Using mobile clients with client certificate authentication

This is an additional step that you have to perform. You need to set up delegation from the Gateway Server to the Files Advanced server regardless of whether the two run on the same machine.

Kerberos Constrained Delegation

This type of delegation will work if the Files Advanced server and the Gateway Server are in the same domain.

  1. To do this, open the Active Directory on the domain controller.
  2. Find and edit the Gateway server's computer object and go to the delegation tab.
  3. Select Trust this computer for delegation to specified services only and Use any authentication protocol.
  4. To select the Files Advanced server's SPN, click Add and enter the username of the account that's associated with the Files Advanced server's HTTP SPN.

    Note: Do not search for the computer that the Files Advanced server is running on - you'll have to do the lookup by username.

    Note: Kerberos authentication to the Files Advanced server is not compatible with single port mode.

  5. Once you search for the user, you should see the HTTP services, so select them (there might be two if you registered the SPN twice - once with the port and once without).
  6. Press Apply and close all dialogs.

Resource Based Kerberos Constrained Delegation

This type of delegation will work even if the Files Advanced (Access) server and the Gateway Server are in separate domains within the same forest.

Note: In order to make use of this feature, all of your domains that Files Advanced will have access to must run in domain functional level 2012 or higher.

  1. Double-check that the DNS entry dedicated for the Files Advanced server and for which you have set an SPN is in fact set as the address for your S&S volume in the Data Sources page.
  2. Configure delegation between the Gateway Server and the Files Advanced server. This time the delegation will be from the Gateway Server to the Files Advanced server.
  3. Run the following commands in a PowerShell session with the Active Directory module loaded, substituting the Gateway machine name and the Files Advanced SSO user account:

    $pc1 = Get-ADComputer -Identity <name_of_gateway_machine>

    Set-ADUser <Access_SSO_user_account> -PrincipalsAllowedToDelegateToAccount $pc1

    For example:

    $pc1 = Get-ADComputer -Identity ahsoka

    Set-ADUser john -PrincipalsAllowedToDelegateToAccount $pc1

  4. If your Gateway is running as a user account, you will need to set the delegation between the two user accounts instead, with the following commands:

    $user1 = Get-ADUser -Identity <Gateway_User_Account>

    Set-ADUser <Access_SSO_user_account> -PrincipalsAllowedToDelegateToAccount $user1

    For example:

    $user1 = Get-ADUser -Identity gwuser

    Set-ADUser john -PrincipalsAllowedToDelegateToAccount $user1

It will take some time for the delegation to be propagated – 10 to 15 minutes for small LDAP deployments and even more for larger structures.
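Because the change takes time to replicate, it is useful to read the delegation back from the directory rather than guess. The following script is an added example, not part of the original documentation: it checks that the SSO account carries an HTTP SPN, that the Gateway principal (computer or user, covering both step 3 and step 4) is on its allowed-to-delegate list, and that nothing else is. The names ahsoka, john and gwuser are the placeholders used in the examples above.

```powershell
# Added verification script (not Acronis code). Placeholder names from the page's
# examples; replace them with your own Gateway and Files Advanced SSO account names.
Import-Module ActiveDirectory

$ssoUser       = 'john'    # Files Advanced SSO account that holds the HTTP SPN
$gatewayName   = 'ahsoka'  # Gateway machine, or 'gwuser' when the Gateway runs as a user
$gatewayIsUser = $false    # set to $true for the step 4 (user-to-user) case

# Resolve the Gateway principal the same way the setup commands do.
$gateway = if ($gatewayIsUser) { Get-ADUser -Identity $gatewayName }
           else                { Get-ADComputer -Identity $gatewayName }

# Read back the SPNs and the resource-based delegation list from the SSO account.
$acct = Get-ADUser -Identity $ssoUser `
    -Properties PrincipalsAllowedToDelegateToAccount, ServicePrincipalNames

Write-Host "SPNs registered on ${ssoUser}:"
$acct.ServicePrincipalNames | ForEach-Object { Write-Host "  $_" }
if (-not ($acct.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' })) {
    Write-Warning "No HTTP/ SPN on ${ssoUser}; Kerberos to the Files Advanced server will fail."
}

# PrincipalsAllowedToDelegateToAccount is returned as distinguished names.
$allowed = @($acct.PrincipalsAllowedToDelegateToAccount)
Write-Host "Principals allowed to delegate to ${ssoUser}:"
$allowed | ForEach-Object { Write-Host "  $_" }

if ($allowed -notcontains $gateway.DistinguishedName) {
    Write-Warning ("{0} is not yet allowed to delegate to {1}; " -f $gateway.Name, $ssoUser) +
                  "wait for replication (10 to 15 minutes) or re-run Set-ADUser."
}

# Least privilege: only the Gateway should be able to delegate to this account.
$extra = $allowed | Where-Object { $_ -ne $gateway.DistinguishedName }
if ($extra) {
    Write-Warning "Unexpected principals allowed to delegate: $($extra -join ', ')"
}
```

Run it on a domain-joined machine with the RSAT Active Directory module; re-running it after the propagation window confirms the change has replicated.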