Kerberos-Enabled Cross-Realm Authentication with On-Premises Microsoft Active Directory
reference-architecture
Diagram
Description
This reference architecture presents cross-realm Kerberos authentication with on-premises Microsoft Active Directory: a client that authenticated in one AD domain (its Kerberos realm) obtains a service ticket for a service hosted in another AD domain, over a trust relationship between the two domains.
This is a high-level view. In practice, the Kerberos protocol is composed of several sub-protocols (the AS, TGS and AP exchanges, plus the referral that carries a client across realms), multiple versions, and multiple options. The Bibliography section provides links to detailed references on the topic.
Components
Component | Description |
---|---|
Service Principal Name (SPN) | A name by which a client identifies one instance of a service when it requests a service ticket. An SPN is not arbitrary: in AD it has the form serviceclass/host[:port][/servicename] (for example cifs/fs01.service.example), it is registered on the account under which the service runs, and it must be unique in the forest. The KDC uses the SPN to find that account and seal the service ticket with its key; a missing or duplicate SPN therefore breaks ticket issuance or mutual authentication. References: Service Principal Names - Win32 apps | Microsoft Docs |
Options
Option | Description |
---|---|
Mutual Authentication | By default only the client is authenticated: the service proves nothing to the client beyond accepting its ticket. When mutual authentication is requested, the service answers the AP-REQ with an AP-REP encrypted under the ticket's session key, which only a holder of the service's key could recover, so the client learns that it is talking to the genuine service named by the SPN. |
Selective Authentication | By default (domain-wide authentication) a trust lets every authenticated user of the trusted domain authenticate to every computer in the trusting domain; the trust governs only who may authenticate, not what they may access afterwards. Selective authentication narrows this: when it is enabled on the trust, a user from the trusted domain can obtain a service ticket for a computer in the trusting domain only if the Allowed to Authenticate permission has been granted to that user (or a group containing it) on that computer's account object; other requests are refused by the trusting domain's domain controllers. |
Cross-Forest | This configuration may be extended across distinct forests by means of a forest trust; the same domain-wide versus selective authentication choice applies to forest trusts. |
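The following simulation is an added example, not content from the Open Measure page nor from any Microsoft implementation. It walks the exchanges summarised above (AS exchange in the client's realm, referral to the service's realm via an inter-realm TGT, TGS exchange at the service's realm, AP exchange with optional mutual authentication) and models selective authentication as an allow list checked by the trusting realm's KDC before it issues a service ticket. The realm names CLIENT.EXAMPLE and SERVICE.EXAMPLE, the user alice, the SPN cifs/fs01.service.example and the one-way trust (SERVICE trusts CLIENT) are assumptions; the "cipher" is a toy encrypt-then-MAC construction standing in for Kerberos encryption types, and the placement of the Allowed to Authenticate check at the KDC during the TGS exchange is a simplification of Active Directory's behaviour.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # max authenticator age in seconds (Kerberos default clock-skew tolerance is 5 minutes)

# Toy encrypt-then-MAC standing in for Kerberos encryption types. NOT a real cipher: illustration only.
def _keystream(key, nonce, n):
    blocks = range((n + 31) // 32)
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)[:n]

def seal(key, obj):
    nonce, pt = os.urandom(12), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def ticket(issuer, sname, key, body):
    # Cleartext part (issuing realm, service name) tells the recipient which key unlocks the sealed body.
    return {"issuer": issuer, "sname": sname, "enc": seal(key, body)}

def authenticator(sk, client, ts):
    return seal(sk, {"client": client, "ts": ts})  # proves fresh possession of the session key

class KDC:
    def __init__(self, realm, keys, trust_keys, spn_realms, selective=None):
        self.realm, self.keys, self.trust_keys = realm, keys, trust_keys
        self.spn_realms = spn_realms  # SPN -> owning realm (what AD resolves from the forest's SPN registrations)
        self.selective = selective    # host -> set of "user@REALM" holding Allowed to Authenticate; None = domain-wide

    def as_exchange(self, client):
        """AS-REQ/AS-REP: a TGT for this realm plus the session key, the latter sealed under the client's key."""
        sk = os.urandom(16).hex()
        body = {"client": client, "crealm": self.realm, "sk": sk}
        return ticket(self.realm, f"krbtgt/{self.realm}", self.keys["krbtgt"], body), seal(self.keys[client], {"sk": sk})

    def _tgt_key(self, tgt):
        if tgt["issuer"] == self.realm:
            return self.keys["krbtgt"]
        if tgt["sname"] == f"krbtgt/{self.realm}" and tgt["issuer"] in self.trust_keys:
            return self.trust_keys[tgt["issuer"]]  # inter-realm TGT: sealed under the trust key shared with that realm
        raise ValueError(f"{self.realm} has no trust with {tgt['issuer']}")

    def tgs_exchange(self, tgt, auth, spn):
        """TGS-REQ/TGS-REP: a service ticket, or a referral (inter-realm TGT) when the SPN belongs to another realm."""
        t = unseal(self._tgt_key(tgt), tgt["enc"])
        a = unseal(bytes.fromhex(t["sk"]), auth)
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > SKEW:
            raise ValueError("authenticator does not match the TGT or is stale")
        target, sk = self.spn_realms[spn], os.urandom(16).hex()
        body = {"client": t["client"], "crealm": t["crealm"], "sk": sk}
        if target != self.realm:
            # Referral: this KDC cannot issue for a foreign SPN, so it issues a TGT the target realm's KDC can decrypt.
            return ticket(self.realm, f"krbtgt/{target}", self.trust_keys[target], body), seal(bytes.fromhex(t["sk"]), {"sk": sk})
        if self.selective is not None and t["crealm"] != self.realm:
            host = spn.split("/")[1]  # selective authentication (modelled): foreign clients need Allowed to Authenticate on the host
            if f'{t["client"]}@{t["crealm"]}' not in self.selective.get(host, set()):
                raise PermissionError(f"policy: {t['client']}@{t['crealm']} lacks Allowed to Authenticate on {host}")
        return ticket(self.realm, spn, self.keys[spn], body), seal(bytes.fromhex(t["sk"]), {"sk": sk})

def service_accept(service_key, st, auth, mutual):
    """AP-REQ on the service side; returns the authenticated principal and, if mutual auth is on, an AP-REP."""
    t = unseal(service_key, st["enc"])
    sk = bytes.fromhex(t["sk"])
    a = unseal(sk, auth)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > SKEW:
        raise ValueError("bad authenticator")
    # AP-REP: only a holder of the service key could recover sk, so echoing the timestamp under sk proves the service is genuine.
    return f'{t["client"]}@{t["crealm"]}', (seal(sk, {"ts": a["ts"]}) if mutual else None)

def run(allowed=None, mutual=True):
    """alice@CLIENT.EXAMPLE reaches cifs/fs01 in SERVICE.EXAMPLE over a one-way trust (SERVICE trusts CLIENT).
    allowed=None models domain-wide authentication; a set models selective authentication with that allow list."""
    spn, k_alice, k_fs01, k_trust = "cifs/fs01.service.example", os.urandom(16), os.urandom(16), os.urandom(16)
    spn_realms = {spn: "SERVICE.EXAMPLE"}
    client_kdc = KDC("CLIENT.EXAMPLE", {"krbtgt": os.urandom(16), "alice": k_alice}, {"SERVICE.EXAMPLE": k_trust}, spn_realms)
    selective = None if allowed is None else {"fs01.service.example": allowed}
    service_kdc = KDC("SERVICE.EXAMPLE", {"krbtgt": os.urandom(16), spn: k_fs01}, {"CLIENT.EXAMPLE": k_trust}, spn_realms, selective)

    tgt, rep = client_kdc.as_exchange("alice")                                              # 1. AS exchange, home realm
    sk = bytes.fromhex(unseal(k_alice, rep)["sk"])
    ref, rep = client_kdc.tgs_exchange(tgt, authenticator(sk, "alice", time.time()), spn)   # 2. referral: inter-realm TGT
    sk = bytes.fromhex(unseal(sk, rep)["sk"])
    st, rep = service_kdc.tgs_exchange(ref, authenticator(sk, "alice", time.time()), spn)  # 3. service ticket, service realm
    sk = bytes.fromhex(unseal(sk, rep)["sk"])
    ts = time.time()
    principal, ap_rep = service_accept(k_fs01, st, authenticator(sk, "alice", ts), mutual)  # 4. AP exchange
    mutual_ok = mutual and unseal(sk, ap_rep)["ts"] == ts
    return principal, ref["sname"], mutual_ok
```

Running run() returns the principal the service accepted, the name of the referral ticket (krbtgt/SERVICE.EXAMPLE, which is what the client's home KDC hands back instead of a service ticket), and whether the AP-REP verified. Note what the service realm never sees: alice's password-derived key. It trusts the client realm's KDC because the inter-realm TGT unseals under the shared trust key, which is exactly the dependency described under Identity and Access Governance, and why run(set()) is refused once selective authentication is on but nobody has been granted Allowed to Authenticate on fs01.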
Identity and Access Governance
Theme | Situation | Possible Approaches |
---|---|---|
Authentication | The service domain does not verify the client's credentials itself: it relies on the trust relationship and accepts that the client domain's KDC has authenticated the client correctly. Whoever controls the client domain's KDC, or the inter-realm trust key, can therefore present as any principal of the client domain to services in the service domain. | Treat the trusted domain as part of the service domain's security boundary; enable selective authentication on the trust and grant Allowed to Authenticate only to the groups that need each service; use mutual authentication so that clients do not release authenticators to a service that cannot prove its identity. |
Bibliography
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.