Windows Authentication - Kerberos
Kerberos is an authentication protocol that uses cryptographic tickets to avoid transmitting plain text passwords. Client services obtain ticket-granting tickets from the Kerberos Key Distribution Center (KDC) and present those tickets as their network credentials to gain access to services.
In this configuration, a Windows machine on the associated domain can authenticate automatically to MSS to either launch sessions from the HACloud session server or to use Reflection Desktop sessions configured for centralized management.
Enabling/Disabling Kerberos
Enabling Windows Authentication-Kerberos requires a few configuration steps outside of the Administrative Console.
Before you begin to configure Windows Authentication - Kerberos, check these details.
Limitations
- Current implementation is limited to the HACloud and Reflection Desktop clients
Requirements
To experience full Kerberos authentication, users must
-
access the client (HACloud or Reflection Desktop) from a Windows machine that is part of a Kerberos protected domain.
-
be logged into that machine with a user account that is part of the Kerberos Active Directory.
If these requirements are not met, the users will be prompted for credentials.
Kerberos Terminology
You may want to become familiar with these terms when configuring Kerberos.
Term | Definition |
---|---|
Delegated Authentication | When a user authenticates to a service, Kerberos supports a delegation mechanism that enables the service to act on behalf of the user when connecting to back-end hosts. |
Fully Qualified Domain Name (FQDN) | The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a hypothetical mail server might be mymail.mycompany.com . |
Key Distribution Center (KDC) | A server that provides authentication and ticket-granting services. In an Active Directory domain, the Windows domain controller acts as the KDC. |
Keytab file | The keytab file contains the Service Principal Name’s encryption keys used when communicating with the KDC. |
Realm | A realm is the domain over which a KDC has the authority to authenticate a user. The realm name is an upper-case version of the DNS domain. For example, MYCOMPANY.COM . |
Service Principal Name (SPN) | The Service Principal Name uniquely identifies a service instance. SPNs are used to associate a service instance with a domain logon account. |
Configuration Steps
Follow the detailed steps in these sections to set up Windows Authentication - Kerberos.