Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Why a Microsoft Kerberos Constrained Delegation Solution

72-34

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter72 Configuring Clientless SSL VPN

Why a Microsoft Kerberos Constrained Delegation Solution

Note After you import the plug-in, remote users can choose ica and enter

host/?DesiredColor=4&DesiredHRes=1024&DesiredVRes=768 into the Address field of the

portal page to access Citrix services. We recommend that you add a bookmark to make it easy

for users to connect. Adding a bookmark is required if you want to provide SSO support for

Citrix sessions.

Step6 Establish an SSL VPN clientless session and click the bookmark or enter the URL for the Citrix server.

Use the Client for Java Administrator’s Guide as needed.

Why a Microsoft Kerberos Constrained Delegation Solution

Many organizations want to authenticate their Clientless VPN users and extend their authentication

credentials seamlessly to web-based resources using authentication methods beyond what the ASA SSO

feature can offer today. With the growing demand to authenticate remote access users with Smart Cards

and One-time Passwords (OTP), the SSO feature falls short in meeting that demand, because it only

forwards conventional user credentials, such as static username and password, to clientless web-based

resources when authentication is required.

For example, neither certificate- or OTP-based authentication methods encompass a conventional

username and password necessary for the ASA to seamlessly perform SSO access to web-based

resources. When authenticating with a certificate, a username and password is not required for the ASA

to extend to web-based resources, making it an unsupported authentication method for SSO. On the other

hand, OTP does include a static username; however, the password is dynamic and will subsequently

change throughout the VPN session. In general, Web-based resources are configured to accept static

usernames and passwords, thus also making OTP an unsupported authentication method for SSO.

Microsoft's Kerberos Constrained Delegation (KCD), a new feature introduced in software release 8.4

of the ASA, provides access to Kerberos-protected Web applications in the private network. With this

benefit, you can seamlessly extend certificate- and OTP-based authentication methods to web

applications. Thus, with SSO and KCD working together although independently, many organizations

can now authenticate their clientless VPN users and extend their authentication credentials seamlessly

to web applications using all authentication methods supported by the ASA.

In order for the kcd-server command to function, the ASA must establish a trust relationship between

the source domain (the domain where the ASA resides) and the target or resource domain (the domain

where the web services reside). The ASA, using its unique format, crosses the certification path from the

source to the destination domain and acquires the necessary tickets on behalf of the remote access user

to access the services.

This crossing of the certificate path is called cross-realm authentication. During each phase of

cross-realm authentication, the ASA relies on the credentials at a particular domain and the trust

relationship with the subsequent domain.

Cisco Systems Why a Microsoft Kerberos Constrained Delegation Solution