Add a Kerberos application
Use the Access Gateway Admin UI console to add a Kerberos application with Okta.
Architecture and flow
See Kerberos overview for details.
- Verify that Access Gateway is installed and configured. See Manage Access Gateway deployment.
- Verify that Access Gateway uses your Okta org as an Identity Provider (IdP). See Configure an Identity Provider in Access Gateway.
- Verify that you have administrator rights on your Okta org and can create groups and assign applications.
- You have a Windows server with both the IIS role and Active Directory Domain Services installed, acting as a Domain Controller (DC) and providing Kerberos (Integrated Windows Authentication, IWA) SSO. This is an example architecture; in large production environments it would be unusual for an application server (IIS) to also be a DC.
- Windows DNS is the DNS provider for Access Gateway and hosts the zone that Access Gateway host names resolve in.
- You're using a supported IWA platform:
  - Microsoft IIS IWA: IIS 7 or later
  - Microsoft OWA IWA: IIS 7 or later
If you're hosting Access Gateway in your own environment rather than an Okta-hosted one, you can make DNS changes using the command-line management console. See Manage DNS Settings.
| Task | Description |
| --- | --- |
| Create a containing group | Create an optional group for use with the application. |
| Add Access Gateway to Windows DNS | Windows is the DNS provider for Access Gateway. Add DNS entries for the Access Gateway instances. |
| Create a Windows Access Gateway service account | Create a service account. Access Gateway requires a set of known Windows credentials, which the instance uses to configure the Kerberos service. Create a keytab file for the service account. |
| Add the Kerberos service | Create and configure a Kerberos service. |
| Configure Windows Server IIS for constrained delegation | Kerberos requires that Windows IIS is configured for constrained delegation. |
| Add the Kerberos application | Create a Microsoft IIS IWA application. |
| Test the application | Test the application using header and policy simulation. |
| Troubleshoot | Troubleshoot the integration. |
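The Windows-side tasks in the table above (DNS entry, service account, keytab, constrained delegation, IIS authentication) are normally done in the GUI. The following PowerShell script is an added example that is not Okta's or Microsoft's own code; it performs the same steps on the Domain Controller described in the prerequisites and then prints what the gateway depends on. The domain `example.local`, realm `EXAMPLE.LOCAL`, host names `gw.example.local` and `iis.example.local`, the address `10.0.0.50`, the account `svc-oag`, the keytab path and the IIS site name are all assumptions; replace them with your own values. It requires the ActiveDirectory, DnsServer and WebAdministration modules, which are present on a DC that also runs IIS.

```powershell
# Added example, not Okta's or Microsoft's code. Run on the DC as a domain administrator.
# Every name, address and path below is an assumption for illustration.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory, DnsServer, WebAdministration

$Domain      = 'example.local'          # assumed AD DNS domain
$Realm       = $Domain.ToUpper()        # Kerberos realm is the AD domain in upper case
$GatewayHost = 'gw.example.local'       # assumed Access Gateway FQDN (the name users browse to)
$GatewayIP   = '10.0.0.50'              # assumed Access Gateway address
$IisHost     = 'iis.example.local'      # assumed IIS IWA application FQDN (the DC in this example)
$SvcAccount  = 'svc-oag'                # assumed service account sAMAccountName
$KeytabPath  = 'C:\keytab\oag.keytab'   # assumed output path; copy to Access Gateway, then delete
$IisSite     = 'Default Web Site'       # assumed IIS site hosting the IWA application

# 1. Add Access Gateway to Windows DNS.
#    The ticket users present is for HTTP/<fqdn>, so the name must be an A record that
#    matches the SPN exactly; a CNAME makes the browser request a ticket for the target name.
Add-DnsServerResourceRecordA -ZoneName $Domain -Name $GatewayHost.Split('.')[0] -IPv4Address $GatewayIP

# 2. Create the Access Gateway service account with least privilege: a plain user object
#    (Domain Users only), AES-only Kerberos, and a long random password used once here.
#    ktpass below resets the account password to whatever it is given, so enter the same value.
$Password = Read-Host -Prompt "Password for $SvcAccount (enter it again when ktpass prompts)" -AsSecureString
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -UserPrincipalName "$SvcAccount@$Domain" `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256 -Description 'Okta Access Gateway Kerberos service account'

# 3. Create the keytab. The SPN must be unique forest-wide; a duplicate breaks ticket issuance.
$Spn = "HTTP/$GatewayHost"
if ((setspn -Q $Spn) -match 'Existing SPN found') {
    throw "$Spn is already registered on another account; fix the duplicate before continuing"
}
New-Item -ItemType Directory -Path (Split-Path $KeytabPath) -Force | Out-Null
# /mapuser registers the SPN on the account and sets its password; /crypto limits the keytab
# to AES256 so no RC4 key is written. Treat the file as equivalent to the account password.
ktpass /princ "$Spn@$Realm" /mapuser "$SvcAccount@$Domain" /pass * `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $KeytabPath

# 4. Constrained delegation. Access Gateway authenticates the user via Okta, not Kerberos, so it
#    needs protocol transition ("Use any authentication protocol") to obtain a ticket for the
#    IIS application on the user's behalf. Restrict delegation to that one service only.
$Targets = @("HTTP/$IisHost", "HTTP/$($IisHost.Split('.')[0])")
Set-ADUser -Identity $SvcAccount -Add @{ 'msDS-AllowedToDelegateTo' = $Targets }
Set-ADAccountControl -Identity $SvcAccount -TrustedToAuthForDelegation $true
# The IIS side must hold HTTP/<iis fqdn>. With ApplicationPoolIdentity or Network Service the
# machine account's HOST/ SPN already covers HTTP/; a custom app-pool account needs its own SPN.

# 5. Switch the IIS site to Windows Authentication (Negotiate) and turn off anonymous access.
#    These sections are locked at server level, so write them via APPHOST with -Location.
$Auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $IisSite `
    -Filter "$Auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $IisSite `
    -Filter "$Auth/windowsAuthentication" -Name enabled -Value $true

# 6. Verify what the gateway will rely on before testing with header and policy simulation.
Get-ADUser -Identity $SvcAccount -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', `
    TrustedToAuthForDelegation, KerberosEncryptionType |
    Select-Object SamAccountName, ServicePrincipalNames, 'msDS-AllowedToDelegateTo', `
        TrustedToAuthForDelegation, KerberosEncryptionType | Format-List
Resolve-DnsName -Name $GatewayHost -Type A
setspn -X   # reports duplicate SPNs across the forest; the list should be empty
```

After copying `oag.keytab` to the Access Gateway host for the Kerberos service step, remove the local copy: anyone holding the keytab can impersonate any domain user to the delegated IIS service, so it deserves the same handling as the account password. If the keytab is later regenerated, its key version number (kvno) changes and the gateway must be updated; that mismatch is a common cause of failures to check for when troubleshooting the integration.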