Add a Kerberos app

Use the Access Gateway Admin UI console to add a Kerberos app with Okta.

Architecture and flow

See Kerberos overview for details.

Before you begin

  • Verify that Access Gateway is installed and configured. See Manage Access Gateway deployment.
  • Verify that Access Gateway uses your Okta org as an identity provider (IdP). See Configure an Identity Provider in Access Gateway.
  • Verify that you have administrator rights on your Okta org and can create groups and assign apps.
  • Ensure that you have a Windows server configured with the IIS app and Active Directory (AD) Services running as a Domain Controller (DC) and implementing Kerberos (IWA) single sign-on (SSO). This is an example architecture, as it would be unusual in large production environments to have an app server like IIS also be a DC.
  • Ensure that the Windows DNS server serves the Access Gateway DNS.
  • Ensure that the app you're protecting runs on a supported Kerberos (IWA) platform:
    • Microsoft IIS IWA: IIS 7 or later.
    • Microsoft OWA IWA: IIS 7 or later.

If you're hosting Access Gateway in a customer environment, you can make DNS changes using the Access Gateway Management console. See Manage DNS settings.

Typical workflow

Each task links to the page that describes it in detail.

  • Create a containing group: Create an optional group for use with the app.
  • Add Access Gateway to Windows DNS: Windows is the DNS provider for Access Gateway. Add DNS entries for the Access Gateway instances.
  • Create a Windows Access Gateway service account: Create a service account. Access Gateway requires a set of known Windows credentials, which the instance uses to configure the Kerberos service.
  • Create keytab: Create a keytab file for the service account.
  • Add Kerberos service: Create and configure a Kerberos service in Access Gateway.
  • Configure Windows Server IIS for constrained delegation: Kerberos requires that Windows IIS is configured for constrained delegation.
  • Create the app: Create a Microsoft IIS IWA app.
  • Test the app: Test the app using header and policy simulation.
  • Troubleshoot the app: Troubleshoot the integration.
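The Windows-side tasks above (DNS entry, service account, keytab, constrained delegation) can be scripted on the Domain Controller. The following PowerShell is an added example, not Okta's code or part of the Access Gateway product; it assumes the ActiveDirectory and DnsServer modules are installed, that it runs as a Domain Admin on the DC, and it uses placeholder names (domain example.com, gateway host gw.example.com at 10.0.0.5, IIS host iis.example.com, service account svc-oag). The Access Gateway-side tasks (Kerberos service, app creation, testing) are done in the Admin UI and are not covered here.

```powershell
# Added example (not Okta documentation code). All host names, addresses and
# account names below are placeholders; replace them with your own values.
Import-Module ActiveDirectory
Import-Module DnsServer

$Domain      = 'example.com'             # AD DNS domain (placeholder)
$Realm       = $Domain.ToUpper()         # Kerberos realm is the upper-case domain name
$GatewayHost = "gw.$Domain"              # Access Gateway instance (placeholder)
$GatewayIP   = '10.0.0.5'                # Access Gateway address (placeholder)
$AppHost     = "iis.$Domain"             # IIS IWA app host (placeholder)
$SvcAccount  = 'svc-oag'                 # Access Gateway service account (placeholder)
$KeytabPath  = 'C:\keytabs\svc-oag.keytab'

# 1. Add Access Gateway to Windows DNS: an A record in the domain zone so that
#    Kerberos clients resolve the gateway name served by the Windows DNS server.
Add-DnsServerResourceRecordA -ZoneName $Domain -Name 'gw' -IPv4Address $GatewayIP

# 2. Create the Windows service account Access Gateway will use. Prompting for
#    the password keeps it out of shell history and scripts. AES-only encryption
#    types avoid issuing RC4 keys for the account.
$Password = Read-Host -AsSecureString 'Password for the service account'
New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
    -UserPrincipalName "$SvcAccount@$Domain" -AccountPassword $Password `
    -Enabled $true -PasswordNeverExpires $true -KerberosEncryptionType AES256

# Register the SPN the gateway presents; -S refuses to create a duplicate SPN.
setspn -S "HTTP/$GatewayHost" $SvcAccount

# 3. Create the keytab. ktpass maps the SPN to the account and writes its key.
#    "/pass *" prompts for the password; enter the SAME password as above,
#    because ktpass resets the account password to the value it is given.
#    The keytab is a credential: lock down the directory ACL, copy it to
#    Access Gateway over an encrypted channel, then delete the local copy.
New-Item -ItemType Directory -Force -Path (Split-Path $KeytabPath) | Out-Null
ktpass /princ "HTTP/$GatewayHost@$Realm" /mapuser "$SvcAccount@$Domain" `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out $KeytabPath

# 4. Constrained delegation with protocol transition: the service account may
#    request tickets on behalf of users, but only to the IIS app's HTTP SPN.
#    Do not enable unconstrained delegation (TrustedForDelegation) for this.
#    Assumes HTTP/$AppHost is already registered on the IIS computer account
#    or app pool identity (the HOST/ SPN covers it when the pool runs as
#    Network Service and the name matches the computer name).
Set-ADAccountControl -Identity $SvcAccount -TrustedToAuthForDelegation $true
Set-ADUser -Identity $SvcAccount -Add @{ 'msDS-AllowedToDelegateTo' = "HTTP/$AppHost" }

# 5. Verify the result before creating the Kerberos service and app in the
#    Access Gateway Admin UI.
Get-ADUser $SvcAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
    TrustedToAuthForDelegation, KerberosEncryptionType |
    Select-Object SamAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo',
                  TrustedToAuthForDelegation, KerberosEncryptionType
```

The final Get-ADUser call is the check to run when troubleshooting: the SPN must be on the service account, msDS-AllowedToDelegateTo must list only the app's HTTP SPN, and the encryption type must match the crypto used for the keytab, otherwise ticket requests from Access Gateway fail.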