30-56
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
Understanding Kerberos Constrained Delegation (KCD) for SSL VPN (ASA)
There are many ways to protect network resources through authentication. Many organizations want to use Kerberos to protect certain web applications while using other authentication techniques, such as username and password, digital certificates, RSA SecurID, or smart cards, to control access to an SSL VPN. However, the Kerberos protocol does not allow Kerberos authentication when the user has already authenticated to the VPN by another technique.
Microsoft overcomes this limitation in Kerberos starting with Windows Server 2003. Using protocol transition and constrained delegation, the ASA can authenticate to the Kerberos Key Distribution Center (KDC) on the Windows domain controller and obtain impersonate tickets for users who have authenticated to the ASA using non-Kerberos protocols. The ASA can then use the impersonate ticket to obtain other Kerberos service tickets on behalf of remote users.
To configure the domain controller so that Kerberos constrained delegation works, you must do the following:

• Each instance of a service that uses Kerberos authentication must have a service principal name (SPN) defined so that clients can identify it on the network. Register the SPN in the Active Directory Service-Principal-Name attribute of the Windows account under which the instance of the service is running. When a service needs to authenticate to another service running on a specific computer, it uses that service's SPN to differentiate it from other services running on that computer.

  The SPN syntax is service_class/host_name:port, where:

  – service_class identifies the service. It can be a built-in service, such as http, or a user-defined service.

  – host_name identifies the fully qualified domain name or NetBIOS name of the server that hosts the service. It cannot be an IP address.

  – port identifies the port on which the service runs. You can omit the port if the service uses its default port.

• Create a service account username and password that the ASA can use. Configure the account to allow Kerberos constrained delegation to any authentication protocol. In addition, the user account must not be marked as a sensitive account that cannot be delegated.
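The following script is an added example, not part of the Cisco Security Manager guide, that performs the domain-controller side of the two steps above with the Windows ActiveDirectory PowerShell module and setspn.exe, then audits the resulting account state before the ASA is pointed at it. It also checks a candidate SPN against the service_class/host_name:port syntax given above, rejecting an IP address as host_name. The account names (svc-intranet-web, svc-asa-kcd), the host intranet.example.com, and the function names are placeholders chosen for the example.

```powershell
# Added example (not from the Cisco guide). Assumes the ActiveDirectory module,
# domain-admin rights on the DC, and the placeholder names below.
Import-Module ActiveDirectory

$WebServiceAccount = 'svc-intranet-web'          # placeholder: account under which the Kerberos-protected web app runs
$AsaAccount        = 'svc-asa-kcd'               # placeholder: account the ASA uses for protocol transition
$WebAppSpn         = 'http/intranet.example.com' # service_class/host_name; default port, so :port is omitted

# Check an SPN against the syntax in the guide: service_class/host_name[:port],
# where host_name is an FQDN or NetBIOS name and must not be an IP address.
function Test-SpnSyntax {
    param([Parameter(Mandatory)][string]$Spn)
    if ($Spn -notmatch '^(?<class>[^/:\s]+)/(?<hostname>[^/:\s]+)(?::(?<port>\d{1,5}))?$') {
        return $false
    }
    $parsed = $null
    if ([System.Net.IPAddress]::TryParse($Matches['hostname'], [ref]$parsed)) {
        return $false   # host_name is an IP address, which a Kerberos SPN does not accept
    }
    if ($Matches['port'] -and [int]$Matches['port'] -gt 65535) { return $false }
    return $true
}

if (-not (Test-SpnSyntax $WebAppSpn)) { throw "Invalid SPN syntax: $WebAppSpn" }

# 1. Register the SPN on the account that runs the service. setspn -S refuses to
#    add a duplicate SPN, which would otherwise break Kerberos for both services.
setspn -S $WebAppSpn $WebServiceAccount

# 2. On the ASA service account: constrained delegation to this SPN only, "use any
#    authentication protocol" (protocol transition), and clear the "account is
#    sensitive and cannot be delegated" flag.
Set-ADUser -Identity $AsaAccount -Add @{ 'msDS-AllowedToDelegateTo' = $WebAppSpn }
Set-ADAccountControl -Identity $AsaAccount -TrustedToAuthForDelegation $true -AccountNotDelegated $false

# 3. Audit the account. Unconstrained delegation (TrustedForDelegation) should
#    stay off: the ASA only needs the SPNs listed in msDS-AllowedToDelegateTo.
function Get-KcdAccountProblems {
    param([Parameter(Mandatory)][string]$Identity, [string[]]$RequiredSpn)
    $acct = Get-ADUser -Identity $Identity -Properties 'msDS-AllowedToDelegateTo',
        TrustedToAuthForDelegation, TrustedForDelegation, AccountNotDelegated
    $problems = @()
    if (-not $acct.TrustedToAuthForDelegation) { $problems += 'protocol transition (use any authentication protocol) is not enabled' }
    if ($acct.TrustedForDelegation)            { $problems += 'unconstrained delegation is enabled; limit delegation to specific SPNs' }
    if ($acct.AccountNotDelegated)             { $problems += 'account is marked sensitive and cannot be delegated' }
    foreach ($spn in $RequiredSpn) {
        if ($acct.'msDS-AllowedToDelegateTo' -notcontains $spn) { $problems += "delegation target $spn is missing" }
    }
    return $problems
}

$issues = Get-KcdAccountProblems -Identity $AsaAccount -RequiredSpn $WebAppSpn
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "KCD account $AsaAccount is correctly configured for $WebAppSpn"
}
```

Run the script from an elevated PowerShell session on a domain-joined administration host. The audit function is written to be reusable on its own: running it periodically against the ASA service account catches drift such as someone enabling unconstrained delegation or adding delegation targets beyond the web applications the VPN is meant to reach.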
Table 30-20 Add or Edit AnyConnect Client Image Dialog Box (Continued)

Element             Description

Image Order         The order in which the security appliance downloads the client images to the remote workstation. It downloads the images in priority order. Therefore, you should enter a lower value for the image used by the most commonly encountered operating system.

Regular Expression  A regular expression to match the user agent. Enter the name of an existing regular expression policy object or click Select to select or create a new one.

                    If you are adding an AnyConnect package for Windows Mobile, specify the regular expression Windows CE to match the user agent on Windows Mobile devices. This decreases the connection time of the mobile device. When the browser on the mobile device connects to the adaptive security appliance, it includes the User-Agent string in the HTTP header. The adaptive security appliance, receiving the string, immediately downloads AnyConnect for Windows Mobile without ascertaining whether the other AnyConnect images are appropriate.