Kerberos Delegation Overview

Kerberos delegation means that Active Directory trusts a specific account (here, the Unified Access Gateway service account) to request Kerberos service tickets on behalf of other users. Unified Access Gateway uses Kerberos constrained delegation with protocol transition: the delegation account may obtain tickets only for the backend services it is explicitly allowed to reach, and it may do so for a user who proved their identity to the gateway with something other than Kerberos (a SAML assertion in this lab).

Since Unified Access Gateway is not joined to the domain, it needs another way to authenticate to Active Directory as the delegation account. This is done with a Keytab file. A keytab holds the account's long-term Kerberos key(s), derived from its password, together with the principal name, realm, key version number (kvno) and encryption type. Anyone who obtains the keytab can authenticate as the delegation account and request tickets on behalf of users, so the file must be protected like the account's password.

Microsoft recommends that each internal web application has its own delegation account and therefore its own Keytab file. Technically one delegation account and one keytab can serve many internal applications, but then a compromised keytab gives access to every one of them. With one account and keytab per application you can constrain each account to a single backend service and, if needed, disable or rotate access for one application without touching the others.

Creating a user and keytab file for each application requires more administration, but it has clear security benefits.
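The following PowerShell script, added here as an example (it is not part of the original guide or of the VMware documentation), shows the one-account-per-application layout described above: a dedicated delegation account, constrained to exactly one backend SPN, with protocol transition enabled and its own keytab. The lab values (realm CORP.LOCAL, backend it.corp.local) come from the environment table below; the account name svc-uag-itbudget, the OU and the use of AES256-only keys are assumptions. It runs on a domain-joined Windows host with the ActiveDirectory module, as a domain administrator.

```powershell
# Added example, not code from the original guide.
# One delegation account per internal application, each allowed to delegate
# only to that application's backend SPN, each with its own keytab.
Import-Module ActiveDirectory

$realm  = 'CORP.LOCAL'
$domain = 'corp.local'
$ou     = 'OU=ServiceAccounts,DC=corp,DC=local'    # assumed OU

# Account name -> SPN of the backend it may reach (assumed naming; add one
# entry per internal application instead of sharing a single account).
$apps = @{
    'svc-uag-itbudget' = 'HTTP/it.corp.local'      # serves http://it.corp.local/itbudget
}

foreach ($name in $apps.Keys) {
    $spn = $apps[$name]

    # The backend SPN must already be registered on the web server's computer
    # or application-pool account, otherwise the KDC cannot issue a ticket for it.
    setspn -Q $spn

    # 1. Dedicated account. AES256 only, so the keytab carries no RC4 (NT hash) key.
    $initial = Read-Host -AsSecureString "Initial password for $name"
    New-ADUser -Name $name -SamAccountName $name -Path $ou `
        -UserPrincipalName "$name@$domain" `
        -AccountPassword $initial -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -KerberosEncryptionType AES256

    # 2. Constrained delegation: this account may obtain tickets only for $spn.
    Set-ADUser -Identity $name -Add @{ 'msDS-AllowedToDelegateTo' = $spn }

    # 3. Protocol transition ("Use any authentication protocol"): the gateway
    #    holds a SAML assertion, not the user's Kerberos ticket, so it needs
    #    S4U2Self before S4U2Proxy.
    Set-ADAccountControl -Identity $name -TrustedToAuthForDelegation $true

    # 4. Keytab. ktpass prompts for the password (/pass *), resets the mapped
    #    account's password to that value and increments its kvno; the file
    #    then contains the account's long-term key, so treat it like the password.
    ktpass /princ "$name@$realm" /mapuser "$name@$domain" /pass * `
        /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out "$name.keytab"
}

# Verify: each account delegates to exactly its own SPN and has protocol transition.
foreach ($name in $apps.Keys) {
    Get-ADUser -Identity $name -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
        Select-Object SamAccountName, TrustedToAuthForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}
```

Adding a second internal application means adding a second entry to $apps, which yields a second account, a second keytab and a second msDS-AllowedToDelegateTo value; nothing is shared between the two, so losing one keytab exposes only one backend.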

REALM is a term you will hear often when Kerberos is discussed. A realm is the Kerberos trust boundary: the set of principals that share one Key Distribution Center (KDC) and its account database. In Active Directory the realm corresponds to the domain, and its name is the domain name in upper case (CORP.LOCAL here). The clients, domain controllers and application servers joined to that domain are all principals of the same realm, which is why they can authenticate to each other through its KDC.

Environment configuration:

  • AD Domain and Kerberos REALM: CORP.LOCAL
  • Internal web server computer name: INTRANET
  • Internal web server URL: http://it.corp.local
  • Internal web application (Kerberos enabled): http://it.corp.local/itbudget
  • URL to be used for external access to internal app: https://uag.airwlab.com/itbudget
  • VMware Identity Manager FQDN: https://vidm.airwlab.com
  • User to be used for Kerberos delegation: [email protected]

1. Authentication Flow

The diagram below describes, step by step, the authentication flow that you will configure in this lab.

Authentication Flow
  1. The client navigates to the application URL https://uag-internet.corp.local/itbudget.
  2. The client is redirected to the Identity Provider (IdP), which is Workspace ONE in this setup (https://vidm.corp.local), for authentication. On successful authentication the IdP issues a SAML assertion.
  3. The client passes the SAML assertion to the Unified Access Gateway (https://uag-internet.corp.local). The Unified Access Gateway validates that the assertion was signed by the trusted IdP, using the signing certificate from the IdP metadata that was uploaded to it.
  4. The Unified Access Gateway extracts the user name from the SAML assertion and, as the delegation account, requests a Kerberos service ticket from Active Directory (CORP.LOCAL) on behalf of that user. This step requires the user account itself to be delegable: it fails for accounts marked "Account is sensitive and cannot be delegated" or placed in the Protected Users group.
  5. The Unified Access Gateway authenticates to the internal web server (http://it.corp.local) by presenting that service ticket, issued for the web server's HTTP service principal (by convention HTTP/it.corp.local), in an HTTP Negotiate header.