Kerberos Constrained Delegation (KCD) support for certificate authentication

Mobile Enterprise Gateway (MEG) supports Kerberos Constrained Delegation (KCD) for intranet sites that require user credentials.

For Mobile Enterprise Gateway (MEG) 2.90 and earlier, Mobile Enterprise Gateway (MEG) obtains Kerberos tickets by authenticating with the user's own user name and password. A user who authenticates to Mobile Enterprise Gateway (MEG) with a certificate instead presents no password, so Mobile Enterprise Gateway (MEG) has no credential with which to obtain a Kerberos ticket on that user's behalf.

With the Mobile Enterprise Gateway (MEG) 2.91 release, the Mobile Enterprise Gateway (MEG) Kerberos authentication provider uses a dedicated domain account (the Delegate Account) together with Kerberos Constrained Delegation (KCD) to impersonate a certificate-authenticated user during Kerberos authentication, so that the user does not have to reenter credentials to access an intranet site.

For Kerberos Constrained Delegation (KCD), the Administrator must grant delegation rights in Active Directory to the account that Mobile Enterprise Gateway (MEG) delegates through. When a user authenticates to Mobile Enterprise Gateway (MEG) with a certificate, Mobile Enterprise Gateway (MEG) uses the configured Delegate Account to request Kerberos service tickets for the target intranet site from the domain controller (KDC) on the user's behalf, and presents those tickets to the site when it proxies the user's requests (delegated authentication). The user therefore reaches the resource without supplying credentials.
Note:
  • Only the user that is authenticated to Mobile Enterprise Gateway (MEG) with an Identity Certificate is impersonated. A user that is authenticated to Mobile Enterprise Gateway (MEG) with user name and password credentials still uses the current Kerberos authentication mechanism.
  • If the Identity Certificate that is used for Mobile Enterprise Gateway (MEG) authentication is a third-party PKI (not MaaS360 Certificate), the Administrator must enable the User Info Validation Against Corporate Directory setting in the Cloud Extender® Configuration Tool.
  • Mobile agents must support the Mobile Enterprise Gateway (MEG) certificate authentication at a minimum.
  • If a Service Account is used for Kerberos impersonations, this account must be configured with corresponding delegation rights.
  • For the Mobile Enterprise Gateway (MEG) 2.91 release, Kerberos Constrained Delegation (KCD) supports only one KCD Delegate Account, and that account can be used within a single domain or forest. All HTTP resources are accessed through this impersonation account.
  • If the Delegate Account credentials are entered incorrectly, Mobile Enterprise Gateway (MEG) returns a 401 Unauthorized status page to the user and writes an error message to its log file. The Delegate Account cannot impersonate users whose Active Directory account is marked "Account is sensitive and cannot be delegated"; those users do not get single sign-on to KCD-protected sites.
  • Make sure that the krb5.conf file in the \ProgramData\Cloud Extender\AR\DATA directory contains the setting forwardable = true in its [libdefaults] section.
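The Active Directory side of the notes above (granting the Delegate Account its delegation rights, making sure it is constrained rather than unconstrained, finding users flagged as sensitive, and checking the krb5.conf setting) can be done and verified from PowerShell. The following is an added example for this page, not part of the MaaS360 product or its documentation. The cmdlets are the standard ActiveDirectory (RSAT) module; the account name svc-meg, the SPNs and the host intranet.corp.example.com are assumptions for illustration and must be replaced with your own values.

```powershell
# Added example (not MaaS360 code): configure and verify the AD side of KCD
# for the MEG Delegate Account. Run on a domain-joined admin workstation with
# the ActiveDirectory RSAT module and rights to edit the delegate account.
# Assumed (hypothetical) names: account svc-meg, site intranet.corp.example.com.
Import-Module ActiveDirectory

$DelegateAccount = 'svc-meg'
$TargetSpns = @(
    'HTTP/intranet.corp.example.com',   # FQDN form, what browsers and agents request
    'HTTP/intranet'                     # short-name form, in case the site is reached by short URL
)

# 1. Constrained delegation: the Delegate Account may obtain service tickets
#    ONLY for these SPNs. -Replace overwrites any previous (possibly broader) list.
Set-ADUser -Identity $DelegateAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }

# 2. Protocol transition ("Use any authentication protocol" in the AD UI).
#    MEG never holds the user's password or TGT during certificate
#    authentication, so it must request tickets via S4U2Self/S4U2Proxy,
#    which the KDC permits only when this flag is set on the delegate.
Set-ADAccountControl -Identity $DelegateAccount -TrustedToAuthForDelegation $true

# 3. Verify the delegation settings and refuse unconstrained delegation.
$acct = Get-ADUser -Identity $DelegateAccount -Properties `
    'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation', 'TrustedForDelegation'

if ($acct.TrustedForDelegation) {
    # "Trust this user for delegation to any service" would let a compromised
    # gateway impersonate users to every service in the forest; KCD does not need it.
    Write-Warning "$DelegateAccount has UNCONSTRAINED delegation enabled. Disable it: Set-ADAccountControl -Identity $DelegateAccount -TrustedForDelegation `$false"
}
if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "Protocol transition is off for $DelegateAccount; certificate-authenticated users cannot be impersonated."
}
"Allowed delegation targets for ${DelegateAccount}:"
$acct.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }

# 4. Each target SPN must be registered on exactly one account; a missing or
#    duplicate SPN breaks Kerberos to the site before delegation is attempted.
foreach ($spn in $TargetSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    switch ($owners.Count) {
        0       { Write-Warning "SPN $spn is not registered on any account." }
        1       { "SPN $spn -> $($owners[0].DistinguishedName)" }
        default { Write-Warning "SPN $spn is DUPLICATED on $($owners.Count) accounts." }
    }
}

# 5. Users flagged "Account is sensitive and cannot be delegated" cannot be
#    impersonated through KCD (the KDC refuses S4U2Proxy for them). List them
#    so the helpdesk knows who will not get single sign-on.
"Users excluded from KCD impersonation (AccountNotDelegated):"
Get-ADUser -Filter 'AccountNotDelegated -eq $true' |
    Select-Object -ExpandProperty SamAccountName |
    ForEach-Object { "  $_" }

# 6. The Cloud Extender krb5.conf must allow forwardable tickets.
$krb5 = Join-Path $env:ProgramData 'Cloud Extender\AR\DATA\krb5.conf'
if (Test-Path $krb5) {
    if (-not (Select-String -Path $krb5 -Pattern '^\s*forwardable\s*=\s*true' -Quiet)) {
        Write-Warning "forwardable = true not found in $krb5; add it under [libdefaults]."
    }
} else {
    Write-Warning "krb5.conf not found at $krb5 (run this on the Cloud Extender host)."
}
```

Run the script on the Cloud Extender host after the Delegate Account has been created and before enabling KCD in the Cloud Extender Configuration Tool. Keep the msDS-AllowedToDelegateTo list to the HTTP SPNs of the intranet sites MEG actually publishes: the whole point of constrained delegation is that a compromised gateway can impersonate users only toward those services.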

Enabling Kerberos Constrained Delegation (KCD)

  1. From the Cloud Extender Configuration Tool, go to the Enterprise Gateway section. The Kerberos Constrained Delegation setting is displayed.
  2. Select the Enable KCD authentication check box.
    • If Mobile Enterprise Gateway (MEG) is configured to use Active Directory authentication:
      1. Select the Use Service Account check box, which automatically populates the Delegate Account Username and Delegate Account Password fields. These values are the same values that are configured for the Service Account during the Cloud Extender setup. You cannot edit these values.
      2. Click Next. The Cloud Extender Configuration Tool validates the credentials that are entered for the account. When the user accesses a Kerberos site, the Kerberos ticket is obtained by the configured KCD Service Account on behalf of the user.
    • If Mobile Enterprise Gateway (MEG) is configured to use LDAP Authentication:
      • The Delegate Account Username and Delegate Account Password fields are enabled and editable. Enter the credentials of the domain account that was granted delegation rights, then click Next. The Cloud Extender Configuration Tool validates the credentials that are entered for the account. When the user accesses a Kerberos site, the Kerberos ticket is obtained by the configured KCD Delegate Account on behalf of the user.