How to Set Up Kerberos Constrained Delegation to use Single Sign-On (Password Manager) and Smartcard Authentication from Clients Not Joined to the Domain

Article ID: CTX134070

Description

When using constrained delegation together with Smartcard authentication on client machines that are not in the same domain as the Kerberos environment, Protocol Transition must be set up. It handles the transition between Smartcard authentication and Kerberos for the ICA session. If it is not set, Single Sign-On (CPM) loses its authentication to the domain once the Kerberos ticket expires within the ICA session.

Instructions

Complete the following steps to set up Kerberos Constrained Delegation to use Single Sign-On (Password Manager) and Smartcard Authentication from clients not joined to the domain.

  1. Open the Active Directory Users and Computers console.

  2. Locate the XenApp servers that use the Kerberos delegations. Select the server, right-click it and select Properties.

  3. In Properties, click the Delegation tab.

  4. On the Delegation tab, select the Trust this computer for delegation to specified services only option, then select the Use any authentication protocol option.
    Note: The Use any authentication protocol option enables Protocol Transition and is therefore the most important setting.

  5. Add the following services for the domain controllers and the XenApp servers in the farm, and click OK to save the settings:
    Add each domain controller and select the services: CIFS, LDAP, ProtectedStorage
    Add each XenApp server and select the service: HOST

  6. Locate the server that hosts the Web Interface and open its Delegation properties as in Steps 1 – 3.
    On the Delegation tab, select the first two options, as selected for the XenApp servers. Then add the following service and click OK to save the settings:
    Add each Web Interface server and select the service: HTTP
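The same delegation settings applied and then verified with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. Domain and host names are placeholders; the final query reports any account left on "Kerberos only" (a target list but no protocol transition), which is the misconfiguration described below.

```powershell
# Added example, not from the Citrix article. All names below are assumed placeholders.
Import-Module ActiveDirectory

$Domain      = 'corp.example.com'      # assumed AD domain
$DomainCtrls = @('DC01', 'DC02')       # assumed domain controllers
$XenAppHosts = @('XA01', 'XA02')       # assumed XenApp servers in the farm
$WebIfHosts  = @('WI01')               # assumed Web Interface server(s)

# Build short-name and FQDN SPNs, as the Delegation tab does when a service is added.
function Get-TargetSpn {
    param([string[]]$Hosts, [string[]]$Services)
    foreach ($h in $Hosts) {
        foreach ($s in $Services) {
            "$s/$h"
            "$s/$h.$Domain"
        }
    }
}

# Equivalent of "Trust this computer for delegation to specified services only"
# plus "Use any authentication protocol" (protocol transition) for one computer account.
function Set-ConstrainedDelegationWithTransition {
    param([string]$Computer, [string[]]$TargetSpns)
    # msDS-AllowedToDelegateTo holds the "specified services" list.
    Set-ADComputer -Identity $Computer -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
    # TrustedToAuthForDelegation = Use any authentication protocol.
    # TrustedForDelegation stays off; setting it would make the account unconstrained.
    Set-ADAccountControl -Identity (Get-ADComputer -Identity $Computer) `
        -TrustedForDelegation $false -TrustedToAuthForDelegation $true
}

# Targets per the article: DCs get CIFS/LDAP/ProtectedStorage, XenApp servers get HOST,
# Web Interface servers get HTTP. Keep these lists to the minimum the farm needs.
$XenAppTargets = (Get-TargetSpn $DomainCtrls @('cifs', 'ldap', 'ProtectedStorage')) +
                 (Get-TargetSpn $XenAppHosts @('HOST'))
foreach ($xa in $XenAppHosts) { Set-ConstrainedDelegationWithTransition $xa $XenAppTargets }
foreach ($wi in $WebIfHosts)  { Set-ConstrainedDelegationWithTransition $wi (Get-TargetSpn $WebIfHosts @('HTTP')) }

# Verification: list every computer with a delegation target list and flag the ones where
# protocol transition is still off (the "Kerberos only" state the article warns about).
Get-ADComputer -Filter 'msDS-AllowedToDelegateTo -like "*"' `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'Targets'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } } |
    Where-Object { -not $_.TrustedToAuthForDelegation } |
    Format-Table -AutoSize
```

Run it from a host with RSAT and rights to modify the computer objects; the final table should be empty once every XenApp and Web Interface server has protocol transition enabled.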

Important! These settings must be configured correctly. If they are not, authentication from machines that are not domain joined, or that are joined to a different domain, will have problems. Also, if the Kerberos only option is selected, data store synchronization may produce LDAP errors and problems may occur accessing the data store after the Kerberos ticket expires. Without protocol transition it is not possible to maintain the authentication in the session when the user is on a machine that is not in the same domain as the XenApp farm.

Issue/Introduction

This article contains instructions to set up Kerberos Constrained Delegation to use Single Sign-On (Password Manager) and Smartcard Authentication from clients not joined to the domain.

Additional Information

Using Protocol Transition—Tips from the Trenches
How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0
Smart Card Single Sign-on using Kerberos Constrained Delegation