Configure Kerberos Delegation

The API Gateway supports Kerberos Delegation. This allows the Gateway to extract credentials from the Kerberos token to request a service ticket for routing.
Refer to the diagram in Configure the Gateway for Kerberos Token-Based Authentication to see where this task fits within the configuration workflow.
You can also configure Kerberos delegation through the API Gateway - XML VPN Client. For details on how to do this, see "Authenticate a Client via Kerberos" in the XML VPN Client online documentation.
If the XML VPN Client is used, it must be connected to a Gateway policy that contains the Require WS-Security Kerberos Token Profile Credentials Assertion.
To configure Kerberos delegation on the Gateway:
  1. Ensure that the client is logged into the domain that is trusted by the Key Distribution Center (KDC). The client must be able to acquire the Kerberos ticket from the KDC that issued the keytab.
    The KDC is also known as the "Active Directory". The KDC is displayed when you run Manage Kerberos Configuration.
  2. Ensure that the service policy contains both these assertions:
  3. Access the Properties for the Route via HTTP(S) assertion.
  4. Under the Authentication tab, select Use Windows Integrated and then select Use Delegated Credentials.
  5. Click OK to exit the assertion properties.
When the Gateway authenticates a client using Kerberos delegation, the Authorization Data attributes from the Kerberos ticket are placed into context variables. For a list of the attributes, see Kerberos Ticket Authorization Context Variables.