Single sign-on using Kerberos constrained delegation

You can set up constrained delegation by allowing WebSEAL to request a Windows Kerberos ticket on behalf of the client from the key distribution centre (KDC). The ticket can then be used by WebSEAL to impersonate the client to authenticate with the junctioned Web server.

Two extensions are involved in this process: Service-for-User-to-Self (S4U2Self) and Service-for-User-to-Proxy (S4U2Proxy). S4U2Self allows a service to acquire a ticket from the KDC on behalf of a client. S4U2Proxy allows a service to use the ticket obtained through S4U2Self to acquire another ticket to an external service.

The diagram above shows a sample deployment of single sign-on using Kerberos constrained delegation.

  1. Client uses the standard Security Access Manager authentication process to authenticate to WebSEAL over HTTPS or HTTP and requests an object on the junctioned server. WebSEAL authorizes the request from the client, and determines that a Kerberos ticket is needed to access the junctioned application.
  2. WebSEAL requests a Windows Kerberos ticket on behalf of the client from the key distribution centre (KDC).
  3. KDC issues the Kerberos ticket to WebSEAL.
  4. The WebSEAL server forwards the Kerberos ticket along with the client request to the junctioned Web server over either HTTP or HTTPS.
  5. The junctioned Web server requests validation of the Kerberos ticket from the KDC.
  6. The KDC verifies that the Kerberos ticket is valid.
  7. The junctioned Web server returns an HTTP response to WebSEAL.
  8. WebSEAL returns the HTTP response to the client.

To allow WebSEAL to perform Kerberos single sign-on for a junction, ensure that:

Kerberos tickets rely on embedded time stamps to decide the expiration of old tickets. For this reason, it is important to ensure that the clocks on all machines in the environment are synchronized.
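The following Python model, added here as an illustration and not code from WebSEAL or any real KDC, walks through the S4U2Self and S4U2Proxy decisions of steps 2 to 6 and shows how a delegation target that is not permitted, or a junctioned server whose clock has drifted, causes the flow to fail. The principal names, the delegation policy and the five-minute skew tolerance are assumptions.

```python
from dataclasses import dataclass

MAX_CLOCK_SKEW = 300  # seconds; assumed tolerance for clock drift between hosts


@dataclass(frozen=True)
class Ticket:
    client: str     # principal the ticket was issued on behalf of
    service: str    # principal the ticket is addressed to
    issued_at: int  # epoch seconds, stamped by the KDC's clock
    expires_at: int


class ToyKDC:
    """Hypothetical KDC modelling the two extensions the text describes."""

    def __init__(self, delegation_policy, lifetime=8 * 3600):
        # service principal -> set of target principals it may delegate to
        self.policy = delegation_policy
        self.lifetime = lifetime

    def validate(self, ticket, now):
        # Time checks that fail when the validating host's clock has drifted too far
        if ticket.issued_at > now + MAX_CLOCK_SKEW:
            raise ValueError("ticket issued in the future: clocks are not synchronized")
        if now > ticket.expires_at:
            raise ValueError("ticket expired")

    def s4u2self(self, service, client, now):
        # The service authenticated the client by other means (here: WebSEAL's own
        # authentication) and asks for a ticket to itself on the client's behalf
        return Ticket(client, service, now, now + self.lifetime)

    def s4u2proxy(self, service, evidence, target, now):
        # The service presents the S4U2Self ticket as evidence and asks for a ticket to the target
        if evidence.service != service:
            raise PermissionError("evidence ticket was not issued to the requesting service")
        self.validate(evidence, now)
        if target not in self.policy.get(service, set()):
            raise PermissionError(f"{service} may not delegate to {target}")
        return Ticket(evidence.client, target, now, evidence.expires_at)


def webseal_sso(kdc, webseal, client, junction, webseal_now, junction_now):
    """Steps 2 to 6: WebSEAL obtains a ticket for the client; the junctioned server validates it."""
    self_ticket = kdc.s4u2self(webseal, client, webseal_now)
    proxy_ticket = kdc.s4u2proxy(webseal, self_ticket, junction, webseal_now)
    kdc.validate(proxy_ticket, junction_now)  # validation requested by the junctioned server
    return proxy_ticket
```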