Add a Kerberos app
Use the Access Gateway Admin UI console to add a Kerberos app with Okta.
Architecture and flow
See Kerberos overview for details.
Before you begin
- Verify that Access Gateway is installed and configured. See Manage Access Gateway deployment.
- Verify that Access Gateway uses your Okta org as an identity provider (IdP). See Configure an Identity Provider in Access Gateway.
- Verify that you have administrator rights on your Okta org and can create groups and assign apps.
- Ensure that you have a Windows server configured with the IIS app and Active Directory (AD) Services running as a Domain Controller (DC) and implementing Kerberos (IWA) single sign-on (SSO). This is an example architecture, as it would be unusual in large production environments to have an app server like IIS also be a DC.
- Ensure that the Windows DNS server serves the Access Gateway DNS.
- Ensure that you're using a supported version of Kerberos:
  - Microsoft IIS IWA: IIS 7 or later.
  - Microsoft OWA IWA: IIS 7 or later.
If you're hosting Access Gateway in a customer environment, you can make DNS changes using the Access Gateway Management console. See Manage DNS settings.
Typical workflow
Task | Description |
---|---|
Create a containing group | Create an optional group for use with the app. |
Add Access Gateway to Windows DNS | Windows is the DNS provider for Access Gateway. Add DNS entries for Access Gateway instances. |
Create a Windows Access Gateway service account | Create a service account. Access Gateway requires a set of known Windows credentials, which the instance uses to configure the Kerberos service. |
Create keytab | Create a keytab file. |
Add Kerberos service | Create and configure a Kerberos service. |
Configure Windows Server IIS for constrained delegation | Kerberos requires that Windows IIS is configured for constrained delegation. |
Create the app | Create a Microsoft IIS IWA app. |
Test the app | Test the app using header and policy simulation. |
Troubleshoot the app | Troubleshoot the integration. |
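The workflow above names the Windows-side tasks (DNS entry, service account, keytab, constrained delegation) without showing them. The PowerShell script below is an added example, not Okta's own procedure, that performs those tasks on the domain controller and then checks the result. Every name in it is a constructed placeholder: the example.com domain and EXAMPLE.COM realm, gw.example.com for the Access Gateway host at 10.0.0.50, iis.example.com for the IIS app host, svc-oag for the service account and C:\keytabs\gw.keytab for the keytab. It assumes the ActiveDirectory and DnsServer PowerShell modules, the setspn and ktpass tools, and that delegation is configured on the gateway service account with protocol transition; the function Test-OagServiceAccount is also part of the example. Follow the page's own steps for the values your deployment uses.

```powershell
# Added example, not Okta's procedure. Run on the domain controller in an elevated
# PowerShell session as a domain administrator. All names below are constructed placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain     = 'example.com'           # AD DNS domain (assumed)
$Realm      = 'EXAMPLE.COM'           # Kerberos realm (assumed)
$GwName     = 'gw'                    # Access Gateway host label (assumed)
$GwHost     = "$GwName.$Domain"
$GwIp       = '10.0.0.50'             # Access Gateway address (assumed)
$IisHost    = "iis.$Domain"           # IIS app host the gateway delegates to (assumed)
$SvcName    = 'svc-oag'               # Access Gateway service account (assumed)
$KeytabPath = 'C:\keytabs\gw.keytab'  # where the keytab is written (assumed)

# 1. DNS: the Windows DNS server must resolve the Access Gateway host.
if (-not (Get-DnsServerResourceRecord -ZoneName $Domain -Name $GwName -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name $GwName -IPv4Address $GwIp
}

# 2. Service account: dedicated, non-interactive, AES-only Kerberos keys.
$Password = Read-Host -Prompt "Initial password for $SvcName" -AsSecureString
New-ADUser -Name $SvcName -SamAccountName $SvcName `
    -UserPrincipalName "$SvcName@$Domain" -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -KerberosEncryptionType AES256

# 3. SPN: a duplicate SPN anywhere in the forest breaks Kerberos silently, so query before registering.
$spn = "HTTP/$GwHost"
if ((& setspn -Q $spn) -match 'Existing SPN found') { throw "$spn is already registered to another account" }
& setspn -S $spn $SvcName

# 4. Keytab: ktpass maps the principal to the account and writes its AES256 key.
#    /pass * prompts for the password; by default ktpass resets the account password to that
#    value so the keytab and the account stay in sync. -setupn leaves the account's UPN unchanged.
New-Item -ItemType Directory -Path (Split-Path $KeytabPath) -Force | Out-Null
& ktpass /princ "$spn@$Realm" /mapuser "$SvcName@$Domain" /crypto AES256-SHA1 `
    /ptype KRB5_NT_PRINCIPAL /pass * -setupn /out $KeytabPath

# 5. The keytab is equivalent to the account password: leave it readable only to administrators.
icacls $KeytabPath /inheritance:r /grant:r 'BUILTIN\Administrators:(R)' | Out-Null

# 6. Constrained delegation with protocol transition: the gateway may obtain a service ticket on a
#    user's behalf (S4U2Self) and forward it only to the IIS HTTP service (S4U2Proxy), not to
#    every service in the domain as unconstrained delegation would allow.
Set-ADUser -Identity $SvcName -Add @{ 'msDS-AllowedToDelegateTo' = "HTTP/$IisHost" }
Set-ADAccountControl -Identity $SvcName -TrustedToAuthForDelegation $true

# 7. Verify the account before moving on to the Access Gateway side.
function Test-OagServiceAccount {
    param([string]$Account, [string]$ExpectedSpn, [string]$ExpectedTarget)
    $u = Get-ADUser -Identity $Account -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', userAccountControl
    $trustedToAuth = ($u.userAccountControl -band 0x1000000) -ne 0   # TRUSTED_TO_AUTH_FOR_DELEGATION
    $unconstrained = ($u.userAccountControl -band 0x80000) -ne 0     # TRUSTED_FOR_DELEGATION (must stay off)
    return ($u.ServicePrincipalNames -contains $ExpectedSpn) -and
           ($u.'msDS-AllowedToDelegateTo' -contains $ExpectedTarget) -and
           $trustedToAuth -and -not $unconstrained
}
if (-not (Test-OagServiceAccount -Account $SvcName -ExpectedSpn $spn -ExpectedTarget "HTTP/$IisHost")) {
    throw "Service account $SvcName is not configured as expected"
}
```

The verification step is the part most worth keeping: it confirms the SPN is on the account, that delegation is limited to the single HTTP target, that protocol transition is on, and that unconstrained delegation is off, which is the check to repeat whenever the app fails to authenticate later. Copy the keytab to the Access Gateway instance over an encrypted channel and delete local copies you no longer need, since anyone holding the file holds the service account's key.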