Configuring constrained Kerberos delegation in DataPower firmware Release 6.0.0
DataPower firmware release 6.0.0 adds support for constrained Kerberos delegation. This document clarifies how to configure a Kerberos principal within Active Directory on Microsoft Windows Server 2008 for use with the constrained delegation support on DataPower.
Note that DataPower release 6.0.0 does not support traditional unconstrained Kerberos delegation where the principal is allowed to delegate to all services in the realm. It only supports constrained Kerberos delegation where the principal is only allowed to delegate to a specific list of services in the realm.
Resolving the problem
- Use the setspn.exe utility to create a service principal name (SPN) for the Windows user account that will be the Kerberos proxy principal. See the "Create a client SPN" section in the developerWorks article Configuring a WebSphere DataPower Kerberos-secured backend server for detailed steps.
- Define the constrained delegation properties for the Kerberos proxy principal in Active Directory on your Windows server. Use the following procedure on Windows Server 2008:
  - Select Start > All Programs > Administrative Tools > Active Directory Administration Center.
  - In the navigation tree on the left panel, expand the domain container and select Users to display the Users panel.
  - From the list of user names, double-click the user account for which you want to enable constrained delegation.
  - In the Delegation section, click Trust this user for delegation to specified services only and Use any authentication protocol.
  - Use the Add... button to add each service (Kerberos server principal) that the user should be able to delegate to.
  - Click OK to save the constrained delegation configuration.
- Use the ktpass.exe utility to extract the Kerberos proxy principal's keytab. See the "Create the client keytab file" section in the developerWorks article Configuring a WebSphere DataPower Kerberos-secured backend server for detailed steps.
- Define the Kerberos configuration on the DataPower appliance by creating a Kerberos KDC Server object as well as a Kerberos Keytab object for the proxy principal's keytab file. See the "Configuring access to a Kerberos KDC server" and "Configuring a Kerberos keytab file" topics in the DataPower Information Center for more information.
- Define the following properties in the AAA policy configuration on the DataPower appliance:
  - Select Kerberos AP-REQ from WS-Security header or Kerberos AP-REQ from SPNEGO under the Identity extraction settings.
  - Select Validate Kerberos AP-REQ for server principal as the Method in the Authentication settings.
  - Set the Kerberos proxy principal name and the Kerberos proxy's Keytab object in the Authentication settings.
  - Enable either the Include a WS-Security Kerberos AP-REQ token toggle or the Generate Kerberos SPNEGO Token toggle in the Postprocessing settings.
  - Enable the Use constrained delegation when generating Kerberos AP-REQ or SPNEGO tokens in this step toggle in the Postprocessing settings.
  - Enter the Kerberos server principal in the Postprocessing settings.
See the "Authentication" and "Postprocessing" topics in the DataPower Information Center for more information.
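The Active Directory steps above map to two userAccountControl flags and one attribute on the proxy account, so the result can be verified before the DataPower side is configured. The following PowerShell check is an added example, not part of the IBM technote or the developerWorks article; it assumes the RSAT ActiveDirectory module is installed, and the account name and backend service principal are constructed placeholders.

```powershell
# Added example (not from the technote): confirm the Kerberos proxy principal is
# configured for constrained delegation only, as DataPower 6.0.0 requires.
Import-Module ActiveDirectory

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)] [string] $ProxyAccount,  # sAMAccountName of the DataPower proxy principal
        [Parameter(Mandatory)] [string] $BackendSpn     # Kerberos server principal DataPower delegates to
    )

    # userAccountControl bits (Microsoft ADS_USER_FLAG_ENUM)
    $TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: not supported by DataPower 6.0.0
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

    $acct = Get-ADUser -Identity $ProxyAccount `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
    $uac     = [int]$acct.userAccountControl
    $allowed = @($acct.'msDS-AllowedToDelegateTo')   # the services chosen with the Add... button

    $result = [ordered]@{
        Account            = $acct.SamAccountName
        HasClientSpn       = ($acct.servicePrincipalName.Count -gt 0)                 # set by setspn.exe
        Unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)             # must be False
        ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)     # must be True
        ConstrainedTargets = $allowed
        BackendSpnListed   = ($allowed -contains $BackendSpn)
    }
    # Ok is True only in the exact state the procedure above produces.
    $result.Ok = $result.HasClientSpn -and -not $result.Unconstrained -and
                 $result.ProtocolTransition -and $result.BackendSpnListed
    return [pscustomobject]$result
}

# Constructed sample values; substitute the proxy account and backend SPN used in your realm.
Test-ConstrainedDelegation -ProxyAccount 'dpkrbproxy' -BackendSpn 'HTTP/backend.example.com' | Format-List
```

If Unconstrained is True the account was set to "Trust this user for delegation to any service", which DataPower 6.0.0 does not support; if ProtocolTransition is False the "Use any authentication protocol" option was not selected.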