Back-side Kerberos SSO enables Single Sign-On for kerberized web applications. It provides an elegant way to propagate user identities to back-end servers, without any knowledge about their passwords. This might be very useful if the authentication enforcement on Airlock Gateway is done without the user’s domain password. This is for example the case when using a client certificate or an RSA Secure ID token.