Add Kerberos application

Use the Access Gateway Admin UI console to add a Kerberos application with Okta.

Architecture and flow

Kerberos Architecture

  1. User signs in.
  2. Okta sends user identity to Access Gateway.
  3. Access Gateway accesses the predefined KDC with credentials.
  4. KDC returns a Kerberos ticket.
  5. Access Gateway redirects to a backing application.
  6. Application returns completed request.
  7. Access Gateway performs rewrites and returns request to user.
See Kerberos overview

Before you begin

Ensure that:

  • Access Gateway is installed and configured. See Manage Access Gateway deployment.
  • Access Gateway uses your Okta tenant as an Identity Provider (IdP). See Configure your Okta tenant as an Identity Provider.
  • You have administrator rights on your Okta tenant and can create groups and assign applications.
  • You have a Windows server configured with IIS application and Active Directory Services running as a Domain Controller (DC) and implementing Kerberos (IWA) SSO. This is an example architecture, as it would be unusual in large production environments to have an application server (IIS) also be a DC.
  • The Windows DNS server serves the Access Gateway DNS.
  • You're using a supported release of Kerberos:
    • Microsoft IIS IWA: IIS 7 or later
    • Microsoft OWA IWA: IIS 7 or later

If you're hosting Access Gateway in a customer environment, you can make DNS changes using the command line management console. See Manage DNS Settings.

Typical workflow

Task Description
Create a containing group

Create an optional group for use with the application.

Add Access Gateway to Windows DNS

Windows is the DNS provider for Access Gateway. Add DNS entries for Access Gateway instances.

Create Windows Access Gateway service account

Create a service account. Access Gateway requires a set of known Windows credentials, which the instance uses to configure the Kerberos service.

Create keytab

Create a keytab file.

Add Kerberos service

Create and configure a Kerberos service.

Configure Windows Server IIS for constrained delegation

Kerberos requires that Window IIS is configured for constrained delegation

Create application

Create a Microsoft IIS IWA application.

Test the application

Test the application using header and policy simulation.


Troubleshoot the integration.