Kerberos overview

This overview describes the components, flow and version requirements for integrating Kerberos based Windows applications and Access Gateway. For more information about Windows Kerberos architectures see Kerberos application reference architecture.

Topics:

Architecture

Kerberos Architecture

Flow

  1. User signs in.
  2. Okta send user identity to Access Gateway.
  3. Access Gateway accesses the predefined KDC with credentials.
  4. KDC returns a Kerberos ticket.
  5. Access Gateway redirects to backing application.
  6. Application returns completed request.
  7. Access Gateway performs rewrites and returns request to user.

Components and requirements

Component Description and requirements
Okta Access Gateway All versions of Okta Access Gateway support Kerberos.
Microsoft IIS IWA or OWA IWA

Supported versions:

  • Microsoft IIS IWA -iIS 7 or later
  • Microsoft OWA IWA - IIS 7 or later

Dynamic Name Services

Access Gateway configured to use Windows DNS. See Add Access Gateway to Windows DNS for more information.

Windows Access Gateway service account

Account in the Windows domain to be used by the Kerberos service.
See Create Windows Access Gateway service account for details of creating an appropriate service account.

Keytab

A keytab, used when configuring an Access Gateway Kerberos service. See Create keytab for details of creating a keytab.

Okta Access Gateway Kerberos Kerberos service instance configured.
See Add Kerberos service for details of defining a Access Gateway kerberos service.
External URL External URL specified by the Public Domain field within Access Gateway.
For example: https://iis.idaasgateway.net