Forward Kerberos ticket-granting ticket to application

Before you begin

Add an Active Directory (AD) to EAA and assign that directory to an EAA connector that can reach the AD. See Add or edit a directory.

When you use Kerberos single sign-on (SSO) as the application-facing authentication mechanism in EAA, the client can store a user’s login session key in its ticket cache along with its full ticket-granting ticket (TGT). When you configure TGT forwarding, you create an application policy for the kerberized application. Also assign the AD as the authentication directory and remove all other directories assigned to the application.

How to

  1. Log in to the Enterprise Application Access (EAA) Management Portal.
  2. From the top menu bar, click Applications.
  3. Locate the card of the application whose advanced settings you want to configure.
  4. Click Settings > Advanced Settings.
  5. In the Application-facing Authentication Mechanism field, select Kerberos.
  6. Select Forward Kerberos Ticket-Granting Ticket to App.
  7. In the Application authentication domain field, type the Kerberos realm of the application. If it is the same as the AD domain, specify the AD domain here.
  8. In the Service Principal Name (SPN) field, verify that the auto-generated configuration is correct. If it is not, correct it as needed.
  9. Click Save.
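A forwarded TGT lets the application request service tickets as the user, so the values in steps 7 and 8 are worth checking before you save. The following is an added example, not part of the EAA documentation or product: a small Python check of an SPN against the application authentication domain. It assumes the common `service/host[:port][@REALM]` SPN shape (the page does not show the exact form EAA generates), and the function name `check_spn` and all sample values are constructed for illustration.

```python
import re

# SPN shape assumed here: service/host[:port][@REALM]. The page does not show
# the exact form EAA auto-generates, so treat this as a generic Kerberos check.
SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)/"
    r"(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?:@(?P<realm>[A-Za-z0-9.-]+))?$"
)

def check_spn(spn, app_realm):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if spn != spn.strip() or app_realm != app_realm.strip():
        findings.append("leading or trailing whitespace")
        spn, app_realm = spn.strip(), app_realm.strip()
    m = SPN_RE.match(spn)
    if not m:
        return findings + ["SPN is not of the form service/host[:port][@REALM]"]
    if m["port"] and not 0 < int(m["port"]) < 65536:
        findings.append("port out of range")
    if "." not in m["host"]:
        findings.append("host is a short name, not an FQDN")
    if app_realm != app_realm.upper():
        findings.append("realm is not upper case (AD realms are by convention)")
    # Kerberos realm names are case-sensitive, so compare exactly.
    if m["realm"] and m["realm"] != app_realm:
        findings.append("realm in SPN differs from application authentication domain")
    # Advisory only: host DNS suffix and realm may legitimately differ.
    if "." in m["host"] and not m["host"].lower().endswith("." + app_realm.lower()):
        findings.append("host is outside the realm's DNS domain (verify intended)")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    samples = [
        ("HTTP/intranet.corp.example.com@CORP.EXAMPLE.COM", "CORP.EXAMPLE.COM"),
        ("HTTP/intranet@corp.example.com", "CORP.EXAMPLE.COM"),
        ("HTTP intranet.corp.example.com", "CORP.EXAMPLE.COM"),
    ]
    for spn, realm in samples:
        print(spn, "->", check_spn(spn, realm) or "ok")
```

An empty result means only that the strings are consistent with each other; whether the SPN is actually registered to the application's service account still has to be confirmed in the AD.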

Next steps

Deploy the application for the changes to go into effect.