Configuring Kerberos constrained delegation with IAG SP2

Updated: February 10, 2010

Applies To: Intelligent Application Gateway (IAG)

One of the technologies used by Whale Communications Intelligent Application Gateway (IAG) 2007 in order to accomplish single sign-on functionality is Kerberos constrained delegation.

This setting enables users to access both the IAG site and the applications that are enabled through it by using client-certificate authentication, such as smart-card authentication, Active Directory Federation Services, or one-time passwords. When this feature is enabled, users authenticate to the site only once. They are not required to supply their credentials in order to log on to applications that require users' authentication.

For more information about Kerberos constrained delegation technology, see Kerberos Protocol Transition and Constrained Delegation (

To use Kerberos constrained delegation for application single sign-on, complete the following steps:

  1. Set domain to the Windows Server 2003 functional level, as described in How to raise domain and forest functional levels in Windows Server 2003 (

  2. If you want to allow end users to authenticate by using client certificates, see Configuring LDAP client certificate authentication in IAG.

    When you reach step 7, open the following file:


    Make the following modification:

    KCDAuthentication_on = true

  3. Perform the procedure described in Configuring Kerberos constrained delegation on the Web Settings tab of the application.

  4. Perform the procedure described in Configuring Active Directory computer accounts for Kerberos constrained delegation.

  5. Make sure that the application servers are configured for Kerberos authentication. See the following examples for application-server configuration to support Kerberos protocol:

The following are the requirements for Kerberos constrained delegation:

  • The IAG server must be part of a domain.

  • You must define at least one authentication server for the trunk to which the application belongs.

  • All domain controllers in the internal network need to be computers running Windows Server 2003.

  • Users must be part of the same Active Directory forest as the IAG server and the application servers.

  • IAG and application servers must be part of the same domain.

You can only configure Kerberos constrained delegation on an existing application via the Web Settings tab. If you are adding a new application to the trunk by using the Add Application Wizard, on the Authentication page, click Next in order to skip this step. When you complete the wizard, perform the following procedure.

To complete this procedure, you need to know the service principal name of the application. A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. For more information on SPNs, see Service Principal Names (

Each instance of a service that uses Kerberos authentication needs to have an SPN defined for it so that clients can identify that instance of the service on the network.

To configure Kerberos constrained delegation on the Web Settings tab of the application

  1. On the IAG Configuration console, in the Applications group box, click the application, and then click Edit.

  2. On the Application Properties page, click the Web Settings tab.

  3. On the Web Settings tab, do the following:

    1. Select Automatically Reply to Application-Specific Authentication Requests.

    2. Click Use Kerberos constrained delegation.

    3. In the Application service principal name text box, type the SPN, and then click OK.

      You can set the SPN explicitly, or you can use the wildcard * (for example, owa/*).

      You must use the SPN explicitly if the SPN of this application was not defined in the default format SPNs (service name/hostname) in the application server. This might happen when an application is published as part of a load-balanced Web farm and runs with an application account identity and not with a computer account identity.

      If you choose to use a wildcard, the addresses for all the servers of this application (defined on the Web Servers tab) cannot be IP addresses and must be host names. The wildcard is translated to each of the host names defined on the Web Servers tab. If the SPN of the application in the application server is defined as a fully qualified domain name (FQDN), then IAG translates it two SPNs: hostname and FQDN (for example, owa and If the application's SPN in the application server is defined as a hostname, then IAG translates it two SPNs: a hostname and an FQDN with the IAG Domain Name System domain.

To use Kerberos constrained delegation, you need to configure Active Directory Domain Services.

The SPN of the application that you defined in the above procedure needs to be registered in Active Directory Domain Services. Registering an SPN in Active Directory Domain Services maps the SPN to the Windows account under which the service specified in the SPN is running. Instances of some services can automatically register their SPNs at startup.

Only an Active Directory domain administrator can register SPNs in Active Directory Domain Services.

To register the SPNs, you need to create a file containing a list of SPNs. This file is specific for each IAG configuration file. The SPNs in this file represent the applications on which IAG enables Kerberos constrained delegation.

You can create this file as a simple text file, from where the Active Directory domain administrator needs to manually copy the information to Active Directory Domain Services, or you can create this file as a Lightweight Directory Access Protocol Data Interchange Format (LDIF) file that the Active Directory domain administrator can import into Active Directory Domain Services by using the standard Windows utility ldifde. For more information, see Delegating authentication ( in Windows Server TechCenter.

If you use an LDIF file in order to configure delegation in Active Directory Domain Services, the LDIF file replaces the existing delegation information in Active Directory Domain Services with the information in the file, thus deleting any delegation settings that were configured manually. If any settings that were configured manually need to be preserved, when you transfer the LDIF file to the Active Directory domain administrator, inform them that they should note the existing settings before they import the LDIF file, and then manually re-apply the settings that were deleted.

To configure Active Directory Domain Services for Kerberos constrained delegation

  1. On the IAG Configuration console, on the menu, click Admin, and then click Export to Active Directory.

  2. On the Export to Active Directory dialog box, click either Export to Text File or Export to LDIF File.

  3. Save the file, and then transfer it to the Active Directory domain administrator.

    It is recommended that the LDIF file is used soon after it is created in order to ensure consistency in Active Directory Domain Services settings.