Authentication with Kerberos instead of NTLM
When we create an SPN for http/oursite.com for the pid the site runs as, it breaks internal SSO. Is it possible to use Kerberos Constrained Delegation (KCD) to manage SSO?
SSO otherwise works fine, but our company is trying to implement Azure App Proxy, so that's how we've run into this.
Thank you for any insight.
Answers
Same problem here. Following. Did you find any solution?
Not yet - we're still working through it. I'll post results.😀
@David_Hicks - I think most of this is over my head since I don't have Azure but does this article help at all?
https://gotoguy.blog/2015/03/26/publish-the-cireson-self-service-portal-with-azure-ad-application-proxy/
Yeah, this works when the app is deployed on a single web application server. But in our case we have the app running on multiple web application servers behind a BIG-IP pool. If only one server is enabled in the pool, SSO works internally, but when more than one server is enabled in the pool, it breaks the SSO internally.
Any ideas?
As Jaggu points out, we have the additional complexity in that our portal is behind a load balancer. We're trying to understand the "second hop" of authentication (portal server to the ServiceManagement database).
It was expected that either the pid (the ID we use to run the portal) or a machine account would be using delegation here, but that's not being observed. Perhaps the credentials are stored locally on the portal server, then passed to the database?
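The two problems in this thread (SSO breaking once a second pool member is enabled, and the unclear "second hop" from the portal to the database) are the usual symptoms of the site SPN being tied to the wrong account and of no delegation being configured. The script below is an added example, not from the thread or from Cireson; it assumes a service account CORP\svc-portal running the portal app pool, a load-balancer name oursite.com, pool members web01 and web02, and a database SPN MSSQLSvc/sql01.corp.local:1433. Replace those names with your own.

```powershell
# Added example (not from the thread). Assumed names: service account CORP\svc-portal,
# site name http/oursite.com (the load-balancer VIP name clients type), pool members
# web01/web02, database SPN MSSQLSvc/sql01.corp.local:1433. Run as a domain admin with RSAT.
Import-Module ActiveDirectory

$svc      = 'svc-portal'
$siteSpns = @('http/oursite.com', 'http/oursite')      # FQDN and short name clients may use
$dbSpn    = 'MSSQLSvc/sql01.corp.local:1433'            # second-hop target (assumed)
$pool     = @('web01', 'web02')

# 1. Each SPN must exist exactly once in the forest. A copy on a machine account
#    (or on two accounts) makes the KDC reject the request and clients fall back to NTLM.
setspn -X                                               # forest-wide duplicate report
foreach ($spn in $siteSpns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
              Select-Object -ExpandProperty DistinguishedName
    "$spn -> $($owners -join '; ')"                     # expect exactly one owner: the service account
}

# 2. Register the site SPNs on the service account, not on web01/web02: every pool
#    member then decrypts the service ticket with the same account's key.
foreach ($spn in $siteSpns) { setspn -S $spn "CORP\$svc" }

# 3. Second hop: let svc-portal delegate only to the SQL service (constrained delegation).
#    TrustedToAuthForDelegation (protocol transition) is needed when the front-end logon
#    may not be Kerberos, which is the case when a proxy in front does the first hop.
Set-ADUser -Identity $svc -Add @{'msDS-AllowedToDelegateTo' = $dbSpn}
Set-ADAccountControl -Identity $svc -TrustedToAuthForDelegation $true
Get-ADUser -Identity $svc -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Format-List servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation

# 4. On each pool member, make IIS decrypt tickets with the app-pool identity's key.
#    Kernel-mode authentication otherwise uses the machine account, which does not hold the SPN.
Invoke-Command -ComputerName $pool -ScriptBlock {
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' `
        -Name useAppPoolCredentials -Value $true
}

# 5. Verify from a domain-joined client: a service ticket for the site SPN should be issued,
#    and the portal server's 4624 logon event should show the Kerberos authentication package.
klist purge
klist get http/oursite.com
klist | Select-String 'oursite'
```

If the Azure AD Application Proxy connector is to perform KCD for the first hop, the connector machines' computer accounts need the same treatment as step 3 with http/oursite.com as the delegation target and protocol transition enabled, since the connector authenticates the user on behalf of a token from Azure AD rather than a Kerberos logon. Step 1 is the one to run first: an SPN that is present both on a machine account and on the service account explains the "one server works, two do not" behaviour without any change to the portal itself.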