30-58
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
3. The KDC returns the requested tickets to the ASA. Even though these tickets are passed to the ASA, they contain the user's authorization data.
Note These first steps comprise protocol transition; after these steps, a user who authenticated to the ASA using a non-Kerberos authentication protocol is transparently authenticated to the KDC using Kerberos.
4. The ASA now requests a service ticket from the KDC for the specific service that the user wants to access. The service ticket request contains the SPN (the unique identifier) of the service.
5. The KDC returns a service ticket for the specific service to the ASA.
6. The ASA uses the service ticket to request access to the web service; in the above scenario this is sent to the web server in an HTTP GET request.
7. The web server authenticates the Kerberos service ticket and grants access to the service. If authentication fails, an appropriate error message is displayed; after the user acknowledges it, the portal is displayed.
Configuring Kerberos Constrained Delegation (KCD) for SSL VPN (ASA)
Use the Microsoft KCD Server tab of the SSL VPN Other Settings page to configure Kerberos
Constrained Delegation (KCD) for clientless SSL VPNs hosted on an ASA.
KCD addresses a limitation of Kerberos. If a user authenticates to the SSL VPN using a method other than Kerberos, the user cannot access Kerberos-protected resources. This prevents a remote access device, such as an ASA, from authenticating users with non-Kerberos methods while still providing single sign-on access to Kerberos-authenticated web applications in the enterprise.
If this limitation applies to your network, you can configure KCD to get around it. KCD offloads the Kerberos authentication to the ASA. Users log in to the corporate network using the SSL VPN portal, and from then on they access Kerberos-protected services transparently.
Tips
• KCD requires ASA release 8.4+. If you configure KCD for other releases, the configuration is ignored.
• The feature is used with clientless SSL VPN access only.
• Microsoft Windows Server (2003 or 2008), configured as a domain controller, is required for KCD.
• If you use SSL VPN Bookmark policy objects to define bookmarks to include on the SSL VPN portal page, you might need to add explicit service principal name (SPN) parameters to bookmarks if a service uses a non-default port. For services that use Kerberos authentication, an SPN must be defined in the Service-Principal-Name attribute of the account under which the service runs. Bookmarks need to reflect this configuration. The SPN is a parameter on the URL: http://<url>?SPN=<spn>. For example, http://owa.example.com?SPN=http/owa:444. For more details about the SPN syntax, see Understanding Kerberos Constrained Delegation (KCD) for SSL VPN (ASA), page 30-56.
• To configure this feature, you must also configure the Hostname, DNS, and NTP policies. Configure both hostname and domain name in the Hostname policy.
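A consistency check for the bookmark rule above, added here as an example and not part of the Cisco guide: it compares the SPN parameter carried by each bookmark URL against an inventory of the SPNs registered on the service accounts, and flags bookmarks to services on a non-default port that carry no SPN at all. The inventory, the parse_spn and check_bookmark helpers, and the sample URLs are all constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed inventory of the SPNs registered on the service accounts, keyed by
# the host used in the bookmark. The owa entry mirrors the page's example
# (HTTP service on port 444); the intranet entry is made up for contrast.
REGISTERED_SPNS = {
    "owa.example.com": "http/owa:444",
    "intranet.example.com": "http/intranet",
}

def parse_spn(spn):
    """Split 'class/host[:port]' into (class, host, port); port is None if absent."""
    svc, _, rest = spn.partition("/")
    host, _, port = rest.partition(":")
    if not svc or not host or (port and not port.isdigit()):
        raise ValueError("malformed SPN: %r" % spn)
    return svc.lower(), host.lower(), int(port) if port else None

def check_bookmark(url, registry=REGISTERED_SPNS):
    """Return a list of findings; an empty list means the bookmark is consistent."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in registry:
        return ["no registered SPN known for host %r" % host]
    registered = registry[host]
    reg_svc, reg_host, reg_port = parse_spn(registered)
    default_port = DEFAULT_PORTS.get(parts.scheme.lower())
    spns = parse_qs(parts.query).get("SPN", [])
    if not spns:
        # The guide's rule: a service on a non-default port needs an explicit SPN.
        if reg_port is not None and reg_port != default_port:
            return ["service on non-default port %d but bookmark has no SPN parameter" % reg_port]
        return []
    findings = []
    if len(spns) > 1:
        findings.append("bookmark carries %d SPN parameters, expected one" % len(spns))
    try:
        bm = parse_spn(spns[0])
    except ValueError as exc:
        return findings + [str(exc)]
    if bm != (reg_svc, reg_host, reg_port):
        findings.append("bookmark SPN %r does not match registered SPN %r" % (spns[0], registered))
    return findings

if __name__ == "__main__":
    for bookmark in ("http://owa.example.com?SPN=http/owa:444", "http://owa.example.com"):
        print(bookmark, "->", check_bookmark(bookmark) or "OK")
```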