The Layer 7 Gateway supports several Microsoft-specific authentication methods via Active Directory; in particular, the Gateway can accept and process Kerberos tickets for authentication. An account in Active Directory can be authorized for several types of delegated authority, and the Gateway supports authenticating accounts that are authorized for "Use Kerberos Only." An example Active Directory configuration is displayed below.
If a request attempts to authenticate against an Active Directory account for which "Use Kerberos Only" is selected, authentication may fail unless the correct authentication method is selected in the active published service policy in the Layer 7 Policy Manager. An error occurs if the Gateway attempts to authenticate a Kerberos-only user with non-Kerberos-based authentication.
The following error message may appear when attempting to authenticate a Kerberos-only account with the incorrect assertion:
Routing with Kerberos ticket failed with: Credentials for delegation not found.
To avoid this error, the affected service policy should use the Retrieve Kerberos Authentication Credentials assertion, configured with the following values:
- Realm: SUBDOMAIN.DOMAIN.COM
- Target SPN: http/server.subdomain.domain.com
- Gateway credentials: Use Gateway Keytab
Configuring the service policy and assertion in this manner allows the Gateway to authenticate to an Active Directory account that is enabled only for Kerberos-based authentication.
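An added check, not code from the original article or from the Gateway product: before selecting Use Gateway Keytab, confirm that the keytab the Gateway has been given actually contains entries for the Realm configured in the assertion, since a keytab exported for a different realm is one reason keytab-based credentials cannot be obtained. The snippet parses the MIT keytab format and lists principals whose realm does not match; the keytab bytes, the Gateway principal http/gateway.subdomain.domain.com and the key material are constructed for the example and are not taken from the page.

```python
import struct

def _cstr(s):  # counted octet string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(s)) + s.encode()
def _read_cstr(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Parse MIT keytab (version 0x0502) bytes into (principal, realm, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                     # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp)
        vno8, pos = data[pos + 8], pos + 9   # skip name type (4) and timestamp (4), read vno8
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                  # skip the key material itself; never print it
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(comps), realm, kvno, enctype))
        pos = end
    return entries

def realm_mismatches(entries, realm):
    """Principals whose realm differs from the assertion's Realm value (case-sensitive)."""
    return [p for p, r, _, _ in entries if r != realm]

def _entry(principal, realm, kvno, enctype, key):  # build one entry for the sample below
    svc, host = principal.split("/")
    body = struct.pack(">H", 2) + _cstr(realm) + _cstr(svc) + _cstr(host)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)           # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a current aes256 entry in the page's realm, a deleted slot, and a stale entry for the wrong realm.
GATEWAY_PRINCIPAL = "http/gateway.subdomain.domain.com"   # assumed host name, not from the page
SAMPLE_KEYTAB = (b"\x05\x02" + _entry(GATEWAY_PRINCIPAL, "SUBDOMAIN.DOMAIN.COM", 3, 18, b"\x11" * 32)
                 + struct.pack(">i", -4) + b"\x00" * 4            # deleted slot
                 + _entry(GATEWAY_PRINCIPAL, "DOMAIN.COM", 2, 17, b"\x22" * 16))
```

Against a real file, pass the result of `open(path, "rb").read()` to `parse_keytab` in place of `SAMPLE_KEYTAB`; the parser skips over the key bytes and never returns them.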