Cross-domain setup

Microsoft introduced Kerberos Constrained Delegation (KCD) with Windows Server 2003; it is the technology behind Back-side Kerberos SSO. With Windows Server 2012, KCD was enhanced with Resource-Based Kerberos Constrained Delegation (RBKCD). With standard KCD, users can only be impersonated within the same domain, while RBKCD allows KCD across domain boundaries.

This chapter describes how to configure RBKCD with Airlock Gateway.

Chapter-related prerequisites

  • The trust between the Active Directory domains is configured properly.
  • The DNS server configured in Airlock Gateway can resolve the DNS SRV requests used to determine the involved Active Directory domains and domain controllers.