
Authentication with Kerberos instead of NTLM

David_Hicks Customer IT Monkey ✭

When we create an SPN for http/oursite.com for the pid the site runs as, it breaks internal SSO. Is it possible to use Kerberos Constrained Delegation (KCD) to manage SSO?

SSO otherwise works fine, but our company is trying to implement Azure App Proxy, so that's how we've run into this.

Thank you for any insight.

Answers

  • George_Kouskouridas Customer IT Monkey ✭

    Same problem here. Following. Did you find any solution?

  • David_Hicks Customer IT Monkey ✭

    Not yet - we're still working through it. I'll post results. 😀

  • Justin_Workman Cireson Support Super IT Monkey ✭✭✭✭✭

    @David_Hicks - I think most of this is over my head since I don't have Azure but does this article help at all?

    https://gotoguy.blog/2015/03/26/publish-the-cireson-self-service-portal-with-azure-ad-application-proxy/

  • Jaggunaidu_Vand Customer IT Monkey ✭

    Yeah, this works when the app is deployed on a single Web Application server. But in our case we have the app running on multiple web application servers behind a BIG-IP pool. If only one server is enabled in the pool, SSO works internally, but when more than one server is enabled in the pool, it breaks SSO internally.

    Any ideas?

  • David_Hicks Customer IT Monkey ✭

    As Jaggu points out, we have the additional complexity in that our portal is behind a load balancer. We're trying to understand the "second hop" of authentication (portal server to the ServiceManagement database).

    It was expected that either the pid (the ID we use to run the portal) or a machine account would be using delegation here, but that's not being observed. Perhaps the credentials are stored locally on the portal server, then passed to the database?
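A diagnostic for the setup Jaggu and David describe (one SPN for http/oursite.com, several pool members behind the load balancer, and the second hop to the ServiceManagement database), added here as an example and not taken from any post in the thread. The portal account name, the web server names and the ActiveDirectory module requirement are assumptions; only the SPN comes from the thread.

```powershell
# Added example, not from the thread: inventory the Kerberos pieces that decide
# whether SSO for http/oursite.com survives a load-balanced pool and a second hop.
# Assumptions (placeholders, adjust to your environment):
#   $PortalAccount - the domain account the portal app pool runs as (the "pid")
#   $WebServers    - the web servers behind the load balancer
# Requires the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

$PortalAccount = 'svc_portal'            # placeholder
$WebServers    = @('WEB01', 'WEB02')     # placeholders
$Spn           = 'http/oursite.com'      # the SPN from the thread

# 1. Which account holds the SPN? Exactly one account must have it. If none
#    does, clients silently fall back to NTLM; if two do, Kerberos fails.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0       { Write-Warning "No account holds $Spn - clients will fall back to NTLM" }
    1       { "OK: $Spn is registered on $($holders[0].Name)" }
    default { Write-Warning "Duplicate SPN $Spn on: $($holders.Name -join ', ') - Kerberos will fail" }
}

# 2. The service ticket for $Spn is encrypted with the key of the account that
#    holds it, so every node the load balancer picks must run the app pool as
#    that same account. List each machine account's http/ SPNs to spot nodes
#    that still answer as themselves (e.g. an app pool running as NETWORK SERVICE).
foreach ($server in $WebServers) {
    $c    = Get-ADComputer $server -Properties servicePrincipalName
    $http = @($c.servicePrincipalName | Where-Object { $_ -like 'http/*' })
    "$server machine-account http SPNs: $($http -join ', ')"
}

# 3. Second hop: for the portal account to reach the database with the user's
#    identity it needs delegation. Show whether it is unconstrained, constrained
#    (and to which services), or not configured at all.
$acct = Get-ADUser $PortalAccount -Properties TrustedForDelegation, TrustedToAuthForDelegation,
        'msDS-AllowedToDelegateTo', servicePrincipalName
[pscustomobject]@{
    Account            = $acct.SamAccountName
    SPNs               = ($acct.servicePrincipalName -join ', ')
    Unconstrained      = $acct.TrustedForDelegation
    ProtocolTransition = $acct.TrustedToAuthForDelegation
    ConstrainedTo      = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
} | Format-List
```

If IIS kernel-mode authentication is enabled on the pool members, the ticket is decrypted with the machine account unless useAppPoolCredentials is set to true, which is worth checking alongside the SPN output above.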
