72-37
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Understanding How KCD Works
Note Steps 1 to 3 comprise protocol transition. After these steps, any user who authenticates to
ASA using a non-Kerberos authentication protocol is transparently authenticated to the key
distribution center using Kerberos.
4. ASA requests a service ticket from the key distribution center for the specific service that the user
wants to access.
5. The key distribution center returns a service ticket for the specific service to the ASA.
6. ASA uses the service ticket to request access to the web service.
7. The Web server authenticates the Kerberos service ticket and grants access to the service. The
appropriate error message is displayed and requires acknowledgement if there is an authentication
failure. If the Kerberos authentication fails, the expected behavior is to fall back to basic
authentication.
Adding Windows Service Account in Active Directory
The KCD implementation on the ASA requires a service account, or in other words, an Active Directory
user account with privileges necessary to add computers, such as adding the ASA to the domain. For our
example, the Active Directory username JohnDoe depicts a service account with the required privileges.
For more information on how to implement user privileges in Active Directory, contact Microsoft
Support or visit http://microsoft.com.
Configuring DNS for KCD
This section outlines configuration procedures necessary to configure DNS on the ASA. When using
KCD as the authentication delegation method on the ASA, DNS is required to enable hostname
resolution and communication between the ASA, Domain Controller (DC), and services trusted for
delegation.
Step 1 From ASDM, navigate to Configuration > Remote Access VPN > DNS and configure the DNS setup
as shown in Figure 72-8:
• DNS Server Group—Enter the DNS server IP address(es), such as 192.168.0.3.
• Domain Name—Enter the domain name in which the DC is a member, such as exampledc.com.
Step 2 Enable DNS Lookup on the appropriate interface. Clientless VPN deployments require DNS Lookups
via the internal corporate network, typically the inside interface.