Kerberos-Enabled Cross-Realm Authentication with On-Premises Microsoft Active Directory

reference-architecture

Diagram

Description

This reference architecture presents Kerberos-enabled cross-realm authentication with on-premises Microsoft Active Directory: a client in one AD domain (Kerberos realm) authenticates to a service in another AD domain over a trust between the two domains.

This is a high-level view. In practice, the Kerberos protocol is composed of multiple sub-protocols (the AS, TGS and AP exchanges), multiple versions, and multiple options. The Bibliography section provides links to detailed references on the topic.

Components

Service Principal Name (SPN)

A string that uniquely identifies an instance of a service in the AD domain (and forest). It is registered in the servicePrincipalName attribute of the account that runs the service (a computer account or a service account), and the KDC encrypts the service ticket with that account's key, so the SPN the client asks for determines which account must hold the key. Format: <service class>/<host>[:<port>][/<service name>] (for example HTTP/web01.corp.example). An SPN must be unique across the forest: if two accounts register the same SPN, the KDC may encrypt the ticket with a key the real service does not hold and the service rejects it (KRB_AP_ERR_MODIFIED); if no account registers it, the KDC answers KDC_ERR_S_PRINCIPAL_UNKNOWN and Windows clients typically fall back to NTLM.

References: Service Principal Names - Win32 apps | Microsoft Docs
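As an added example (not code from the page or from Microsoft), the following Python parses SPNs in the format above, normalises them the way AD compares servicePrincipalName values (case-insensitively), and runs the two checks a practitioner wants before relying on Kerberos for a service: that exactly one account registers the SPN, and that no SPN is duplicated across accounts. The account and host names in ACCOUNTS are constructed sample data standing in for an LDAP search over the domain.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# <service class>/<host>[:<port>][/<service name>]; neither class nor host may contain '/' or ':'.
SPN_RE = re.compile(r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/(?P<name>[^/]+))?$")


class Spn(NamedTuple):
    service_class: str
    host: str
    port: Optional[int]
    service_name: Optional[str]

    def canonical(self) -> str:
        """Comparison form: AD matches servicePrincipalName values case-insensitively."""
        text = f"{self.service_class}/{self.host}".lower()
        if self.port is not None:
            text += f":{self.port}"
        if self.service_name is not None:
            text += f"/{self.service_name.lower()}"
        return text


def parse_spn(text: str) -> Spn:
    m = SPN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed SPN: {text!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in SPN: {text!r}")
    return Spn(m["cls"], m["host"], port, m["name"])


def is_valid_spn(text: str) -> bool:
    try:
        parse_spn(text)
        return True
    except ValueError:
        return False


def spn_owners(accounts: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Canonical SPN -> accounts that register it. `accounts` maps an account to its
    servicePrincipalName values, as an LDAP search over the domain would return them."""
    owners: Dict[str, List[str]] = defaultdict(list)
    for account, spns in accounts.items():
        for raw in spns:
            owners[parse_spn(raw).canonical()].append(account)
    return dict(owners)


def duplicate_spns(accounts: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """SPNs registered on more than one account. The KDC may then encrypt the service
    ticket with a key the real service does not hold and the service answers
    KRB_AP_ERR_MODIFIED; Kerberos to that service is broken until the duplicate is removed."""
    return {spn: accts for spn, accts in spn_owners(accounts).items() if len(accts) > 1}


def resolve_spn(accounts: Dict[str, List[str]], requested: str) -> str:
    """The single account whose key the KDC uses for a ticket to `requested`."""
    accts = spn_owners(accounts).get(parse_spn(requested).canonical(), [])
    if not accts:
        # The KDC would answer KDC_ERR_S_PRINCIPAL_UNKNOWN; Windows clients then
        # usually fall back to NTLM, so the service silently loses Kerberos.
        raise LookupError(f"no account registers {requested}")
    if len(accts) > 1:
        raise LookupError(f"{requested} is registered on {len(accts)} accounts: {accts}")
    return accts[0]


# Constructed sample directory content (hypothetical accounts and hosts, not from the page).
ACCOUNTS = {
    "CORP\\web01$": ["HOST/web01", "HOST/web01.corp.example", "HTTP/web01.corp.example"],
    "CORP\\svc-web": ["http/WEB01.corp.example", "HTTP/intranet.corp.example"],
    "CORP\\sql01$": ["MSSQLSvc/sql01.corp.example:1433"],
}

if __name__ == "__main__":
    for spn, accts in duplicate_spns(ACCOUNTS).items():
        print(f"duplicate SPN {spn}: {accts}")
    print(resolve_spn(ACCOUNTS, "MSSQLSvc/SQL01.corp.example:1433"))
```

In the sample, HTTP/web01.corp.example is registered on both the computer account and the service account (differing only in case), which is exactly the situation that breaks Kerberos for the web service; the unqualified HOST/web01 and the FQDN form are distinct SPNs and both need to be present for clients that use either name.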

Options

Mutual Authentication

By default a Kerberos AP exchange authenticates only the client to the service. With mutual authentication the service also proves to the client that it holds the key the service ticket was encrypted with, by returning an AP-REP protected with the ticket's session key. The client has to request it (on Windows, the ISC_REQ_MUTUAL_AUTH flag in SSPI, or the equivalent of the GSS-API wrapper in use); a client that does not has no proof that it reached the account that owns the SPN.

Selective Authentication

By default a trust is trust-wide: every security principal of the trusted domain can authenticate to every computer in the trusting domain, and only the authorization on the resource itself (ACLs) limits what it can then do. Selective authentication changes the trust so that authentication is itself authorized: a principal from the trusted domain is accepted by a computer in the trusting domain only if it has been granted the Allowed to Authenticate permission on that computer's account object; everyone else from the trusted domain is refused at authentication time, before resource ACLs are evaluated. When selective authentication is enabled, the permission must therefore be granted, on the computer object of the server hosting the service, to the users or groups that should reach it. Selective authentication is an option of external and forest trusts; trusts between domains of the same forest are always forest-wide.

Cross-Forest

This configuration may be extended across distinct forests with a forest trust: the two forest root domains share the inter-realm (trust) key, and name suffix routing tells a KDC to which forest it should refer a client for a given realm. Selective authentication and SID filtering are both configured per trust in this case.

Identity and Access Governance

Theme: Authentication

Situation: With this setup, the service (trusting) AD domain assumes that the client (trusted) AD domain may be trusted to authenticate the client. Its KDC accepts whatever principal is named in a referral TGT that validates under the inter-realm key, and has no evidence about the client beyond that ticket; the security of the service domain therefore depends on the integrity of the client domain's KDC and of the trust key.

Possible Approaches: Treat the trusted domain as part of the service domain's security boundary (domains of one forest), or, across forests, keep SID filtering enabled on the trust and use selective authentication so that only the computers that need principals from the trusted domain accept them.
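The exchange described in the Options and Authentication sections, as an added example that is not part of the original page and not Microsoft's implementation: a Python model with one KDC per realm, a client in the trusted realm, and a service in the trusting realm. It follows the AS exchange, the krbtgt referral to the service realm over the inter-realm key, the selective authentication check on the target host, and a mutual AP exchange. The realm, host and account names are hypothetical, and an HMAC over JSON stands in for Kerberos encryption; the point it shows is which key validates each ticket, and that the trusting KDC learns the client's identity only from the ticket the trusted KDC issued.

```python
import hashlib, hmac, json, os, time

# Toy stand-in for Kerberos encryption: an HMAC over a JSON body. Only a holder of the key can
# mint or validate a token, the property the ticket flow relies on; unlike RFC 4120 it hides nothing.
def seal(key: bytes, fields: dict) -> dict:
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "mac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}

def unseal(key: bytes, token: dict) -> dict:
    want = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, token["mac"]):
        raise PermissionError("token was not sealed with the expected key")
    return json.loads(token["body"])

class Kdc:
    """One realm's KDC. keys: principal or SPN -> long-term key ('krbtgt' is the realm's TGT key).
    trusts: other realm -> inter-realm key shared with it. selective: trusted realm ->
    {host: {principals}} (Allowed to Authenticate per host); trusts absent from it are trust-wide."""
    def __init__(self, realm, keys, trusts, selective=None):
        self.realm, self.keys, self.trusts, self.selective = realm, keys, trusts, selective or {}

    def as_exchange(self, user, user_key):
        if self.keys.get(user) != user_key:                       # pre-authentication
            raise PermissionError("pre-authentication failed")
        sk = os.urandom(16)
        tgt = seal(self.keys["krbtgt"], {"client": f"{user}@{self.realm}",
                                         "sname": f"krbtgt/{self.realm}", "sk": sk.hex()})
        return tgt, sk

    def tgs_exchange(self, tgt, issuer_realm, authenticator, spn, spn_realm):
        # A TGT this realm minted is under the krbtgt key; a referral TGT from a trusted realm is
        # under the inter-realm key. Either way the client's identity is whatever the ticket says.
        key = self.keys["krbtgt"] if issuer_realm == self.realm else self.trusts[issuer_realm]
        t = unseal(key, tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match the ticket's client")
        client, client_realm = t["client"], t["client"].rsplit("@", 1)[1]
        sk = os.urandom(16)
        if spn_realm != self.realm:                               # refer the client onwards
            if spn_realm not in self.trusts:
                raise LookupError(f"{self.realm} has no trust path to {spn_realm}")
            ref = {"client": client, "sname": f"krbtgt/{spn_realm}", "sk": sk.hex()}
            return seal(self.trusts[spn_realm], ref), sk, ref["sname"]
        if client_realm != self.realm:                            # client arrived over a trust
            if client_realm != issuer_realm:
                raise PermissionError("trusted KDC vouched for a principal outside its own realm")
            host = spn.split("/")[1].split(":")[0]
            allowed = self.selective.get(issuer_realm)
            if allowed is not None and client not in allowed.get(host, set()):
                raise PermissionError(f"{client} is not allowed to authenticate to {host}")
        if spn not in self.keys:
            raise LookupError(f"no account in {self.realm} owns SPN {spn}")
        return seal(self.keys[spn], {"client": client, "sname": spn, "sk": sk.hex()}), sk, spn

class Service:
    def __init__(self, spn, key):
        self.spn, self.key = spn, key
    def ap_exchange(self, ticket, authenticator, mutual):
        t = unseal(self.key, ticket)                              # only the SPN owner's key works
        sk = bytes.fromhex(t["sk"])
        a = unseal(sk, authenticator)
        if t["sname"] != self.spn or a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
            raise PermissionError("service ticket or authenticator rejected")
        ap_rep = seal(sk, {"ts": a["ts"]}) if mutual else None    # AP-REP: proves the service has sk
        return t["client"], ap_rep

class Client:
    def __init__(self, user, realm, key, kdcs):
        self.principal, self.realm = f"{user}@{realm}", realm
        self.tgt, self.sk = kdcs[realm].as_exchange(user, key)   # AS exchange at logon
    def authenticator(self, sk):
        return seal(sk, {"client": self.principal, "ts": time.time()})
    def get_service_ticket(self, kdcs, spn, spn_realm):
        ask, issuer, tgt, sk = self.realm, self.realm, self.tgt, self.sk
        while True:                                               # follow krbtgt referrals
            ticket, sk, sname = kdcs[ask].tgs_exchange(tgt, issuer, self.authenticator(sk), spn, spn_realm)
            if not sname.startswith("krbtgt/"):
                return ticket, sk
            ask, issuer, tgt = sname.split("/")[1], ask, ticket
    def authenticate_to(self, kdcs, service, spn, spn_realm, mutual=True):
        ticket, sk = self.get_service_ticket(kdcs, spn, spn_realm)
        auth = self.authenticator(sk)
        client, ap_rep = service.ap_exchange(ticket, auth, mutual)
        if mutual and unseal(sk, ap_rep)["ts"] != unseal(sk, auth)["ts"]:
            raise PermissionError("service failed mutual authentication")
        return client

def run_scenario(selective_trust, spn):
    """Constructed two-realm lab (hypothetical names): alice from CLIENT.EXAMPLE authenticates to
    an HTTP service in SVC.EXAMPLE. Returns the accepted principal or the refusal reason."""
    inter = os.urandom(16)                                        # trust key both KDCs hold
    allowed = {"CLIENT.EXAMPLE": {"web01.svc.example": {"alice@CLIENT.EXAMPLE"}}}
    kdcs = {
        "CLIENT.EXAMPLE": Kdc("CLIENT.EXAMPLE", {"krbtgt": os.urandom(16), "alice": b"alice-key"},
                              {"SVC.EXAMPLE": inter}),
        "SVC.EXAMPLE": Kdc("SVC.EXAMPLE", {"krbtgt": os.urandom(16), "HTTP/web01.svc.example": b"web01-key",
                                           "HTTP/web02.svc.example": b"web02-key"},
                           {"CLIENT.EXAMPLE": inter}, allowed if selective_trust else None),
    }
    service = Service(spn, kdcs["SVC.EXAMPLE"].keys[spn])
    try:
        return Client("alice", "CLIENT.EXAMPLE", b"alice-key", kdcs).authenticate_to(kdcs, service, spn, "SVC.EXAMPLE")
    except (PermissionError, LookupError) as err:
        return f"refused: {err}"
```

Running run_scenario(True, "HTTP/web02.svc.example") shows the selective authentication refusal: the trust is valid and the referral TGT validates, but alice has no Allowed to Authenticate entry for web02, so SVC.EXAMPLE's KDC never issues the service ticket. With selective_trust set to False the same request succeeds, which is the trust-wide default.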


Bibliography




This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.