Secure Mobile Access 12.4 Administration Guide

Configuring Kerberos Constrained Delegation

To enable Kerberos Constrained Delegation (KCD)

  1. Navigate to System Configuration > Services.

  2. Under Web proxy service, click Configure.

    The Web Proxy Service page displays.

  3. Click the Web Application Profiles tab.

  4. From the list of Web Proxy Services, select the web proxy service you want.

    The Edit Web Application Profile page displays.

  5. Select the checkboxes for the options you want:

    • Enable Kerberos Constrained Delegation – The Enable Kerberos Constrained Delegation option should be checked only if the Kerberos Single Sign-On option is checked.
    • Enable fallback – The Enable fallback option should be checked only if the Enable Kerberos Constrained Delegation option is checked.

      The Enable fallback option prompts the user to enter their credentials again if KCD has failed for some reason. If Enable fallback is unchecked and KCD has failed, an error page is displayed.

      On Firefox, Enable fallback works only if both Negotiate and NTLM are enabled on the backend resource, in their respective order. Enable fallback does not work on Safari in this case. Safari displays a prompt to re-enter credentials, but it keeps failing. Enable fallback works only when NTLM is the only authentication provider on the backend, which is not a supported configuration for KCD.

  6. If the selected web resource has form based login, use Dynamic Single Sign-On profile to configure Single Sign-On. For more information, see Creating Forms-Based Dynamic Single Sign-On Profiles.
  7. Click Save.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.