Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 74 Configuring Clientless SSL VPN
Understanding How KCD Works
Note KCD for Clientless SSL VPN is supported for all authentication methods (RADIUS, RSA/SDI, LDAP, digital certificates, and so on). Refer to the AAA Support table at http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1069492.
2. Based on the HTTP headers in the challenge, the ASA determines whether the server requires Kerberos authentication. (This is part of the SPNEGO mechanism.) If connecting to the backend server requires Kerberos authentication, the ASA requests a service ticket for itself, on behalf of the user, from the key distribution center.
3. The key distribution center returns the requested tickets to the ASA. Even though these tickets are passed to the ASA, they contain the user's authorization data.
Note Steps 1 to 3 comprise protocol transition. After these steps, any user who authenticates to the ASA using a non-Kerberos authentication protocol is transparently authenticated to the key distribution center using Kerberos.
4. The ASA requests a service ticket from the key distribution center for the specific service that the user wants to access.
5. The key distribution center returns a service ticket for the specific service to the ASA.
6. The ASA uses the service ticket to request access to the web service.
7. The web server authenticates the Kerberos service ticket and grants access to the service. If there is an authentication failure, the appropriate error message is displayed and requires acknowledgement. If the Kerberos authentication fails, the expected behavior is to fall back to basic authentication.
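The following is an added illustration of the seven-step flow above, not Cisco code or ASA behaviour: a toy KDC with no real cryptography that shows what protocol transition (steps 1 to 3) and constrained delegation (steps 4 and 5) permit, and that the ASA can only obtain tickets for backend SPNs on its delegation allow list. The service-account name, SPNs, the allow-list structure and the "fall back to basic" handling of a KDC refusal are assumptions made for the example.

```python
# Toy model of KCD protocol transition and constrained delegation (added example).
# No real Kerberos crypto; the point is which requests the KDC grants or refuses.
from dataclasses import dataclass, field
import secrets

@dataclass
class Ticket:
    client: str        # user whose authorization data the ticket carries
    service: str       # SPN the ticket was issued for
    forwardable: bool  # an S4U2Self ticket must be forwardable to be reused in S4U2Proxy
    nonce: str = field(default_factory=lambda: secrets.token_hex(4))

class ToyKdc:
    """Constructed KDC: maps each service account to the SPNs it may delegate to."""
    def __init__(self, allowed_to_delegate_to):
        self.allowed = allowed_to_delegate_to  # {service_account: {target SPN, ...}} (assumed shape)

    def s4u2self(self, service_account, user):
        # Steps 1-3 (protocol transition): the ASA has verified the user by a
        # non-Kerberos method and asks for a ticket to itself on the user's behalf.
        if service_account not in self.allowed:
            raise PermissionError("account is not trusted for delegation")
        return Ticket(client=user, service=service_account, forwardable=True)

    def s4u2proxy(self, service_account, evidence, target_spn):
        # Steps 4-5: ticket for the backend service, only if the evidence ticket is
        # usable and the target SPN is on this account's allow list.
        if not evidence.forwardable or evidence.service != service_account:
            raise PermissionError("evidence ticket is not usable for S4U2Proxy")
        if target_spn not in self.allowed[service_account]:
            raise PermissionError(f"{service_account} may not delegate to {target_spn}")
        return Ticket(client=evidence.client, service=target_spn, forwardable=False)

def requires_kerberos(www_authenticate):
    # Step 2: SPNEGO is signalled by a 'Negotiate' scheme in the WWW-Authenticate challenge.
    return any(c.strip().lower() == "negotiate" for c in www_authenticate.split(","))

def asa_access(kdc, asa_account, user, challenge_header, target_spn):
    """Steps 2-7 from the ASA's side: ('kerberos', ticket) or ('basic', reason)."""
    if not requires_kerberos(challenge_header):
        return ("basic", "server did not offer Negotiate")
    try:
        evidence = kdc.s4u2self(asa_account, user)
        ticket = kdc.s4u2proxy(asa_account, evidence, target_spn)
    except PermissionError as err:
        return ("basic", str(err))  # step 7: Kerberos failed, fall back to basic (assumed here)
    return ("kerberos", ticket)
```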
Before Configuring KCD
To configure the ASA for cross-realm authentication, you must use the following commands: