Kerberos Protocol Implementation requirements - Windows

Document ID : KB000100585
Last Modified Date : 11/06/2018
Question:
We have installed CA SSO 12.52 SP1 CR2.

We have Policy Servers in Windows VMs and SiteMinder Agents in Windows VMs (the SM Agents that are going to implement Kerberos Authentication).

Although I have not seen anything related to this, I'd like to confirm three points:

1. Is the Kerberos protocol implementation inside the CA SSO binaries, or is
   it delegated to the Windows/Linux box kernel where the SM Agent or Policy
   Server is installed?

2. Is it necessary that the Windows Domain where the Policy Server or
   SiteMinder Agents are installed has a Windows trust relationship with
   the Domain where the User Client Browser is running?

3. I'd like to confirm that the SiteMinder libraries do not use any
   call to Windows APIs to implement the protocol against the KDC on
   port 88. I mean, for example: SiteMinder does:

   - Open the connection to the KDC port.
   - Encrypt the communication, build the request packet, send/retrieve and
   analyze.

   All this without using the Microsoft Kerberos APIs?
Answer:
At first glance, 

1. Kerberos libraries are in the Web Agent and Policy Server
   libraries. That means that the Web Agent and the Policy Server make
   the Kerberos calls using these libraries. As such, the OS should be
   configured for Kerberos with the configuration files and the
   keytabs.

2. Web Agents and Policy Servers don't need to be trusted by the
   Windows Domain where the Active Directory KDC will be running.

   But the PC should be in the Windows Domain where the Active
   Directory KDC runs.

3. SiteMinder uses the MIT Kerberos libraries and doesn't rely on Microsoft
   APIs.
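Because the MIT libraries read the keytab on the agent host rather than asking Windows for credentials, the keytab itself is what an administrator should verify before enabling Kerberos. The following added example (not CA/SiteMinder code; the SPN HTTP/webagent.example.com@EXAMPLE.COM and all key bytes are constructed) parses a MIT-format keytab (version 0x0502), reports principal, kvno and enctype without exposing key material, and flags service entries that carry only RC4 keys or mixed kvnos.

```python
import struct
from dataclasses import dataclass

WEAK_ENCTYPES = {23}  # 23 = arcfour-hmac-md5 (RC4); 17/18 are AES128/AES256

@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key_len: int  # length only: the key bytes are never surfaced

def _cstr(b: bytes) -> bytes:           # counted octet string: uint16 len + bytes
    return struct.pack(">H", len(b)) + b

def _counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_keytab(entries) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab (sample data)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit vno, enctype, key length
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)   # optional 32-bit kvno suffix
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes):
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size < 0:                      # negative size = deleted slot, skip it
            off -= size; continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off); comps.append(c.decode())
        _ntype, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen                  # step over the key bytes unread
        kvno = vno8
        if end - off >= 4:                # 32-bit vno overrides the 8-bit one when set
            (vno32,) = struct.unpack_from(">I", data, off); kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, klen))
    return entries

def check_service_keys(entries, principal) -> list:
    """Findings for one SPN: missing entry, RC4-only keys, stale mixed kvnos."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return ["no key for " + principal]
    findings = []
    if all(e.enctype in WEAK_ENCTYPES for e in mine):
        findings.append("only RC4 keys: AES keys missing")
    if len({e.kvno for e in mine}) > 1:
        findings.append("mixed kvno: stale entries present")
    return findings
```

Run parse_keytab over the agent's real keytab file (read in binary mode) and check_service_keys against the HTTP/ SPN the Web Agent is configured with; a kvno that differs from the one Active Directory currently holds for that account is the usual cause of Kerberos failures on an otherwise correctly configured agent.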