When Kerberos is configured in the back-end application, to set up identity bridging in Unified Access Gateway, upload the identity provider metadata and keytab file and configure the KCD realm settings.
Note: This release of identity bridging supports a cross-domain configuration in a single-domain setup: the user account and the SPN account can be in different domains.
When identity bridging is enabled with header-based authentication, keytab settings and KCD realm settings are not required.
Before you configure the identity bridging settings for Kerberos authentication, make sure that the following are available.
- An identity provider is configured and its SAML metadata is saved. The SAML metadata file is uploaded to Unified Access Gateway (SAML scenarios only).
- For Kerberos authentication, a server with Kerberos enabled, and the realm names of the Key Distribution Centers (KDCs) to use identified.
- For Kerberos authentication, the Kerberos keytab file uploaded to Unified Access Gateway. The keytab file includes the credentials for the Active Directory service account that is set up to obtain a Kerberos ticket on behalf of any user in the domain for a given back-end service.
- Ensure that the following ports are open:
  - Port 443 for incoming HTTP requests
  - TCP/UDP port 88 for Kerberos communication with Active Directory
  - The port on which the back-end application is listening, for example TCP port 8080. Unified Access Gateway uses TCP to communicate with back-end applications.
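Before uploading the keytab, it is worth confirming offline that it actually contains the service principal (SPN) of the service account for the back-end application and that the keys use modern encryption types. The following is an added example, not VMware code or a Unified Access Gateway feature: it parses the MIT keytab file format (version 0x0502) in pure Python and reports missing principals and weak encryption types. The principal names, realm, timestamps and key bytes in `SAMPLE_KEYTAB` are constructed for the example; only key lengths are reported, never key material.

```python
import struct

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # DES and RC4 keys should not be accepted for KCD


def _read_counted(buf, pos):
    """Read a uint16 length-prefixed octet string at pos; return (bytes, new_pos)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data):
    """Parse a version-2 (0x0502) MIT keytab and return a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted entry (hole) to skip
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, epos = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, epos = _read_counted(entry, epos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, epos)
        epos += 9
        enctype, keylen = struct.unpack_from(">HH", entry, epos)
        epos += 4
        key = entry[epos:epos + keylen]
        epos += keylen
        kvno = vno8
        if epos + 4 <= len(entry):      # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", entry, epos)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "key_len": len(key),        # key bytes are deliberately not retained
        })
    return entries


def check_keytab(data, expected_spn):
    """Return (ok, findings): ok is True when expected_spn is present with only strong keys."""
    findings = []
    matching = [e for e in parse_keytab(data) if e["principal"] == expected_spn]
    if not matching:
        findings.append("keytab has no entry for %s" % expected_spn)
    for e in matching:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s (%d)" % (
                e["principal"], e["kvno"],
                ENCTYPE_NAMES.get(e["enctype"], "unknown"), e["enctype"]))
    return (not findings, findings)


def build_keytab(entries):
    """Construct a version-2 keytab from (principal, kvno, enctype, key) tuples (test data only)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: one SPN exported with an AES256 key and a leftover RC4 key,
# plus an unrelated host principal. Names, realm and key bytes are invented.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/app.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),
    ("HTTP/app.example.com@EXAMPLE.COM", 3, 23, b"\x22" * 16),
    ("host/other.example.com@EXAMPLE.COM", 1, 17, b"\x33" * 16),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/app.example.com@EXAMPLE.COM"))
```

Run it against a real keytab with `check_keytab(open("service.keytab", "rb").read(), "HTTP/<your back-end host>@<REALM>")`; a result of `(False, [...])` means the file is not yet the one you want to upload. The same information is available from `klist -kte`, but parsing the file directly lets the check run in a pipeline that has no Kerberos client tools installed.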
Note:
- Configuring identity bridging for both SAML to Kerberos and Certificate to Kerberos on two different reverse proxy instances of the same Unified Access Gateway instance is not supported.
- Web Reverse Proxy instances with certificate authentication, together with instances without certificate-based authentication that do not have identity bridging enabled, on the same appliance are not supported.