Add Kerberos application

The purpose of this tutorial is to step through the process of setting up a Kerberos application with Okta through theAccess Gateway Admin UI console.


Kerberos Architecture

  1. User signs in.
  2. Okta send user identity to Access Gateway.
  3. Access Gateway accesses the predefined KDC with credentials.
  4. KDC returns a Kerberos ticket.
  5. Access Gateway redirects to backing application.
  6. Application returns completed request.
  7. Access Gateway performs rewrites and returns request to user.
For details see: Kerberos overview

Before you begin

Ensure that:

  • Access Gateway is installed and configured for use.
    See Manage Access Gateway deployment.
  • Access Gateway has been configured to use your Okta tenant as IDP.
    See Configure your Okta tenant as an Identity Provider for more information about configuring your Okta tenant as an IDP.
  • You have administrator rights on your Okta tenant and can assign applications to users and create groups.
  • Window server configured with IIS application and Active Directory Services running as a Domain Controller and implementing Kerberos (IWA) SSO.
    Note:this is an example architecture. It would be unusual in large production environments to have an application server (IIS), also be a DC.
  • Access Gateway DNS must be served by the Windows DNS server.
  • Confirm that the external app version is supported. Supported Kerberos app versions include:
    • Microsoft IIS IWA - IIS 7 or later
    • Microsoft OWA IWA - IIS 7 or later

If Access Gateway is hosted within a customer environment, DNS changes can be made by using the command line management console. For example, select Static Networking(option 1), and define the Windows DNS IP and any other required values.
See the Network section in Access Gateway Command Line Management Console Reference for complete details.

Typical workflow



Create a containing group
  • Best practice, create an optional group to be assigned to the application.
Add Access Gateway to Windows DNS
  • Windows must be the DNS provider for Access Gateway. During this task we add appropriate Windows DNS entries for Access Gateway instances.
Create Windows Access Gateway service account
  • Access Gateway requires a set of known Windows credentials, which will be used by the instance to configure the Kerberos service. During this task we create the required service account.
Create keytab
  • Access Gateway requires a keytab to create a Kerberos service. During this task you will create the keytab file and transfer it to a location accessible to Access Gateway.
Add Kerberos service
  • In order to interact with Windows using Kerberos, a Kerberos service is required. In this task, we will use the previously created credentials and keytab to configure a Kerberos service.
Configure Windows Server IIS for constrained delegation
  • Kerberos requires Window IIS be configured for constrained delegation. In this task we configure constrained delegation and validate the Kerberos service using a test user.
Create application
  • Create a Microsoft IIS IWA application,
Test the application
  • Test the application using header and policy simulation.
  • When required troubleshoot the integration.