Web Agent Configuration for Kerberos Authentication

Configure a Web Agent on a Windows or UNIX web server to support Kerberos authentication.
The illustration shows an overview of the configuration.
Web Agent Configuration for Kerberos
Follow these general steps:
  1. Install a Web Agent.
  2. Register a trusted host with the Policy Server.
  3. Configure the Web Agent.
Refer to instructions for installing and configuring a Web Agent.
If the web server where you install the Agent is on a Windows system and the KDC is deployed on UNIX, enable the Windows host to communicate with the UNIX KDC and realm.
Kerberos Constrained Delegation
Kerberos constrained delegation restricts the set of services to which a given server can present delegated credentials on behalf of the requester.
Enable Kerberos Constrained Delegation
Using Kerberos delegation constraints, you can restrict delegation so that the Web Agent can act on the user's behalf only toward the specific smps (Policy Server) service. To limit the Web Agent to accessing the smps service on behalf of the user, enable constrained delegation on the Web Agent service account for the smps service only.
Do the following to enable constrained delegation:
  1. Open “Active Directory Users and Computers” in the Windows Active Directory Domain.
  2. Open the Web Agent service account and click the Delegation tab.
  3. Select “Trust this user for delegation to specified services only”, then select “Use Kerberos only”.
  4. Click “Add”.
  5. Click “Users or Computers”.
  6. Enter the smps service account name and add it.
Constrained delegation is now enabled.
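The same configuration can be applied and, more usefully, verified from PowerShell. The following is an added example, not code from the product documentation; it assumes the ActiveDirectory module (RSAT) is installed and uses placeholder names for the Web Agent service account (svc-webagent) and the Policy Server SPN (smps/policyserver.example.com). The check at the end confirms the account is in the "Kerberos only, specified services only" state the GUI steps describe, rather than unconstrained delegation or protocol transition.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module is available and the caller may edit the service account.
# Placeholders: svc-webagent (Web Agent service account) and
# smps/policyserver.example.com (an SPN registered on the smps service account).
Import-Module ActiveDirectory

$WebAgentAccount = 'svc-webagent'                    # placeholder
$SmpsSpn         = 'smps/policyserver.example.com'   # placeholder SPN

# "Trust this user for delegation to specified services only" + "Use Kerberos
# only" corresponds to populating msDS-AllowedToDelegateTo with the smps SPN
# while leaving unconstrained delegation (TrustedForDelegation) and protocol
# transition (TrustedToAuthForDelegation) switched off.
Set-ADUser -Identity $WebAgentAccount -TrustedForDelegation $false `
    -Add @{ 'msDS-AllowedToDelegateTo' = $SmpsSpn }
Set-ADAccountControl -Identity $WebAgentAccount -TrustedToAuthForDelegation $false

# Read the account back and report whether delegation is limited to the
# expected smps service only.
function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$ExpectedSpn
    )
    $u = Get-ADUser -Identity $Identity `
        -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    [pscustomobject]@{
        Account                 = $Identity
        Unconstrained           = [bool]$u.TrustedForDelegation          # must be False
        KerberosOnly            = -not $u.TrustedToAuthForDelegation     # must be True
        RestrictedToExpectedSpn = ($allowed.Count -eq 1 -and $allowed[0] -eq $ExpectedSpn)
        AllowedTargets          = ($allowed -join ', ')
    }
}

$result = Test-ConstrainedDelegation -Identity $WebAgentAccount -ExpectedSpn $SmpsSpn
$result | Format-List
if ($result.Unconstrained -or -not $result.KerberosOnly -or -not $result.RestrictedToExpectedSpn) {
    Write-Warning "Delegation on $WebAgentAccount is broader than the smps service only; review before go-live."
}
```

The Delegation tab only appears in the GUI once the Web Agent account has an SPN of its own registered, and the value added to msDS-AllowedToDelegateTo must be an SPN that is actually registered on the smps service account; otherwise the KDC will not issue the delegated service ticket.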
Linux KDC:
To allow the Web Agent service account to present delegated credentials only to the Policy Server, append the following to /usr/krb5/kadm5.acl:
  dn: krbprincipalname=HTTP/[email protected],cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
  changetype: modify
  krbAllowedToDelegateTo: smps/[email protected]