Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
72-34
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Why a Microsoft Kerberos Constrained Delegation Solution
Note After you import the plug-in, remote users can choose ica and enter
host/?DesiredColor=4&DesiredHRes=1024&DesiredVRes=768 into the Address field of the
portal page to access Citrix services. We recommend that you add a bookmark to make it easy
for users to connect. Adding a bookmark is required if you want to provide SSO support for
Citrix sessions.
Step 6 Establish an SSL VPN clientless session and click the bookmark or enter the URL for the Citrix server.
Use the Client for Java Administrator’s Guide as needed.
Why a Microsoft Kerberos Constrained Delegation Solution
Many organizations want to authenticate their Clientless VPN users and extend their authentication
credentials seamlessly to web-based resources using authentication methods beyond what the ASA SSO
feature can offer today. With the growing demand to authenticate remote access users with Smart Cards
and One-time Passwords (OTP), the SSO feature falls short in meeting that demand, because it only
forwards conventional user credentials, such as static username and password, to clientless web-based
resources when authentication is required.
For example, neither certificate- or OTP-based authentication methods encompass a conventional
username and password necessary for the ASA to seamlessly perform SSO access to web-based
resources. When authenticating with a certificate, a username and password is not required for the ASA
to extend to web-based resources, making it an unsupported authentication method for SSO. On the other
hand, OTP does include a static username; however, the password is dynamic and will subsequently
change throughout the VPN session. In general, Web-based resources are configured to accept static
usernames and passwords, thus also making OTP an unsupported authentication method for SSO.
Microsoft's Kerberos Constrained Delegation (KCD), a new feature introduced in software release 8.4
of the ASA, provides access to Kerberos-protected Web applications in the private network. With this
benefit, you can seamlessly extend certificate- and OTP-based authentication methods to web
applications. Thus, with SSO and KCD working together although independently, many organizations
can now authenticate their clientless VPN users and extend their authentication credentials seamlessly
to web applications using all authentication methods supported by the ASA.
Requirements
In order for the kcd-server command to function, the ASA must establish a trust relationship between
the source domain (the domain where the ASA resides) and the target or resource domain (the domain
where the web services reside). The ASA, using its unique format, crosses the certification path from the
source to the destination domain and acquires the necessary tickets on behalf of the remote access user
to access the services.
This crossing of the certificate path is called cross-realm authentication. During each phase of
cross-realm authentication, the ASA relies on the credentials at a particular domain and the trust
relationship with the subsequent domain.