74-42
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter74 Configuring Clientless SSL VPN
Understanding How KCD Works
and One-time Passwords (OTP), the SSO feature falls short in meeting that demand, because it only
forwards conventional user credentials, such as static username and password, to clientless web-based
resources when authentication is required.
For example, neither certificate- or OTP-based authentication methods encompass a conventional
username and password necessary for the ASA to seamlessly perform SSO access to web-based
resources. When authenticating with a certificate, a username and password is not required for the ASA
to extend to web-based resources, making it an unsupported authentication method for SSO. On the other
hand, OTP does include a static username; however, the password is dynamic and will subsequently
change throughout the VPN session. In general, Web-based resources are configured to accept static
usernames and passwords, thus also making OTP an unsupported authentication method for SSO.
Microsoft's Kerberos Constrained Delegation (KCD), a new feature introduced in software release 8.4
of the ASA, provides access to Kerberos-protected Web applications in the private network. With this
benefit, you can seamlessly extend certificate- and OTP-based authentication methods to web
applications. Thus, with SSO and KCD working together although independently, many organizations
can now authenticate their clientless VPN users and extend their authentication credentials seamlessly
to web applications using all authentication methods supported by the ASA.
Requirements
In order for the kcd-server command to function, the ASA must establish a trust relationship between
the source domain (the domain where the ASA resides) and the target or resource domain (the domain
where the web services reside). The ASA, using its unique format, crosses the certification path from the
source to the destination domain and acquires the necessary tickets on behalf of the remote access user
to access the services.
This crossing of the certificate path is called cross-realm authentication. During each phase of
cross-realm authentication, the ASA relies on the credentials at a particular domain and the trust
relationship with the subsequent domain.
Understanding How KCD Works
Kerberos relies on a trusted third party to validate the digital identity of entities in a network. These
entities (such as users, host machines, and services running on hosts) are called principals and must be
present in the same domain. Instead of secret keys, Kerberos uses tickets to authenticate a client to a
server. The ticket is derived from the secret key and consists of the client’s identity, an encrypted session
key, and flags. Each ticket is issued by the key distribution center and has a set lifetime.
The Kerberos security system is a network authentication protocol used to authenticate entities (users,
computers, or applications) and protect network transmissions by scrambling the data so that only the
device that the information was intended for can decrypt it. You can configure KCD to provide Clientless
SSL VPN (also known as WebVPN) users with SSO access to any web services protected by Kerberos.
Examples of such web services or applications include Outlook Web Access (OWA), Sharepoint, and
Internet Information Server (IIS).
Two extensions to the Kerberos protocol were implemented: protocol transition and constrained
delegation. These extensions allow the Clientless or WebVPN remote access users to access Kerberos
authenticated applications in the private network.
The protocol transition provides you with increased flexibility and security by supporting different
authentication mechanisms at the user authentication level and by switching to the Kerberos protocol for
security features (such as mutual authentication and constrained delegation) in subsequent application
layers. Constrained delegation provides a way for domain administrators to specify and enforce