Kerberos Delegation Overview
Kerberos Delegation means a system and user is configured to request Kerberos tokens on behalf of another user.
Since Unified Access Gateway is not joined to the domain we need to add AD Domain Kerberos support to UAG. This is done with the help of generating a Keytab file. This file contains necessary security tokens/hashes for Unified Access Gateway to interact with Microsoft AD. The Keytab file contains the information about the user delegated to request Kerberos tokens on another users’ behalf.
Microsoft recommends that each internal Web Application has its own delegated user and therefore different Keytab file, technically you can have one delegated user and Keytab file for many different internal apps, but you are taking the risk in case the Keytab file is compromised to give access to all internal apps. When you have one user / Keytab file per application this allows you to disable access to only one system at a time.
While creating the user and keytab file for each application requires more administration it has its clear security benefits.
REALM is often something you hear talking about Kerberos. A REALM is basically your trust boundaries. In AD Kerberos that is your clients, AD servers and application servers all joined to the domain. Each one trusts each other since they are all part of the same Kerberos REALM.
- AD Domain also Kerberos REALM: CORP.LOCAL
- Internal web server computer name: INTRANET
- Internal web server URL: http://it.corp.local
- Internal web application (Kerberos enabled): http://it.corp.local/itbudget
- URL to be used for external access to internal app: https://uag.airwlab.com/itbudget vIDM FQDN: https://vidm.airwlab.com
- User to be used for Kerberos delegation: iis_it (UPN: [email protected])
1. Authentication Flow
The below diagram describe step by step the authentication flow that you will be configuring in this lab.
- Client navigates to application URL https://uag.airwlab.com/itbudget
- Client is redirected to IDP (Workspace One) for authentication (https://vidm.airwlab.com). IDP issue SAML assertion upon authentication.
- Client passes SAML assertion to UAG (http://uag.airwlab.com). UAG validates SAML assertion is from trusted IDP.
- UAG extracts the client’s username from the SAML assertion and requests a Kerberos ticket from Active Directory (CORP.LOCAL) on behalf of that user.
- Unified Access Gateway authenticates against the internal web server (https://it.corp.local) using the Kerberos ticket obtained from AD.