CloudAccess allows user authentication with either a user name and password or Integrated Windows Authentication with Kerberos if your identity source is Active Directory. If you choose to use Integrated Windows Authentication, you must configure Kerberos.
CloudAccess supports the use of only one Kerberos realm. If there are multiple Active Directory domains used as the identity source, all of the domains must use the same realm.
Use the information in the following sections to enable Kerberos authentication between Active Directory and CloudAccess.
1. As an Administrator in Active Directory, use MMC to create a new user within the search context specified during the initialization of the appliance.
   Name the new user according to the host and DNS name of the appliance. For example, if the public DNS name of the appliance is serv1.cloudaccess.com and the context that has been enabled for cloud is ou=acme corporation,dc=cloudaccess,dc=com, use the following information to create the user:
   First name: serv1
   User logon name: HTTP/serv1.cloudaccess.com
   Pre-Windows 2000 logon name: serv1
   Set password: Specify the desired password. For example: Passw0rd
   Password never expires: Select this option.
2. Associate the new user with the service principal name. Any domain or realm references must be uppercase.
   On the Active Directory server, open a cmd shell.
   At the command prompt, enter the following:
   setspn -A HTTP/appliancepublicdns@UPN.SUFFIX newusershortname
   For example: setspn -A HTTP/serv1.cloudaccess.com@CLOUDACCESS.COM serv1
   Verify the SPN by entering setspn -L shortusername
   For example: setspn -L serv1
3. Generate the keytab file using the ktpass utility. Any domain or realm references must be uppercase.
   At the command prompt, enter the following:
   ktpass /out filename /princ servicePrincipalName /mapuser userPrincipalName /pass userPassword
   For example: ktpass /out nidp.keytab /princ HTTP/serv1.cloudaccess.com@CLOUDACCESS.COM /mapuser serv1@CLOUDACCESS.COM /pass Passw0rd
   Ignore the message "Warning: pType and account type do not match."
4. Copy the nidp.keytab file created in Step 3 to the client computer whose browser you use to administer the appliance.
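Before the keytab is uploaded, an offline check catches the two mistakes this procedure warns about (a realm that is not uppercase, a principal that does not match the SPN that setspn registered). The Python below is an added example, not CloudAccess or Microsoft code: it parses the version 0x0502 keytab layout that ktpass produces, builds its own constructed sample input, and additionally flags DES and RC4 keys, which the procedure itself does not mention. The names EXPECTED_SPN, WEAK, build_keytab, parse_keytab and check_keytab are assumptions of this example.

```python
import struct

EXPECTED_SPN = "HTTP/serv1.cloudaccess.com@CLOUDACCESS.COM"  # principal from the ktpass step
WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # enctypes worth flagging

def _read_counted(buf, off):  # counted_octet_string: uint16 big-endian length, then bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n
def build_keytab(principal, enctype, key):  # constructed test input in the 0x0502 layout
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1)  # component count excludes the realm
    for p in parts:  # realm first, then the name components
        body += struct.pack(">H", len(p)) + p
    body += struct.pack(">IIB", 1, 0, 1)  # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
def parse_keytab(data):  # -> [(principal, enctype)] for every live entry of a 0x0502 keytab
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size == 0:  # a zero size would never advance; treat it as end of data
            break
        if size < 0:  # a negative size marks a deleted slot; skip its bytes
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _read_counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(data, off)
            comps.append(c.decode())
        enctype = struct.unpack_from(">H", data, off + 9)[0]  # after name_type, timestamp, vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), enctype))
        off = end  # key bytes and the optional 32-bit kvno are not needed for this check
    return entries
def check_keytab(data, expected=EXPECTED_SPN):
    """Problems to fix before uploading the keytab to the appliance (empty list means OK)."""
    problems = []
    for principal, enctype in parse_keytab(data):
        realm = principal.rsplit("@", 1)[1]
        checks = [(realm != realm.upper(), "realm not uppercase"),
                  (principal != expected, "unexpected principal"),
                  (enctype in WEAK, "weak enctype " + WEAK.get(enctype, ""))]
        problems += [msg + ": " + principal for bad, msg in checks if bad]
    return problems
```

Run check_keytab on the bytes of the real nidp.keytab; an empty list means the principal and realm match what setspn registered.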
The following steps enable the appliance to use Integrated Windows Authentication (IWA) with Kerberos, if your identity source is Active Directory.
1. Log in with an appliance administrator account to the Admin page at https://appliance_dns_name/appliance/index.html.
2. Click the Active Directory icon in the Identity Sources palette, then click Configure. (Do not drag the icon to the Identity Sources panel as you would when configuring the connector for Active Directory itself. These IWA configuration options are global for all connectors for Active Directory.)
3. Select Integrated Windows Authentication.
4. Next to the Keytab field, click Browse, then browse to and select the nidp.keytab file generated in Configuring the Kerberos User in Active Directory.
5. Click OK to save the changes.
6. Click Apply to apply the changes to the appliance.
To complete the Kerberos configuration for Active Directory, configure the user browser. For more information, see Section 8.2, Configuring End User Browsers for Kerberos Authentication.