Limitations, Requirements, Terminology

Before you begin to configure Windows Authentication - Kerberos, check these details.

Limitations

  • The current implementation is limited to the HACloud and Reflection Desktop clients.

  • Sessions cannot be launched from a user’s Assigned Sessions list.

Requirements

For Kerberos authentication to work end to end (no credential prompt), users must

  • access the client (HACloud or Reflection Desktop) from a Windows machine that is joined to a Kerberos-protected domain.

  • be logged into that machine with a user account that belongs to the Kerberos Active Directory domain.

If either requirement is not met, the user is prompted for credentials instead.

Kerberos Terminology

You may want to become familiar with these terms when configuring Kerberos.

Delegated Authentication
    When a user authenticates to a service, Kerberos supports a delegation mechanism that enables the service to act on behalf of the user when connecting to back-end hosts.

Fully Qualified Domain Name (FQDN)
    The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a hypothetical mail server might be mymail.mycompany.com.

Key Distribution Center (KDC)
    A server that provides authentication and ticket-granting services. In an Active Directory domain, the Windows domain controller acts as the KDC.

Keytab file
    The keytab file contains the Service Principal Name’s encryption keys used when communicating with the KDC.

Realm
    A realm is the domain over which a KDC has the authority to authenticate a user. The realm name is an upper-case version of the DNS domain. For example, MYCOMPANY.COM.

Service Principal Name (SPN)
    The Service Principal Name uniquely identifies a service instance. SPNs are used to associate a service instance with a domain logon account.
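The terms above (realm, SPN, keytab) fit together in a way that is easiest to see on a real file. The following is an added example, not part of this product documentation and not code from the HACloud or Reflection Desktop products: it derives a realm from a DNS domain, maps an SPN to a full principal name, builds a small MIT-format keytab in memory, and parses it back to list which principals and encryption types it holds without ever printing key material. The principal HTTP/hacloud.mycompany.com, the realm and the key bytes are constructed sample values.

```python
"""Added example: keytab audit helper (not product code). The principal,
realm and key bytes are constructed samples."""
import struct

KEYTAB_MAGIC = b"\x05\x02"      # keytab file format version 0x0502
KRB5_NT_SRV_HST = 3             # name type: service/host principal
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",          # RC4-based, deprecated
}
WEAK_ENCTYPES = {1, 3, 23}      # des-cbc-crc, des-cbc-md5, arcfour-hmac


def realm_from_domain(dns_domain: str) -> str:
    """Realm name is the upper-case DNS domain (e.g. MYCOMPANY.COM)."""
    return dns_domain.strip(".").upper()


def principal_for_spn(spn: str, dns_domain: str) -> str:
    """HTTP/hacloud.mycompany.com -> HTTP/hacloud.mycompany.com@MYCOMPANY.COM"""
    service, sep, host = spn.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"SPN must be <service>/<FQDN>: {spn!r}")
    return f"{service}/{host.lower()}@{realm_from_domain(dns_domain)}"


def _counted(raw: bytes) -> bytes:
    return struct.pack(">H", len(raw)) + raw


def build_entry(principal, kvno, enctype, key, timestamp=0) -> bytes:
    """Serialise one keytab entry (big-endian fields, 32-bit kvno extension)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_SRV_HST, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return KEYTAB_MAGIC + b"".join(build_entry(*e) for e in entries)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Describe each entry; key bytes are left out so the result is loggable."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                      # skip fixed header and key
        kvno = vno8
        if end - pos >= 4:                    # optional 32-bit kvno present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type, "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key_bytes": klen,
        })
    return entries


def weak_entries(entries: list) -> list:
    """Principals that still carry DES or RC4 keys (should be removed)."""
    return [e["principal"] for e in entries if e["enctype"] in WEAK_ENCTYPES]


# Constructed sample keytab: one SPN with an AES key and a legacy RC4 key.
SAMPLE_PRINCIPAL = principal_for_spn("HTTP/hacloud.mycompany.com", "mycompany.com")
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, 3, 18, bytes(range(32)), 1700000000),
    (SAMPLE_PRINCIPAL, 3, 23, bytes(range(16)), 1700000000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    print("weak enctypes:", weak_entries(parse_keytab(SAMPLE_KEYTAB)))
```

Running the script lists both entries for HTTP/hacloud.mycompany.com@MYCOMPANY.COM and flags the arcfour-hmac one; pointing `parse_keytab` at the bytes of a real keytab shows whether the kvno in the file still matches the account's current key version and whether any legacy enctypes remain, which are the two things most often wrong when Kerberos authentication silently falls back to a credential prompt.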

Related topics