Introduction to Kerberos Constrained Delegation Authentication for SEG V2

Use certificates and Kerberos to authenticate instead of usernames and passwords.

Kerberos Constrained Delegation (KCD) eliminates the use of basic authentication for email. The devices receive certificates within their Exchange ActiveSync profile, instead of user name and password authentication for email. SEG uses the unique user certificate to request secure Kerberos tickets from the domain controller and embeds these tickets with the ActiveSync request to Exchange. In this way, authentication and authorization is secured by Workspace ONE UEM powered by AirWatch, while also providing a seamless user experience.

The following diagram shows a typical SaaS deployment.

Kerberos Constrained Delegation Saas deployment architecture

It is not required that the PKI infrastructure should be part of the domain.

Requirements for Using the Client Certificate Authentication

Before configuring the SEG to use client certificate authentication, meet the following pre-requisites.

Windows Server (2008 R2 or higher)
Certificate Authority (CA) integrated with Workspace ONE UEM to issue certificates to your mobile devices. In this documentation, Microsoft is used as an example for a CA. However, Workspace ONE UEM supports certificates from multiple CAs.
A trust relationship between the CA and the Directory Services server.
A domain service account to be used by SEG to impersonate the user and acquire the Kerberos tickets.
An ASA domain account to be used to represent the EAS server. This can either be a user account or a computer account. Refer to “Leveraging an ASA Credential Type” for more information.
A Certificate Revocation List (CRL) for CA that is accessible over HTTP and CRL distribution point. For more information, see the Configure Certificate Revocation List over HTTP section in the Configure Secure Email Gateway (SEG) V2 for Kerberos Constrained Delegation (KCD) topic.
Administrative access to the following in your enterprise environment:
- Active Directory (AD) Users & Computers
- Exchange ActiveSync (EAS) or Client Access Servers (CAS)
- Windows Server on which the SEG is installed
- Certificate Authority (CA)

Note: If there are multiple EAS servers in an array, you need to create an Alternate Service Account (ASA) in Active Directory. Instructions can be found in the Leveraging an ASA Credential Type section of the Configure KCD for Cross Domain Authentication topic.

Communication paths should be as noted below.

Table 1. Communication Paths
Source	Port	Protocol	Destination
SEG	80	HTTP	CRL Distribution Point
SEG	88	LDAP\kerberos	Domain Controller
SEG	80/443	HTTP (S)	Exchange ActiveSync
SEG	443	HTTPS	AW API
AW	443	HTTPS	SEG
Device	443	HTTPS	SEG