72-35
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Understanding How KCD Works
Understanding How KCD Works
Kerberos relies on a trusted third party to validate the digital identity of entities in a network. These
entities (such as users, host machines, and services running on hosts) are called principals and must be
present in the same domain. Instead of secret keys, Kerberos uses tickets to authenticate a client to a
server. The ticket is derived from the secret key and consists of the client’s identity, an encrypted session
key, and flags. Each ticket is issued by the key distribution center and has a set lifetime.
The Kerberos security system is a network authentication protocol used to authenticate entities (users,
computers, or applications) and protect network transmissions by scrambling the data so that only the
device that the information was intended for can decrypt it. You can configure KCD to provide Clientless
SSL VPN (also known as WebVPN) users with SSO access to any web services protected by Kerberos.
Examples of such web services or applications include Outlook Web Access (OWA), Sharepoint, and
Internet Information Server (IIS).
Two extensions to the Kerberos protocol were implemented: protocol transition and constrained
delegation. These extensions allow the Clientless or WebVPN remote access users to access Kerberos
authenticated applications in the private network.
The protocol transition provides you with increased flexibility and security by supporting different
authentication mechanisms at the user authentication level and by switching to the Kerberos protocol for
security features (such as mutual authentication and constrained delegation) in subsequent application
layers. Constrained delegation provides a way for domain administrators to specify and enforce
application trust boundaries by limiting where application services can act on a user’s behalf. This
flexibility improves application security designs by reducing the chance of compromise by an untrusted
service.
For more information on constrained delegation, see RFC 1510 via the IETF website
(http://www.ietf.org).
Authentication Flow with KCD
Figure 72-7 depicts the packet and process flow a user will experience directly and indirectly when
accessing resources trusted for delegation via the clientless portal. This process assumes that the
following tasks have been completed:
• Configured KCD on ASA
• Joined the Windows Active Directory and ensured services are trusted for delegation
• Delegated ASA as a member of the Windows Active Directory domain