Add Kerberos application
The purpose of this tutorial is to step through the process of setting up a Kerberos application with Okta through the Access Gateway Admin UI console.
Architecture
(architecture diagram)
Flow
(flow diagram)
For details see: Kerberos overview.
Before you begin
Ensure that:
- Access Gateway is installed and configured for use. See Manage Access Gateway deployment.
- Access Gateway has been configured to use your Okta tenant as IDP. See Configure your Okta tenant as an Identity Provider for more information about configuring your Okta tenant as an IDP.
- You have administrator rights on your Okta tenant and can assign applications to users and create groups.
- A Windows server is configured with an IIS application and Active Directory Services running as a Domain Controller and implementing Kerberos (IWA) SSO.
  Note: This is an example architecture. In large production environments it would be unusual for an application server (IIS) to also be a DC.
- Access Gateway DNS must be served by the Windows DNS server.
- Confirm that the external app version is supported. Supported Kerberos app versions include:
  - Microsoft IIS IWA - IIS 7 or later
  - Microsoft OWA IWA - IIS 7 or later
If Access Gateway is hosted within a customer environment, DNS changes can be made by using the command line management console. For example, select Static Networking (option 1), and define the Windows DNS IP and any other required values.
See the Network section in Access Gateway Command Line Management Console Reference for complete details.
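The following PowerShell script is an added example, not part of the Okta documentation, that checks the server-side prerequisites listed above: that the Access Gateway host name resolves through the Windows DNS server, that IIS 7 or later is installed, and that the host runs AD DS as a domain controller. The host name and DNS server address are placeholders; run it in an elevated session on the Windows server.

```powershell
# Added example (not Okta's code): verify the "Before you begin" prerequisites
# for the Kerberos (IWA) application on the Windows server.
param(
    [string]$AccessGatewayHost = 'gw.example.com',   # placeholder: Access Gateway FQDN
    [string]$WindowsDnsServer  = '10.0.0.5'          # placeholder: Windows DNS server IP
)

$results = @()

# 1. Access Gateway DNS must be served by the Windows DNS server:
#    query that server directly rather than whatever resolver the host uses.
try {
    $dns = Resolve-DnsName -Name $AccessGatewayHost -Server $WindowsDnsServer -Type A -ErrorAction Stop
    $results += [pscustomobject]@{ Check = 'Access Gateway resolves via Windows DNS'; Pass = $true;  Detail = ($dns.IPAddress -join ', ') }
} catch {
    $results += [pscustomobject]@{ Check = 'Access Gateway resolves via Windows DNS'; Pass = $false; Detail = $_.Exception.Message }
}

# 2. Supported app versions are IIS IWA / OWA IWA on IIS 7 or later.
#    IIS records its version under HKLM:\SOFTWARE\Microsoft\InetStp.
$iis = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\InetStp' -ErrorAction SilentlyContinue
$iisOk = ($null -ne $iis) -and ([int]$iis.MajorVersion -ge 7)
$iisDetail = if ($iis) { "IIS $($iis.MajorVersion).$($iis.MinorVersion)" } else { 'IIS not installed' }
$results += [pscustomobject]@{ Check = 'IIS 7 or later installed'; Pass = $iisOk; Detail = $iisDetail }

# 3. AD DS role present and this host is a domain controller
#    (Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC).
$adds = Get-WindowsFeature -Name AD-Domain-Services
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDc = [bool]$adds.Installed -and ($role -in 4, 5)
$results += [pscustomobject]@{ Check = 'AD DS installed and host is a DC'; Pass = $isDc; Detail = "DomainRole=$role" }

$results | Format-Table -AutoSize

# Non-zero exit if any prerequisite failed, so the script can gate the rest of the setup.
if ($results.Pass -contains $false) { exit 1 }
```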
Typical workflow
Task | Description
---|---
Create a containing group |
Add Access Gateway to Windows DNS |
Create Windows Access Gateway service account |
Create keytab |
Add Kerberos service |
Configure Windows Server IIS for constrained delegation |
Create application |
Test the application |
Troubleshoot |