Single sign-on using KCD

These instructions provide information about how Pointsharp Access Gateway can create single sign-on (SSO) using Kerberos Constrained Delegation (KCD) to Back-end resources.

Abbreviations

  • SSO: Single sign-on

  • KCD: Kerberos Constrained Delegation

  • SPN: Service Principal Name

Planning

The Pointsharp Access Gateway (PSGW) can use two different methods to create SSO using KCD:

  • Service account based KCD

  • Computer account based KCD

These methods differ in a few significant ways.

Service account based KCD

The service account based KCD is a new Kerberos implementation and is the preferred way to do KCD.

  • This method does not require the computer to be a member of the domain; instead, a service account from the domain is used.

  • The application pool does not require local system privileges.

    With this method, delegation rights are given to the service account to the target Service Principal Name (SPN).

Computer account based KCD

The Computer account based KCD is the traditional way that the PSGW has been doing KCD. This method requires that:

  • the Pointsharp Access Gateway performing KCD is a member of the same domain as the backend resource for which it will create SSO, and

  • the application pool runs as Local System.

    With this method, delegation rights are given to the PSGW's computer object to the target SPN.

Configuration

When the decision has been made which method to use for KCD, the Pointsharp Access Gateway needs to be configured. SSO is generally handled by the module modAuthenticationDelegation. The settings needed for service account based KCD, and computer account based KCD, can be found below.

Service account based KCD

The following settings in the modAuthenticationDelegation module configure service account based KCD.

  • Type: Kerberos Constrained Delegation

  • UPN Attribute: userPrincipalName

  • Use Service Account: checked

  • Domain Controller: <FQDN of a Domain Controller>

  • Service Account: <service account in user@DOMAIN format>

  • Service Account Password: <Password of the service account>

Service account delegation tab creation

When using service account based KCD, a normal user account without any special permissions is recommended.

Unlike a computer account, a service account does not have the delegation tab in its properties by default.

An SPN has to be added to the account for the delegation tab to appear. See Add SPN.

Computer account based KCD

The following settings in the modAuthenticationDelegation module configure computer account based KCD.

  • Type: Kerberos Constrained Delegation

  • UPN Attribute: userPrincipalName

Delegation

The actual delegation settings do not differ between the two methods.

  • Trust this user for delegation to specified services only.

  • Use any authentication protocol.

Services to which this account can present delegated credentials:

  Service type    User or Computer
  http            host.domain.tld
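The same delegation settings can be applied and verified from PowerShell instead of the account's Delegation tab. The following is an added example, not part of the Pointsharp documentation: it registers an SPN on the service account (the step from "Service account delegation tab creation"), grants constrained delegation to the target SPN with protocol transition (the "specified services only" and "Use any authentication protocol" options above), shows the equivalent for computer account based KCD, and reads the attributes back. The account names, host names and SPN values are placeholders; the ActiveDirectory module (RSAT) and rights to edit delegation attributes are assumed.

```powershell
# Added example, not Pointsharp's own code. All names below are placeholders.
# Requires the ActiveDirectory module and an account permitted to modify
# msDS-AllowedToDelegateTo and the TrustedToAuthForDelegation flag.
Import-Module ActiveDirectory

$TargetSpn      = 'http/host.domain.tld'   # SPN of the back-end web resource (the table row above)
$ServiceAccount = 'svc-psgw'               # sAMAccountName of the PSGW service account (service account based KCD)
$GatewayHost    = 'PSGW01'                 # computer name of the gateway (computer account based KCD)

# 1. The target SPN must be registered on exactly one account in the forest,
#    otherwise no service ticket can be issued for it. setspn -Q only queries.
setspn -Q $TargetSpn

# 2. Service account based KCD only: an SPN on the service account itself makes
#    the Delegation tab appear. The SPN value is a placeholder; setspn -S refuses
#    to register a duplicate SPN.
setspn -S 'HTTP/psgw.domain.tld' $ServiceAccount

# 3. Constrained delegation. "Trust this user for delegation to specified
#    services only" is the msDS-AllowedToDelegateTo attribute; "Use any
#    authentication protocol" is the TrustedToAuthForDelegation flag
#    (protocol transition). Run only the variant matching the chosen method.

# Service account based KCD: set on the user object.
Set-ADUser -Identity $ServiceAccount -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $true

# Computer account based KCD: same two attributes on the gateway's computer object
# (its sAMAccountName ends with '$').
Set-ADComputer -Identity $GatewayHost -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
Set-ADAccountControl -Identity "$GatewayHost`$" -TrustedToAuthForDelegation $true

# 4. Verify: the delegation list should contain only the intended back-end SPNs,
#    and TrustedToAuthForDelegation should be True.
Get-ADUser -Identity $ServiceAccount `
    -Properties ServicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object SamAccountName, ServicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation

Get-ADComputer -Identity $GatewayHost `
    -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
```

Keeping msDS-AllowedToDelegateTo limited to the back-end SPNs the gateway actually serves is what makes the delegation constrained; the verification query in step 4 is a quick way to confirm no additional services have been added to the list over time.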
