The settings on this tab enable you to authenticate to a Kerberos Service
by sending a Kerberos service ticket in the HTTP request to that service.
Note:
You can also configure the Enterprise Gateway to authenticate to a Kerberos Service
by including the relevant Kerberos tokens inside the XML message. For more
details, see the Kerberos Client
Authentication topic.
Kerberos Client:
The selected Kerberos Client has two roles. First, it must obtain a Kerberos
TGT (Ticket Granting Ticket). Second, it uses this TGT to obtain a service
ticket for the Kerberos Service Principal selected below.
Click the button on the right, and select a previously configured Kerberos
Client in the tree. To add a Kerberos Client, right-click the Kerberos
Clients tree node, and select Add Kerberos Client.
Alternatively, you can add Kerberos Clients under the External
Connections node in the Policy Studio tree view. For more details,
see the Kerberos Clients topic.
Kerberos Service Principal:
The Kerberos Client selected above must obtain a ticket from the Kerberos
Ticket Granting Server (TGS) for the selected Kerberos Service Principal.
The Service Principal can be used to uniquely identify the Service in the
Kerberos realm. The TGS grants a ticket for the selected Principal, which
the client can then send to the Kerberos Service. The Principal in the
ticket must match the Kerberos Service's Principal for the client to be
successfully authenticated.
Click the button on the right, and select a previously configured Kerberos Principal
in the tree (for example, the default HTTP/host Service Principal). To
add a Kerberos Principal, right-click the Kerberos Principals tree
node, and select Add Kerberos Principal. Alternatively, you can add
Kerberos Principals under the External Connections node in the
Policy Studio tree view. For more details, see the topic on
Kerberos Principals.
Send token with first request:
In some cases, the client may not authenticate (that is, send the Authorization
HTTP header) to the Kerberos Service on its first request. The Kerberos Service should
then respond with an HTTP 401 response containing a WWW-Authenticate:
Negotiate HTTP header. This header instructs the client to authenticate
to the server by sending the Authorization header. The client then
sends a second request, this time with an Authorization header
that contains the relevant Kerberos token. Select this option to force the
Connection filter to always send the
Authorization HTTP header that contains the Kerberos service ticket
on its first request to the Kerberos Service.
Send body only after establish context:
You can configure the Kerberos client to only send the message body after
the context has been fully established (the client has mutually
authenticated with the service).
Pass when service returns 200 even if context not established:
In some rare cases, a Kerberos Service may return a 200 OK
response to a Kerberos Client's initial request even though the security
context has not yet been fully established. This 200 OK
response may not contain the WWW-Authenticate HTTP
header.
By selecting this option, you are instructing the Connection
filter to send the request to the Kerberos Service even though the context
has not been established. It is the responsibility of the Kerberos Service
to decide whether to process the request depending on the status of the
security context.
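The three options above (Send token with first request, Send body only after establish context, and Pass when service returns 200 even if context not established) all shape the same HTTP Negotiate exchange. The following simulation is an added example, not the gateway's own code: it models both sides of that exchange with placeholder strings standing in for the GSS-API tokens (no Kerberos cryptography is performed), and exposes each option as a parameter so the number of round trips, whether the body travels before the context exists, and whether the filter passes the message can be compared. The service functions, host name and token values are all constructed assumptions.

```python
"""Constructed simulation of the HTTP Negotiate (SPNEGO) exchange that the
Kerberos tab options control. Added example, not gateway code: tokens are
placeholder strings and no Kerberos cryptography is performed."""

from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed placeholders for the base64 GSS-API tokens a real exchange carries.
CLIENT_TOKEN = "AP-REQ-placeholder"   # service ticket + authenticator (client -> service)
SERVER_TOKEN = "AP-REP-placeholder"   # mutual-authentication reply (service -> client)


@dataclass
class Request:
    headers: dict
    body: Optional[str]


@dataclass
class Response:
    status: int
    headers: dict


def kerberos_service(req: Request) -> Response:
    """Well-behaved service: challenges unauthenticated requests with
    'WWW-Authenticate: Negotiate', accepts the client token, and returns the
    server token so the client can verify the service (mutual authentication)."""
    auth = req.headers.get("Authorization")
    if auth != f"Negotiate {CLIENT_TOKEN}":
        return Response(401, {"WWW-Authenticate": "Negotiate"})
    return Response(200, {"WWW-Authenticate": f"Negotiate {SERVER_TOKEN}"})


def lenient_service(req: Request) -> Response:
    """The rare service described in the text: answers 200 OK to an
    unauthenticated first request and sends no WWW-Authenticate header."""
    if "Authorization" not in req.headers:
        return Response(200, {})
    return kerberos_service(req)


@dataclass
class Outcome:
    requests_sent: int
    context_established: bool
    body_sent_before_context: bool
    passed: bool                       # whether the filter lets the message through
    trace: list = field(default_factory=list)   # (token?, body?, status) per request


def connect(service: Callable[[Request], Response], body: str,
            send_token_first: bool = False,
            body_only_after_context: bool = False,
            pass_on_200: bool = False) -> Outcome:
    """Client side of the exchange, with the three tab options as parameters."""
    trace = []
    context = False

    def send(with_token: bool, with_body: bool) -> Response:
        headers = {"Host": "service.example.com"}   # constructed host name
        if with_token:
            headers["Authorization"] = f"Negotiate {CLIENT_TOKEN}"
        resp = service(Request(headers, body if with_body else None))
        trace.append((with_token, with_body, resp.status))
        return resp

    # With the option set, the body is withheld until the context exists.
    include_body = not body_only_after_context

    resp = send(send_token_first, include_body)
    if resp.status == 401 and resp.headers.get("WWW-Authenticate") == "Negotiate":
        # Challenge received: repeat the request, this time carrying the token.
        resp = send(True, include_body)

    # Mutual authentication: the 200 must carry the server's token.
    www = resp.headers.get("WWW-Authenticate", "")
    if resp.status == 200 and www == f"Negotiate {SERVER_TOKEN}":
        context = True

    body_sent_before_context = any(with_body for _, with_body, _ in trace)

    if context:
        passed = True
        if body_only_after_context:
            send(True, True)          # context exists, now deliver the body
    elif resp.status == 200 and pass_on_200:
        passed = True                 # service answered 200 without a context
        if body_only_after_context:
            send(False, True)         # deliver the body as configured, no context
    else:
        passed = False

    return Outcome(len(trace), context, body_sent_before_context, passed, trace)


if __name__ == "__main__":
    print("default:", connect(kerberos_service, "payload"))
    print("token first:", connect(kerberos_service, "payload", send_token_first=True))
    print("body after context:", connect(kerberos_service, "payload",
                                         send_token_first=True,
                                         body_only_after_context=True))
    print("lenient, no pass:", connect(lenient_service, "payload"))
    print("lenient, pass:", connect(lenient_service, "payload", pass_on_200=True))
```

Running the script shows the trade-offs the options encode: sending the token with the first request saves one round trip; withholding the body until the context is established costs a request but keeps the payload off the wire until the service has proved its identity; and the pass-on-200 option is the only path by which a message reaches a service that never established a context, which is why the text leaves the decision to process it with the service.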