Windows Authentication - Kerberos

Kerberos is an authentication protocol that uses cryptographic tickets to avoid transmitting plain text passwords. Client services obtain ticket-granting tickets from the Kerberos Key Distribution Center (KDC) and present those tickets as their network credentials to gain access to services.

With this configuration, a Windows machine on the associated domain can authenticate automatically to MSS to either launch sessions from the HACloud session server or to use Reflection Desktop sessions configured for centralized management.


Kerberos is supported in

  • Reflection Desktop (configured for centralized management)
  • Host Access for the Cloud (HACloud)
  • the Assigned Sessions List, which can launch Reflection Desktop, HACloud, and Reflection for the Web

Enabling Kerberos

  1. First, enable OAuth.

  2. Then, in the MSS Administrative Console, click Configure Settings - Authentication & Authorization > Windows Authentication - Kerberos.


To experience full Kerberos authentication, users must

  • access the client (HACloud or Reflection Desktop) from a Windows machine that is part of a Kerberos protected domain.

  • be logged into that machine with a user account that is part of the Kerberos Active Directory.

If these requirements are not met, the users will be prompted for credentials.

Kerberos Terminology

You may want to become familiar with these terms when configuring Kerberos.

Term Definition
Delegated Authentication When a user authenticates to a service, Kerberos supports a delegation mechanism that enables the service to act on behalf of the user when connecting to back-end hosts.
Fully Qualified Domain Name (FQDN) The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a hypothetical mail server might be
Key Distribution Center (KDC) A server that provides authentication and ticket-granting services. In an Active Directory domain, the Windows domain controller acts as the KDC.
Keytab file The keytab file contains the Service Principal Name’s encryption keys used when communicating with the KDC.
Realm A realm is the domain over which a KDC has the authority to authenticate a user. The realm name is an upper-case version of the DNS domain. For example, MYCOMPANY.COM.
Service Principal Name (SPN) The Service Principal Name uniquely identifies a service instance. SPNs are used to associate a service instance with a domain logon account.

Configuration Steps

Follow the detailed steps to set up Windows Authentication - Kerberos.

Disabling Kerberos

When switching to another method of authentication, you must first disable OAuth.