Windows Authentication - Kerberos

Kerberos is an authentication protocol that uses cryptographic tickets to avoid transmitting plain text passwords. Clients obtain ticket-granting tickets from the Kerberos Key Distribution Center (KDC) and present those tickets as their network credentials to gain access to services.

In Host Access for the Cloud, Kerberos allows end users to access their host sessions on the session server without being prompted for credentials.

Note

Kerberos authentication to AS/400 hosts is also supported; however, that functionality is not yet integrated with Kerberos for authenticating end users accessing the session server.

You enable and configure Kerberos authentication in MSS then enable it on each session server in your deployment. Please review the Kerberos documentation in MSS to learn about requirements and for more information on configuring and using Kerberos.

Below are the high level steps involved in using Kerberos authentication in Host Access for the Cloud.

Steps to enable and configure Kerberos

  1. Enable and configure Kerberos in MSS
  2. Configure each HACloud session server for Kerberos
  3. Configure browser for Kerberos
  4. Launch sessions

Configure Kerberos on Session Server

To configure a session server to run Kerberos, edit service.yml and add the oauth profile:

  1. Open <install directory>/sessionserver/microservices/sessionserver/service.yml.

  2. Add oauth to the set of active profiles:

    - name: SPRING_PROFILES_ACTIVE
      value: tls, oauth
    
  3. Restart the session server.

Optionally, for a high availability deployment with load balancers, configure the oauth profile (previous step) and the following properties in service.yml on each session server.

  1. Configure the URL of the MSS load balancer. The session server will redirect users to this URL for authentication.

    - name: AUTHSVC_HOST
      value: {HTTPS url of MSS load balancer}
    
  2. Configure the domain name of the session server load balancer. MSS will redirect back to this server after a user is authenticated.

    - name: PROXY_DOMAIN
      value: {FQDN of the session server load balancer}
    
  3. Configure the port that is used when accessing the session server via the session server load balancer.

    - name: PROXY_PORT
      value: {Port number on the session server load balancer}
    
  4. Restart the session server.

Example

    - name: SPRING_PROFILES_ACTIVE
      value: tls, oauth
    # If using load balancers...
    - name: AUTHSVC_HOST
      value: https://mss-load-balancer.mydomain.com
    - name: PROXY_DOMAIN
      value: sessionserver-load-balancer.mydomain.com
    - name: PROXY_PORT
      value: 7443
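As an added sanity check (example code, not part of the product or this documentation), the following Python snippet parses the name/value entries in the form shown above and flags the inconsistencies the steps call out: a missing oauth profile, an AUTHSVC_HOST that is not an HTTPS URL, a PROXY_DOMAIN that is not a bare FQDN, an invalid PROXY_PORT, or a load-balancer configuration that sets only some of the three properties. The sample input is constructed; the layout of the rest of service.yml is assumed and not parsed.

```python
import re

# Constructed sample in the shape of the page's example: env entries as
# "- name:" / "value:" pairs. The rest of service.yml is assumed and ignored.
SAMPLE_SERVICE_YML = """\
    - name: SPRING_PROFILES_ACTIVE
      value: tls, oauth
    - name: AUTHSVC_HOST
      value: https://mss-load-balancer.mydomain.com
    - name: PROXY_DOMAIN
      value: sessionserver-load-balancer.mydomain.com
    - name: PROXY_PORT
      value: 7443
"""

# Matches one "- name: X" line followed by its "value: Y" line.
_ENTRY_RE = re.compile(r"-\s*name:\s*(\S+)\s+value:\s*(.*)")

def parse_env(text):
    """Collect the name/value pairs from the env list; values are stripped."""
    return {name: value.strip() for name, value in _ENTRY_RE.findall(text)}

def check_kerberos_env(text):
    """Return a list of problems; an empty list means the settings are consistent."""
    env = parse_env(text)
    problems = []
    profiles = [p.strip() for p in env.get("SPRING_PROFILES_ACTIVE", "").split(",")]
    if "oauth" not in profiles:
        problems.append("SPRING_PROFILES_ACTIVE must include the oauth profile")
    # The three load-balancer properties only make sense as a set.
    ha_keys = ("AUTHSVC_HOST", "PROXY_DOMAIN", "PROXY_PORT")
    missing = [k for k in ha_keys if k not in env]
    if missing and len(missing) < len(ha_keys):
        problems.append("load-balancer settings are incomplete: missing " + ", ".join(missing))
    host = env.get("AUTHSVC_HOST")
    if host is not None and not host.startswith("https://"):
        problems.append("AUTHSVC_HOST must be an HTTPS URL")
    domain = env.get("PROXY_DOMAIN")
    if domain is not None and any(ch in domain for ch in ":/"):
        problems.append("PROXY_DOMAIN must be a bare FQDN (no scheme, port or path)")
    port = env.get("PROXY_PORT")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append("PROXY_PORT must be a port number between 1 and 65535")
    return problems

if __name__ == "__main__":
    for problem in check_kerberos_env(SAMPLE_SERVICE_YML) or ["no problems found"]:
        print(problem)
```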

Configure your browser for Kerberos

In order to sign in using Kerberos, your browser must be configured correctly for Windows Authentication via Kerberos and your machine must be a member of the proper domain (Kerberos realm). Please consult the help for your specific browser for instructions on how to enable Kerberos.

Launch sessions

Note

Kerberos authentication is not currently supported by the Assigned Sessions List. It is only available when entering through the session server.

HACloud sessions need no additional configuration to launch and authenticate using Kerberos, as long as your browser has been configured correctly for Windows Authentication / Kerberos. Just navigate to https://session-server-lb.mydomain.com:7443 and you'll be automatically logged into the HACloud session server.