Kerberos overview

This overview describes the components, flow and version requirements for integrating Kerberos based Windows applications and Access Gateway. For more information about Windows Kerberos architectures see Kerberos application reference architecture.

Topics:

• Architecture
• Flow
• Components and requirements

Architecture

Flow

1. User signs in.
2. Okta sends user identity to Access Gateway.
3. Access Gateway accesses the predefined KDC with credentials.
4. KDC returns a Kerberos ticket.
5. Access Gateway redirects to a backing application.
6. Application returns completed request.
7. Access Gateway performs rewrites and returns request to user.

Components and requirements

Component	Description and requirements
Okta Access Gateway	All versions of Okta Access Gateway support Kerberos.
Microsoft IIS IWA or OWA IWA	Supported versions: Microsoft IIS IWA: IIS 7 or later Microsoft OWA IWA: IIS 7 or later
Dynamic Name Services	Access Gateway configured to use Windows DNS. See Add Access Gateway to Windows DNS for more information.
Windows Access Gateway service account	Account in the Windows domain to be used by the Kerberos service. See Create Windows Access Gateway service account for details of creating an appropriate service account.
Keytab	A keytab, used when configuring an Access Gateway Kerberos service. See Create keytab for details of creating a keytab.
Okta Access Gateway Kerberos	Kerberos service instance configured. See Add Kerberos service for details of defining a Access Gateway kerberos service.
External URL	External URL specified by the Public Domain field> within Access Gateway. For example: https://iis.idaasgateway.net.