Authentication delegation configuration
The configuration of an Authentication Delegation module.
- The module can perform impersonation with Kerberos Constrained Delegation (KCD).
- Using the username/password from modules (Authentication and Forms), it can perform Basic or NTLM authentication against the back-end.
- This module can also create a Pointsharp SSO ticket (containing the encrypted username and UPN), which is sent to the back-end.

See also: Authentication Delegation for Exchange SSO (Single Sign-On) and KCD towards single Exchange Server.

The module that performs the authentication must come before this module in the rule’s Module Configuration Name list.

| Property | Description |
|---|---|
| Name | The name of the module configuration. |
| Authentication Delegation | Type of Authentication Delegation to be used. |

Kerberos Constrained Delegation

| Property | Description |
|---|---|
| UPN Attribute | The name of the attribute whose value is used as the UPN. The same attribute needs to be defined in the authentication method at PSID. Default: userprincipalname |
| Use Pointsharp SSO | Enable or disable finding and reading a Pointsharp SSO ticket. |
| Shared Key | The shared key (password) used for decrypting the Pointsharp SSO ticket. |
| IV | The initialization vector (IV) used for decrypting the Pointsharp SSO ticket. |
| Use Keytab | If a keytab is configured in the general settings, the keytab is used for this authentication. |

Basic

| Property | Description |
|---|---|
| Username Attribute | The name of the attribute whose value is used as the username. The same attribute needs to be defined in the authentication method at PSID. Default: samaccountname |
| Domain | The domain used to create the credential against the back-end. |

NTLM

| Property | Description |
|---|---|
| Username Attribute | The name of the attribute whose value is used as the username. The same attribute needs to be defined in the authentication method at PSID. Default: samaccountname |
| Domain | The domain used to create the credential against the back-end. |

Pointsharp SSO

The SSO module is used to enable single sign-on to preserve authentication data for the current session between services.
This module encrypts its cookie data to prevent other services from reading the preserved authentication data. The encryption configuration can be changed but has to be the same for all services that need to read the cookie data, i.e. all Pointsharp Access Gateways in a serial connection.

| Property | Description |
|---|---|
| Username Attribute | The name of the attribute whose value is used as the username. The same attribute needs to be defined in the authentication method at PSID. Default: samaccountname |
| UPN Attribute | The name of the attribute whose value is used as the UPN. The same attribute needs to be defined in the authentication method at PSID. Default: userprincipalname |
| Shared Key | The shared key (password) used for encrypting/decrypting the Pointsharp SSO ticket. |
| IV | The initialization vector (IV) used for encrypting/decrypting the Pointsharp SSO ticket. |

Since the SSO module requires the UPN and Username, it is important that it is used together with a module that is configured to retrieve these values when authenticating.

Kerberos Constrained Delegation

Configure Kerberos.NET Constrained Delegation for Pointsharp Access Gateway.

| Property | Description |
|---|---|
| Use Service Account | Enable Kerberos.NET. Default: Disabled |
| KCD Server | The KCD Server. |
| Service Account | Service account used for delegation in Server Principal Name format. |
| Service Account Password | Password for the Service Account. |