Add a Kerberos application

Use the Access Gateway Admin UI console to add a Kerberos application with Okta.

Architecture and flow

See Kerberos overview for details.

Before you begin

Ensure that:

  • Verify that Access Gateway is installed and configured. See Manage Access Gateway deployment.
  • Verify that Access Gateway uses your Okta org as an Identity Provider (IdP). See Configure an Identity Provider in Access Gateway.
  • Verify that you have administrator rights on your Okta org and can create groups and assign applications.
  • You have a Windows server configured with IIS application and Active Directory Services running as a Domain Controller (DC) and implementing Kerberos (IWA) SSO. This is an example architecture, as it would be unusual in large production environments to have an application server (IIS) also be a DC.
  • The Windows DNS server serves the Access Gateway DNS.
  • You're using a supported release of Kerberos:
    • Microsoft IIS IWA: IIS 7 or later
    • Microsoft OWA IWA: IIS 7 or later

If you're hosting Access Gateway in a customer environment, you can make DNS changes using the command line management console. See Manage DNS settings.

Typical workflow

Task Description
Create a containing group

Create an optional group for use with the application.

Add Access Gateway to Windows DNS

Windows is the DNS provider for Access Gateway. Add DNS entries for Access Gateway instances.

Create Windows Access Gateway service account

Create a service account. Access Gateway requires a set of known Windows credentials, which the instance uses to configure the Kerberos service.

Create keytab

Create a keytab file.

Add Kerberos service

Create and configure a Kerberos service.

Configure Windows Server IIS for constrained delegation

Kerberos requires that Window IIS is configured for constrained delegation

Create application

Create a Microsoft IIS IWA application.

Test the application

Test the application using header and policy simulation.


Troubleshoot the integration.