Using AppConnect with Kerberos Constrained Delegation
This article serves to explain how to configure the required system components to connect the Acronis Access mobile client to the Acronis Access server proxied through MobileIron AppTunnel with authentication handled via Kerberos Constrained Delegation.
Note: The documentation on how to configure MobileIron for Kerberos Constrained Delegation is provided as a courtesy to help get the configuration setup. However, all of the steps up until verification that the Sentry is receiving the Kerberos ticket from the KDC, involve MobileIron software exclusively. If you are having difficulties getting through these steps and successfully receiving a Kerberos ticket, please contact MobileIron support.
Because this is a complex setup, it is split into two phases to reduce errors and simplify troubleshooting. The first phase establishes an AppTunnel that uses username/password authentication to the Acronis Access server. Phase two builds on that infrastructure to add Kerberos Constrained Delegation. It is highly recommended to confirm that the tunnel works with username/password authentication before moving on to Kerberos, so that fewer steps need to be examined during problem determination.
Before you begin
Kerberos Constrained Delegation, abbreviated KCD, allows users to authenticate to network resources by Kerberos after their identity is established using a non-Kerberos authentication method. In the case of Acronis Access, this allows users to authenticate using iOS device-level identity certificates distributed by MobileIron. Without KCD, the Access app would only be able to use a certificate installed directly into the app.
Note: All of the configuration related to KCD is done through MobileIron and Windows. There are no special changes to make in Acronis Access itself.
Key Distribution Center, abbreviated KDC, is a network service that supplies session tickets and temporary session keys to users and computers within an Active Directory domain.
Only the Gateway Server accepts Kerberos authentication. The Access Server does not.
The Access client app must be enrolled in client management with a Gateway Server. If the client is enrolled with the Access Server, the login will fail.
Mobile clients using Kerberos authentication will only be able to authenticate to network shares and SharePoint sites. They cannot use KCD to access Acronis Access Sync & Share folders, since the Access service does not allow Kerberos authentication.
Prerequisites
The following software should already be installed and configured:
MobileIron VSP (5.9 used in this document)
For Kerberos to work properly the user accounts on the VSP should come from the Active Directory that will be configured to support Kerberos
MobileIron Sentry (4.8 used in this document)
Access server installed (6.0.2 used in this document)
Servers interoperability
The time on the VSP, Sentry, Domain Controller, and Access servers must all be synchronized (NTP recommended)
Domain name resolution (DNS). The Sentry will ask for a ticket from the KDC using the DNS name it has been configured to contact. This name must match the computer name set up for Kerberos delegation or the KDC will refuse to grant a ticket.
The VSP must be able to reach the Sentry (ports 9090 and 443 by default; other ports depending on your configuration).
The Sentry must be able to reach the Active Directory and Access server (ports 88, 389, 636).
Ports 88 (UDP and TCP) and 389 (TCP) between Active Directory and Sentry (or port 636 (TCP) if you are using SSL-enabled Active Directory) need to be opened to allow communication. Port 88 is used for Kerberos protocol communication. Port 389 (or 636) is used for the LDAP ping between Sentry and the KDC to verify that the KDC IP is the same as the Active Directory IP.
If Windows Server 2003 is being used, the KDC may listen for requests on port 88 using UDP instead of TCP. You can force Kerberos to use TCP instead of UDP by changing the MaxPacketSize from 0 to 1 in the registry editor. For information about how to do this, refer to the following Microsoft KB article: http://support.microsoft.com/kb/244474.
The iOS device must be able to reach the VSP and the Sentry.
iOS Device registered on VSP.
Mobile@Work installed on the device and registered in the VSP, with the MDM profiles properly installed during registration.
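The following script is an added example (not part of the original article or of the MobileIron or Acronis products) that turns the DNS and port requirements above into a pre-flight check. It encodes the TCP flows listed in this section (VSP to Sentry on 9090 and 443; Sentry to the KDC on 88 and on 389, or 636 for SSL-enabled Active Directory), refuses to probe a destination whose DNS name does not resolve (the Sentry requests its ticket by the configured name, so an unresolvable name fails before any port matters), and is run on the host that originates the flows being tested. The hostnames are constructed placeholders; UDP 88 and NTP time skew are not probed here.

```python
import socket

def kcd_flows(sentry, kdc, ldap_ssl=False):
    """Required TCP flows from the article: (source role, dest host, port, purpose).
    UDP 88 is also required but is not probed here (UDP has no handshake to test)."""
    ldap_port = 636 if ldap_ssl else 389
    return [
        ("VSP",    sentry, 9090,      "VSP -> Sentry (default management port)"),
        ("VSP",    sentry, 443,       "VSP -> Sentry (HTTPS)"),
        ("Sentry", kdc,    88,        "Sentry -> KDC (Kerberos, TCP)"),
        ("Sentry", kdc,    ldap_port, "Sentry -> KDC (LDAP ping, verifies KDC IP)"),
    ]

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve(name):
    """Forward-resolve name; None if the DNS lookup fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def run_checks(flows, role, probe=tcp_open, lookup=resolve):
    """Run, from this host, the flows that originate at `role` ("VSP" or "Sentry").
    Each result is (dest, port, purpose, resolved_ip or None, reachable).
    An unresolvable destination is reported as unreachable without being probed."""
    results = []
    for src, host, port, purpose in flows:
        if src != role:
            continue
        ip = lookup(host)
        reachable = bool(ip) and probe(host, port)
        results.append((host, port, purpose, ip, reachable))
    return results

def failures(results):
    """Subset of results that block the KCD setup."""
    return [r for r in results if not r[4]]

if __name__ == "__main__":
    import sys
    role = sys.argv[1] if len(sys.argv) > 1 else "Sentry"
    # Constructed placeholder hostnames; replace with your own Sentry and domain controller.
    flows = kcd_flows("sentry.example.com", "dc1.example.com")
    for host, port, purpose, ip, ok in run_checks(flows, role):
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} ({ip or 'unresolved'}) - {purpose}")
```

Run it with `Sentry` as the argument from a host standing in for the Sentry and with `VSP` from the VSP side; a FAIL on the LDAP line with an OK on port 88 usually points at the 389/636 choice not matching whether Active Directory is SSL-enabled.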