Once you have setup and verified the AppTunnel works via Username/Password authentication for Acronis Access, you can modify the configurations created to allow Kerberos Constrained Delegation authentication to the Acronis Access Gateway. When this is properly configured the end user will not have to supply a username or password to enroll with management or to browse data sources.
This document will set up the basic configuration and delegate to one Acronis Acess Gateway server running on the same server as the management server to allow enrollment to that local management server and browsing of datasources configured on that gateway. Additional delegation will be required for additional Gateways, Sharepoint servers, and reshares.
If you are going to use the same iOS device to test the Kerberos Constained Delegation it is recommended you uninstall the Acronis Access Mobile client at this time.
From the Windows Start menu, select All Programs, select Administrative Tools > Active Directory Users and Computers.
In the newly opened console, expand the domain (Kerberos refers to a domain as a realm).
Right-click Users and select New > User.
Enter a Name and a User Logon Name for the Kerberos service account. The name must start with HTTP/. Use standard alphanumeric characters with no whitespace for the User Logon Name, as it is entered in a command prompt later in the guide. If HTTP/ automatically appears next to the User logon name (pre-Windows 2000) field, delete it from that field.
Ensure that the correct domain name is selected in the field next to the User Logon Name field. If the correct domain is not selected, choose the correct domain name from the drop-down list next to the User Logon Name field.
Click Next.
Password: Enter a password.
Password never expires: Ensure that User must change password at next logon is not selected. Typically, in the enterprise, the User cannot change password and Password Never Expires fields should be selected.
Click Next.
Click Finish.
Create a keytab for the Kerberos Service Account
When you create a keytab, the Sentry service account is concurrently mapped to the servicePrincipalName.
On the KDC server, open a command prompt window
At the prompt, type the following command: ktpass /out nameofsentry.keytab /mapuser nameofuser@domain /princ HTTP/nameofuser /pass password
E.g. ktpass /out timsentry.keytab /mapuser timsentry@glilabs2008.com /princ HTTP/timsentry@glilabs2008.com /pass 123456
This warning can be ignored.
Delegate HTTP service to the Acronis Access server
From the Windows Start menu, select All Programs and open Administrative Tools > Active Directory Users and Computers.
In the newly opened console, expand the realm (domain).
Click on Users.
Find and select the Kerberos user account that you created in "Create a Kerberos Service Account".
Right-click on the account and select Properties.
Click on the Delegation tab.
Select Trust This User For Delegation To Specified Services Only.
Select Use Any Authentication Protocol.
Press Add….
Press Users or Computers….
Enter the computer name of the Acronis Access Gateway Server.
Click on Check Names.
The correct computer name should appear in the object name box.
Click OK.
Find and select the "http" service in the Add Services window.
Click OK.
Note: For a large deployment with multiple Gateway Servers you should repeat steps 6 through 10 for each Gateway Server. However, for the initial setup, it's best to begin with a single Gateway Server hosting some local test folders. Once you have confirmed access to those, then you can expand to additional Gateway Servers and non-local folders.
Additional SCEP configuration
Open the MobileIron VSP Admin Portal.
Select Policies &Configs and open Configurations.
Find the SCEP created in "Create a new SCEP".
Click on its name and click Edit in the panel on the right.
Enter two Subject Alternative Name Types
NT Principal Name: $USER_UPN$
Distinguished Name: $USER_DN$
Note: These entries require user accounts on the VSP to come from the active directory and these variables to be supplied by it. This configuration is beyond the scope of this document.
Click Save.
Since you have modified the SCEP, you will have to re-provision the device in Mobile@Work before testing the iOS client.
Additional Sentry configuration
Still in the MobileIron VSP Admin Portal, select Settings and open Sentry.
Find the Sentry created in "Add and Configure the Sentry".
Click on the Edit icon.
In the Device Authentication Configuration select the following for the Certificate Field Mapping:
Subject Alternative Name Type: NT Principal Name
Value: User UPN
In the App Tunneling Configuration change the Server Authentication to Kerberos.
In the Kerberos Authenication Configuration section.
Check Use Keytab File.
Click Upload File.
Upload the keytab file created in "Create a keytab for the Kerberos Service Account".
Put the domain controller in the Key distribution center.
Click Save.
Verify sentry/KCD communication
Using either the Sentry EXEC or the Sentry logs in the System Manager verify the Sentry is able to reach and receive a Kerberos ticket from the KDC.
Find the line "Informational only: Successfully Received Sentry Service Ticket from KDC". This verifies the Sentry is able to reach and communicate with the KDC.
Testing the iOS client
The changes we made to the SCEP must be pushed down to the iOS device. The changes we made to the Sentry can take several minutes to be pushed down to it.
On the device, open the AppConnect app -> Settings -> Check for updates and tap on "Re-Enroll Device" and follow the prompts.
You can verify the SCEP is properly updated using the iOS Settings app. Under Settings -> General -> Profiles -> The SCEP name you created -> More Details -> Certificate -> The portion after CN= you enter in the subject name of the SCEP, you should see entries for "Subject Alternative Name" and "Directory Name". If this is properly pulled from Active Directory it should match the user that you used to activate Mobile@Work.
If that is correct reinstall the Acronis Access Mobile Client. Repeat the enrollment steps from before but leave the username and password fields blank. If all is successful you should be enrolled using the account that matched the NT Principal Name in the profile you just examined.
