Secure Mobile Access 12.4 Administration Guide

Kerberos Constrained Delegation

SMA supports Kerberos Constrained Delegation (KCD). KCD provides authentication using an existing Kerberos infrastructure, so that infrastructure does not have to trust front-end services to delegate to arbitrary services.

With Kerberos Constrained Delegation (KCD), users who are authenticated using non-Kerberos methods, such as Certificate, Smart Card, or RADIUS, can gain access to Kerberos-protected resources without having to enter any additional credentials. For example, a user who authenticates using Single Sign-On (SSO), rather than Kerberos, is allowed access to Kerberos-protected web resources.

Most Single Sign-On (SSO) methods rely on conventional username/password credentials. However, these credentials do not work with Certificate, Smart Card, or RADIUS authentication. With Kerberos Constrained Delegation (KCD), the administrator configures the usernames and passwords used for KCD.

Microsoft’s Kerberos v5 extension is called Services for Users (S4U) and is composed of two parts:

  • S4U2Self

  • S4U2Proxy

S4U2Self allows a service to obtain a service ticket to itself on behalf of a client and is usually used with a client certificate. S4U2Self is the Kerberos Protocol Transition extension.

S4U2Proxy allows a service to obtain a service ticket to an arbitrary service on behalf of a user with only the user's service ticket. The services are constrained by the administrator. S4U2Proxy is the Kerberos Constrained Delegation (KCD) extension.
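Because the two S4U steps map to two Active Directory settings (S4U2Self to the TRUSTED_TO_AUTH_FOR_DELEGATION flag, S4U2Proxy to the msDS-AllowedToDelegateTo list), an administrator will want to review which accounts hold those rights and which target services they are constrained to. The following PowerShell audit is an added example and is not part of the SMA guide or SonicWall's own tooling; it assumes the RSAT ActiveDirectory module is installed and uses no SMA-specific account names.

```powershell
# Added example, not from the SMA guide. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Report every user or computer account that can act as a delegation front-end.
#  - TrustedToAuthForDelegation : protocol transition allowed (S4U2Self)
#  - TrustedForDelegation       : unconstrained delegation, no SPN limit (review closely)
#  - msDS-AllowedToDelegateTo   : the constrained S4U2Proxy target list set by the admin
function Get-KcdDelegationReport {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $props = 'TrustedToAuthForDelegation', 'TrustedForDelegation',
             'msDS-AllowedToDelegateTo', 'ServicePrincipalName'

    # Both user and computer objects can be delegation front-ends, so check both.
    $accounts = @(Get-ADUser     -Filter * -SearchBase $SearchBase -Properties $props) +
                @(Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props)

    foreach ($a in $accounts) {
        $targets = @($a.'msDS-AllowedToDelegateTo')

        # Skip accounts with no delegation rights at all.
        if (-not $a.TrustedToAuthForDelegation -and
            -not $a.TrustedForDelegation -and
            $targets.Count -eq 0) { continue }

        [pscustomobject]@{
            Account             = $a.SamAccountName
            ProtocolTransition  = [bool]$a.TrustedToAuthForDelegation   # S4U2Self
            Unconstrained       = [bool]$a.TrustedForDelegation         # should normally be False
            AllowedToDelegateTo = ($targets -join ';')                  # S4U2Proxy scope
        }
    }
}

# Accounts with ProtocolTransition = True but an empty AllowedToDelegateTo list,
# or with Unconstrained = True, are the ones to investigate first.
Get-KcdDelegationReport | Sort-Object Unconstrained, ProtocolTransition -Descending | Format-Table -AutoSize
```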
