browser when you configure the appliance.
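Before uploading the keytab, it is worth confirming that ktpass produced what the procedure expects: one entry whose principal is HTTP/appliancepublicdns@REALM, with the realm in uppercase as required above. The following Python script is an added example, not part of this documentation or of the product; it assumes ktpass writes the standard version-2 (0x0502) MIT keytab layout, and the sample keytab it builds is constructed inline with a made-up 32-byte key so the script runs without any real file. Pass a real path to inspect_file() instead. Note that a keytab holds key material equivalent to the service account password, so it should be restricted to the administrator and removed from the workstation once uploaded.

```python
import struct
from dataclasses import dataclass
from typing import List

# Common Kerberos encryption-type numbers (RFC 3961/3962/4757); names only, for reporting.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4 are deprecated; flag them for review


@dataclass
class KeytabEntry:
    principal: str   # e.g. HTTP/serv1.ag4c.com@AG4C.COM
    enctype: int
    kvno: int
    timestamp: int
    key_len: int     # the key bytes themselves are deliberately not kept


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string (keytab 'counted_octet_string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 (0x0502, big-endian) MIT keytab into its entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                    # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:              # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   enctype, kvno, ts, len(key)))
    return entries


def check_keytab(data: bytes, expected_principal: str) -> List[str]:
    """Return a list of problems; an empty list means the keytab matches expectations."""
    entries = parse_keytab(data)
    problems = []
    if not entries:
        problems.append("keytab contains no entries")
    for e in entries:
        realm = e.principal.rsplit("@", 1)[1]
        if realm != realm.upper():
            problems.append(f"realm is not uppercase in {e.principal}")
        if e.enctype in WEAK_ENCTYPES:
            problems.append(f"weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} "
                            f"in {e.principal}")
    if not any(e.principal == expected_principal for e in entries):
        problems.append(f"expected principal {expected_principal} not found")
    return problems


def inspect_file(path: str, expected_principal: str) -> List[str]:
    with open(path, "rb") as f:
        return check_keytab(f.read(), expected_principal)


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int, timestamp: int) -> bytes:
    """Construct a one-entry version-2 keytab (used here only to make a sample file)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample: the principal from the procedure above with a made-up AES-256 key.
SAMPLE_KEYTAB = build_keytab("HTTP/serv1.ag4c.com@AG4C.COM", 18, bytes(range(32)), 3, 1700000000)

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print("problems:", check_keytab(SAMPLE_KEYTAB, "HTTP/serv1.ag4c.com@AG4C.COM"))
```

Run it against the real file with inspect_file("nidp.keytab", "HTTP/serv1.ag4c.com@AG4C.COM"); a lowercase realm in the output means the ktpass /princ or /mapuser value was not uppercased and the keytab should be regenerated.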

3.8.2 Configuring the Appliance to Use Integrated Windows Authentication with Kerberos

The following steps enable the appliance to use Kerberos.

  1. Log in to the administration page.

    For more information, see Section 3.1, Accessing the Administration Page.

  2. Click the primary Active Directory connection, then click Configure.

  3. Click Authentication, then check Integrated Windows Authentication.

  4. In the Keytab field click Browse, then browse to and select the nidp.keytab file generated in Configuring the Kerberos User in Active Directory.

  5. Click OK to save the changes.

  6. Click Apply to apply the changes to the appliance.

3.8.3 Configuring the End User Browsers

To complete the Kerberos configuration, configure the end user browser. For more information, see Section 8.3, Configuring the End User Browsers for Kerberos Authentication. For more information about users’ authentication experience, see Section 10.7, Typical Use Cases for Authentication to the SaaS Applications.