Kerberos overview

This overview describes the components, flow, and version requirements for integrating Kerberos-based Windows applications and Access Gateway. For more information about Windows Kerberos architectures, see Kerberos application reference architecture.

Architecture

Kerberos Architecture

Flow

  1. The user signs in.
  2. Okta sends the user's identity to Access Gateway.
  3. Access Gateway accesses the predefined Key Distribution Center (KDC) with credentials.
  4. KDC returns a Kerberos ticket.
  5. Access Gateway redirects to a backing application.
  6. The application returns a completed request.
  7. Access Gateway performs rewrites and returns the request to the user.

Components and requirements

Component Description and requirements
Access Gateway All versions of Access Gateway support Kerberos.
Microsoft IIS IWA or OWA IWA

Supported versions:

  • Microsoft IIS IWA: IIS 7 or later
  • Microsoft OWA IWA: IIS 7 or later

Dynamic Name Services

Configure Access Gateway to use Windows DNS. See Add Access Gateway to Windows DNS.

Windows Access Gateway service account

The account in the Windows domain that the Kerberos service uses. See Create Windows Access Gateway service account.

Keytab

A keytab is used when configuring an Access Gateway Kerberos service. See Create keytab.

Okta Access Gateway Kerberos Configure the Kerberos service instance. See Add Kerberos service.
External URL The external URL shown in the Access Gateway Public Domain field.