Kerberos reference architecture

This reference architecture describes the components, flow and version requirements for integrating Kerberos based Windows applications and Access Gateway .

Topics:

Architecture
Flow
Components and requirements

Architecture

Kerberos Architecture

Flow

User signs in.
Okta send user identity to Access Gateway.
Access Gateway accesses the predefined KDC with credentials.
KDC returns a Kerberos ticket.
Access Gateway redirects to backing application.
Application returns completed request.
Access Gateway performs rewrites and returns request to user.

Components and requirements

Component	Description and requirements
Okta Access Gateway	All versions of Okta Access Gateway support Kerberos.
Microsoft IIS IWA or OWA IWA	Supported versions: Microsoft IIS IWA -iIS 7 or later Microsoft OWA IWA - IIS 7 or later
Dynamic Name Services	Access Gateway configured to use Windows DNS. SeeAdd Access Gateway to Windows DNS for more information.
Windows Access Gateway service account	Account in the Windows domain to be used by the Kerberos service. See Create Windows Access Gateway service account for details of creating an appropriate service account.
Keytab	A keytab, used when configuring an Access Gateway Kerberos service. See Create keytab for details of creating a keytab.
Okta Access Gateway Kerberos	Kerberos service instance configured. See Add Kerberos service for details of defining a Access Gateway kerberos service.
External URL	External URL specified by the Public Domain field within Access Gateway. For example: https://iis.idaasgateway.net

Top

© 2021 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.