3.10 Configuring Integrated Windows Authentication with Kerberos

CloudAccess allows user authentication with either name and password or Integrated Windows Authentication with Kerberos if your identity source is Active Directory. If you choose to use Integrated Windows Authentication, you must configure Kerberos.

CloudAccess supports the use of only one Kerberos realm. If there are multiple Active Directory domains used as the identity source, all of the domains must use the same realm.

Use the information in the following sections to enable Kerberos authentication between Active Directory and CloudAccess.

3.10.1 Configuring the Kerberos User in Active Directory

To configure Kerberos on your Active Directory domain:

  1. As an Administrator in Active Directory, use MMC to create a new user within the search context specified during the initialization of the appliance.

    Name the new user according to the host and DNS name of the appliance. For example, if the public DNS name of the appliance is serv1.cloudaccess.com and the context that has been enabled for cloud is ou=acme corporation,dc=cloudaccess,dc=com, use the following information to create the user:

    First name: serv1

    User login name: HTTP/serv1.cloudaccess.com

    Pre-Windows logon name: serv1

    Set password: Specify the desired password. For example: Passw0rd

    Password never expires: Select this option.

  2. Associate the new user with the service principal name.

    Any domain or realm references must be uppercase.

    1. On the Active Directory server, open a cmd shell.

    2. At the command prompt, enter the following:

      setspn -A HTTP/appliancepublicdns@UPN.SUFFIX newusershortname

      For example: setspn -A HTTP/serv1.cloudaccess.com@CLOUDACCESS.COM serv1

    3. Verify the SPN registration by entering setspn -L newusershortname

      For example: setspn -L serv1

  3. Generate the keytab file using the ktpass utility.

    Any domain or realm references must be uppercase.

    1. At the command prompt, enter the following:

      ktpass /out filename /princ servicePrincipalName /mapuser userPrincipalName /pass userPassword

      For example: ktpass /out nidp.keytab /princ HTTP/serv1.cloudaccess.com@CLOUDACCESS.COM /mapuser serv1@CLOUDACCESS.COM /pass Passw0rd

    2. Ignore the message Warning: pType and account type do not match.

  4. Copy the nidp.keytab file created in Step 3 to the client computer that you are using for administration, so that you can browse to it from the Admin page of the appliance.
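Before the keytab is uploaded to the appliance, it is worth confirming that it actually contains the principal registered with setspn (HTTP/serv1.cloudaccess.com@CLOUDACCESS.COM in the example above), that the realm is uppercase as the procedure requires, and which encryption type ktpass wrote. The following Python script is an added example, not part of this documentation or the CloudAccess product; it reads the MIT version-2 keytab layout that ktpass produces. The keytab bytes it inspects are constructed in the script itself (one correct entry and one with a lowercase realm); in practice you would pass the contents of nidp.keytab to check_keytab.

```python
"""Inspect a Kerberos keytab (MIT v2 layout, as written by ktpass) before
uploading it.  Added example; SAMPLE_KEYTAB below is constructed in code,
not the output of a real ktpass run."""
import struct
import time
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"          # version-2 keytab header
ENCTYPE_NAMES = {                    # RFC 3961/3962/4757 enctype numbers
    1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
}
LEGACY_ENCTYPES = {1, 3, 23}         # DES and RC4: report, do not accept silently


@dataclass
class KeytabEntry:
    principal: str      # e.g. "HTTP/serv1.cloudaccess.com"
    realm: str          # e.g. "CLOUDACCESS.COM"
    kvno: int
    enctype: int
    key_len: int


def _counted(buf: bytes, off: int):
    """Read a 16-bit big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def _put_counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise (principal, realm, kvno, enctype, key) tuples as a v2 keytab.
    Used here only to construct sample input in the same layout ktpass writes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _put_counted(realm.encode())
        body += b"".join(_put_counted(c.encode()) for c in comps)
        # name type KRB5_NT_PRINCIPAL (1), timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _put_counted(key)
        body += struct.pack(">I", kvno)              # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:            # 32-bit kvno, when present, overrides vno8
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), kvno, enctype, len(key)))
    return entries


def check_keytab(data: bytes, expected_spn: str, expected_realm: str):
    """Return a list of problems; an empty list means the keytab carries the
    SPN registered with setspn under the expected uppercase realm."""
    problems = []
    matches = [e for e in parse_keytab(data) if e.principal == expected_spn]
    if not matches:
        problems.append(f"no entry for {expected_spn}")
    for e in matches:
        if e.realm != expected_realm:
            problems.append(f"realm {e.realm!r} != expected {expected_realm!r}")
        if e.realm != e.realm.upper():
            problems.append(f"realm {e.realm!r} is not uppercase")
        if e.enctype in LEGACY_ENCTYPES:
            problems.append(f"legacy enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    return problems


# Constructed sample: one correct entry, one with a lowercase realm and RC4 key.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/serv1.cloudaccess.com", "CLOUDACCESS.COM", 3, 18, bytes(32)),
    ("HTTP/serv1.cloudaccess.com", "cloudaccess.com", 3, 23, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}@{e.realm} kvno={e.kvno} "
              f"enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)} keylen={e.key_len}")
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/serv1.cloudaccess.com", "CLOUDACCESS.COM"))
```

To check a real file, replace SAMPLE_KEYTAB with open("nidp.keytab", "rb").read(); the realm and enctype findings tell you whether the ktpass /princ argument was typed in uppercase and whether an older encryption type was written.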

3.10.2 Configuring the Appliance to Use Integrated Windows Authentication with Kerberos

The following steps enable the appliance to use Integrated Windows Authentication (IWA) with Kerberos, if your identity source is Active Directory.

  1. Log in with an appliance administrator account to the Admin page at https://appliance_dns_name/appliance/index.html.

  2. Click the Active Directory icon in the Identity Sources palette, then click Configure. (Do not drag the icon to the Identity Sources panel as you would when configuring the connector for Active Directory itself. These IWA configuration options are global for all connectors for Active Directory.)

  3. Select Integrated Windows Authentication.

  4. Next to the Keytab field, click Browse, then browse to and select the nidp.keytab file generated in Configuring the Kerberos User in Active Directory.

  5. Click OK to save the changes.

  6. Click Apply to apply the changes to the appliance.

3.10.3 Configuring User Browsers

To complete the Kerberos configuration for Active Directory, configure the user browser. For more information, see Section 8.2, Configuring End User Browsers for Kerberos Authentication.