5.1 Kerberos

Please also note the FAQ, chapter "Upgrade AGW Version 3.0 to 3.1".

First, the AGW must join the AD (see Chapter 5).

After joining the AD, the AGW will be visible in the AD under ‘Computers’. Please do not move the AGW. Next, you must ensure that Kerberos is enabled for the AGW.

For Kerberos to work from the browser, the browsers must be configured accordingly (see Chapter 6).

Each of the variants below should then be tested for functionality. The following lines can then be found in the AGW log:

  • got a kerberos token from the client
  • Kerberos auth for user myuser@MYAGW.EXAMPLE.COM (myuser) successful domain MYAGW.EXAMPLE.COM
  • Session auth (http://auth.hin.ch/REST/v1/authSession) for myuser successful

Variant 1

This is the simplest option.

In the settings of the AGW AD object, activate Kerberos delegation for all services.

Option 2

This is the slightly more difficult option.

In the settings of the AGW AD object, activate Kerberos delegation only for specific services. To do this, the http service must be authorised for the AGW object.

Variant 3

This variant is only recommended for experienced AD administrators (and is therefore not explained in detail).

Kerberos delegation can be dispensed with, provided that it is ensured that the correct SPNs are available for the clients so that they can obtain a Kerberos ticket for the http service of the AGW.