Final configuration steps that tie it all together.
Figure 1. Kerberos Authentication Flow: UA to Web Server to GAS to DVM to DB
At this point, most of the configuration is complete. There is nothing really new to add here, except the notion of Kerberos Delegation. Kerberos Delegation is when a service uses the user Kerberos ticket to ask for a Kerberos Authentication on another service in the name of the user. It's a kind of multi-hop Kerberos Authentication that permits the forwarding of the user credential from service to service.
- Validate the configuration of the Web Server to use Kerberos Authentication on a whole site or on a specific URL using GAS dispatchers. For IIS server, see IIS Configuration.
- Validate the configuration of Web Browsers to use Kerberos Authentication:
- for Internet Explorer, see Internet Explorer Configuration
- for Firefox, see Firefox Configuration
- Validate the configuration of the GAS to use Kerberos Authentication.
- Remove all unnecessary SPNs (if any).
- Add SPN gassvc/gasserver.intranet.corporate.com to the account that runs the GAS.
- Configure Unconstrained Delegation [Windows™ Only]
- See Unconstrained
Delegation ConfigurationNote: Unconstrained Delegation is compatible with Windows 2000 and all Windows 2003 Active Directory servers, as opposed to Constrained Delegation.
- See Unconstrained
Delegation Configuration
- Launch application by the URL. Everything should work. http://webserver.intranet.corporate.com/gas/wa/r/application