Complete Configuration

Final configuration steps that tie it all together.



Figure 1. Kerberos Authentication Flow: UA to Web Server to GAS to DVM to DB

At this point, most of the configuration is complete. The only new notion here is Kerberos Delegation: a service uses the user's Kerberos ticket to request Kerberos authentication to another service on the user's behalf. It is a kind of multi-hop Kerberos authentication that forwards the user's credentials from service to service.

  1. Validate the configuration of the Web Server to use Kerberos Authentication on a whole site or on a specific URL using GAS dispatchers. For an IIS server, see IIS Configuration.
  2. Validate the configuration of Web Browsers to use Kerberos Authentication:
  3. Validate the configuration of the GAS to use Kerberos Authentication.
  4. Remove all unnecessary SPNs (if any).
  5. Add SPN gassvc/gasserver.intranet.corporate.com to the account that runs the GAS.
  6. Configure Unconstrained Delegation [Windows™ Only]
    • See Unconstrained Delegation Configuration
      Note: Unconstrained Delegation is compatible with Windows 2000 and all Windows 2003 Active Directory servers, as opposed to Constrained Delegation.
  7. Launch the application by its URL; everything should work: http://webserver.intranet.corporate.com/gas/wa/r/application
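
Steps 4 to 6 can be checked before launching the application. The following read-only audit is an added example, not part of the original documentation: it assumes the GAS runs under a domain user account, that the RSAT ActiveDirectory module is installed, and uses `gas_service` as a placeholder account name.

```powershell
# Added example: read-only audit of the GAS service account (changes nothing in AD).
# Requires the RSAT ActiveDirectory module and a domain user account for the GAS.
Import-Module ActiveDirectory

$GasAccount   = 'gas_service'   # placeholder sAMAccountName, not from the page
$ExpectedSpns = @('gassvc/gasserver.intranet.corporate.com')   # SPN from step 5

$user = Get-ADUser -Identity $GasAccount -Properties ServicePrincipalName, TrustedForDelegation
$registered = @($user.ServicePrincipalName)

# Step 4: SPNs on the account that are not expected are candidates for removal.
$extra   = @($registered   | Where-Object { $_ -notin $ExpectedSpns })
# Step 5: expected SPNs that are not registered on the account yet.
$missing = @($ExpectedSpns | Where-Object { $_ -notin $registered })

# An SPN must map to exactly one account; a duplicate makes ticket requests for it fail.
$duplicates = foreach ($spn in $ExpectedSpns) {
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName } |
        ForEach-Object { [pscustomobject]@{ Spn = $spn; HeldBy = $_.DistinguishedName } }
}

[pscustomobject]@{
    Account                 = $user.SamAccountName
    RegisteredSpns          = $registered -join ', '
    UnexpectedSpns          = $extra -join ', '
    MissingSpns             = $missing -join ', '
    UnconstrainedDelegation = $user.TrustedForDelegation   # step 6 sets this flag
} | Format-List

if ($duplicates) { $duplicates | Format-Table -AutoSize }

# Print the setspn commands an administrator would review and run by hand.
$extra   | ForEach-Object { "setspn -D $_ $GasAccount" }
$missing | ForEach-Object { "setspn -S $_ $GasAccount" }
```

The script only prints the `setspn` commands; `setspn -S` checks for an existing registration of the SPN before adding it.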