Using AppConnect with Kerberos Constrained Delegation
This article explains how to configure the system components required to connect the Files Advanced iOS mobile app to the Files Advanced server through a MobileIron AppTunnel, with authentication handled by Kerberos Constrained Delegation.
The Android and Windows mobile apps do not support this configuration.
Note: The documentation on how to configure MobileIron for Kerberos Constrained Delegation is provided as a courtesy to help get the configuration set up. However, all of the steps up to the point where you verify that the Sentry is receiving a Kerberos ticket from the KDC involve MobileIron software exclusively. If you have difficulty getting through these steps and successfully receiving a Kerberos ticket, contact MobileIron support.
Because this is a complex setup, it is split into two phases to reduce errors and simplify troubleshooting. The first phase establishes an AppTunnel that authenticates to the Acronis Files Advanced server with a username and password. The second phase builds on that infrastructure to add Kerberos Constrained Delegation. Confirm that the tunnel works with username/password authentication before moving on to Kerberos; a working tunnel rules out the transport when you later troubleshoot the Kerberos exchange.
Before you begin
Kerberos Constrained Delegation, abbreviated KCD, allows users to authenticate to network resources with Kerberos after their identity has been established using a non-Kerberos authentication method; the delegating server (here, the Sentry) then requests Kerberos service tickets on the user's behalf, and only for the specific services it has been allowed to delegate to. In the case of Files Advanced, this allows users to authenticate using iOS device-level identity certificates distributed by MobileIron. Without KCD, the Files Advanced app would only be able to use a certificate installed directly into the app.
Note: All of the configuration related to KCD is done through MobileIron and Windows. There are no special changes to make in Files Advanced itself.
Key Distribution Center, abbreviated KDC, is the network service that issues session tickets and temporary session keys to users and computers within an Active Directory domain. In an Active Directory domain, the domain controllers act as the KDC.
Only the Gateway Server accepts Kerberos authentication. The Files Advanced server does not.
The Files Advanced mobile app must be enrolled in client management with a Gateway Server. If the client is enrolled with the Files Advanced server instead, the login will fail.
Mobile clients using Kerberos authentication will be able to authenticate to network shares, Sync&Share folders and SharePoint sites.
Prerequisites
The following software should already be installed and configured:
MobileIron VSP (5.9 used in this document)
For Kerberos to work properly, the user accounts on the VSP must come from the Active Directory domain that will be configured to support Kerberos
MobileIron Sentry (4.8 used in this document)
Files Advanced server installed (6.0.2 used in this document)
Server interoperability
The time on the VSP, Sentry, Domain Controller, and Files Advanced servers must all be synchronized (NTP recommended)
Domain name resolution (DNS). The Sentry will ask for a ticket from the KDC using the DNS name it has been configured to contact. This name must match the computer name set up for Kerberos delegation or the KDC will refuse to grant a ticket.
The VSP must be able to reach the Sentry (ports 9090 and 443 by default; other ports depending on your configuration).
The Sentry must be able to reach Active Directory (ports 88 and 389, or 636 for SSL-enabled LDAP) and the Files Advanced server.
Ports 88 (UDP and TCP) and 389 (TCP) between Active Directory and Sentry (or port 636 (TCP) if you are using SSL-enabled Active Directory) need to be opened to allow communication. Port 88 is used for Kerberos protocol communication. Port 389 (or 636) is used for the LDAP ping between Sentry and the KDC to verify that the KDC IP is the same as the Active Directory IP.
If Windows Server 2003 is being used, the KDC may listen for requests on port 88 over UDP instead of TCP. You can force Kerberos to use TCP instead of UDP by setting the MaxPacketSize registry value to 1. For information about how to do this, refer to the following Microsoft KB article: http://support.microsoft.com/kb/244474.
The iOS device must be able to reach the VSP and the Sentry.
iOS device registered on the VSP.
Mobile@Work installed on the device and registered with the VSP, with the MDM profiles properly installed during registration.
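The server-side prerequisites above (clock synchronization, name resolution, KDC ports) and the delegation settings described under "Before you begin" are the usual causes of a KDC refusing to issue a ticket to the Sentry. The following script checks them from a domain-joined Windows host. It is an added example for this article, not a tool from Acronis or MobileIron, and every host name and account name in it is a hypothetical placeholder you must replace. It assumes the RSAT ActiveDirectory module is installed, that the Sentry delegates using a dedicated AD account, and that the Gateway Server's SPN is of the form HTTP/<gateway FQDN>; if your environment differs, adjust those values. Note that port reachability is tested from the host running the script, not from the Sentry itself.

```powershell
# Prerequisite checks for the Sentry -> KDC -> Files Advanced Gateway path.
# Added example, not part of the original article or of any MobileIron/Acronis tooling.
# Every host and account name below is a hypothetical placeholder.
# Run in an elevated PowerShell session on a domain-joined Windows host with the
# RSAT ActiveDirectory module (Test-NetConnection and Resolve-DnsName need
# Windows 8 / Server 2012 or later).
Import-Module ActiveDirectory -ErrorAction Stop

$Dc           = 'dc01.corp.example.com'     # assumed: domain controller / KDC FQDN
$SentryFqdn   = 'sentry.corp.example.com'   # assumed: DNS name the VSP uses to reach the Sentry
$GatewayFqdn  = 'gateway.corp.example.com'  # assumed: Gateway Server FQDN the Sentry is configured to contact
$DelegAccount = 'svc-sentry-kcd'            # assumed: AD account the Sentry uses for delegation
$MaxSkewSec   = 60                          # assumed tolerance (Kerberos default maximum skew is 5 minutes)

$script:fail = 0
function Report([bool]$ok, [string]$msg) {
    if ($ok) { "PASS  $msg" } else { "FAIL  $msg"; $script:fail++ }
}

# 1. Clock skew against the KDC. Tickets outside the skew window are rejected.
$offsets = @(w32tm /stripchart /computer:$Dc /samples:3 /dataonly 2>&1 |
    ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } })
$maxSkew = ($offsets | Measure-Object -Maximum).Maximum
Report ($offsets.Count -gt 0 -and $maxSkew -lt $MaxSkewSec) "clock offset vs $Dc is ${maxSkew}s (limit ${MaxSkewSec}s)"

# 2. Name resolution for every hop. The Sentry requests its ticket for the name it
#    was configured with, so that name must resolve and must match the SPN checked below.
foreach ($name in @($Dc, $SentryFqdn, $GatewayFqdn)) {
    $ok = $null -ne (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue)
    Report $ok "DNS A record for $name"
}

# 3. Ports from this host to the KDC. Test-NetConnection checks TCP only, so UDP 88
#    cannot be verified this way. 636 only matters if the Sentry uses SSL-enabled LDAP.
foreach ($port in 88, 389, 636) {
    $ok = (Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Report $ok "TCP $port to $Dc"
}

# 4. Delegation settings on the Sentry's account. Constrained delegation with
#    protocol transition needs the TRUSTED_TO_AUTH_FOR_DELEGATION flag (0x1000000)
#    and the Gateway's SPN listed in msDS-AllowedToDelegateTo. The filter accepts
#    either a user account or a computer account (sAMAccountName ending in '$').
$targetSpn = "HTTP/$GatewayFqdn"
$acct = Get-ADObject -LDAPFilter "(|(sAMAccountName=$DelegAccount)(sAMAccountName=$DelegAccount`$))" -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
Report ($null -ne $acct) "delegation account $DelegAccount exists"
if ($acct) {
    $protoTransition = ($acct.userAccountControl -band 0x1000000) -ne 0
    Report $protoTransition "$DelegAccount allows 'use any authentication protocol' (protocol transition)"
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    Report ($allowed -contains $targetSpn) "$DelegAccount may delegate to $targetSpn (currently: $($allowed -join ', '))"
}

# 5. The SPN the Sentry asks for must be registered on exactly one principal;
#    a missing or duplicate SPN makes the KDC refuse the service ticket.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$targetSpn)")
Report ($holders.Count -eq 1) "$targetSpn registered on exactly one account (found $($holders.Count))"

if ($script:fail -eq 0) { "All prerequisite checks passed." } else { "$($script:fail) check(s) failed." }
```

Run the script before starting phase two. A FAIL on the clock or DNS checks points at the "Server interoperability" items above; a FAIL on checks 4 or 5 means the Windows side of the delegation is not yet configured for the name the Sentry will request, which is the condition under which the KDC refuses to grant the ticket.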