Unit 9: Implement Kerberos and Certificate-Based Authentication in Microsoft Entra ID
Kerberos for On-Prem Apps via Application Proxy
You can provide SSO for on-premises apps that use Integrated Windows Authentication (IWA) by publishing them with Application Proxy and using Kerberos Constrained Delegation (KCD).
- The Application Proxy connector impersonates users in AD and obtains Kerberos tickets on their behalf.
- This allows users to access on-prem IWA apps using Microsoft Entra identities and tokens.
Kerberos Authentication Flow (Conceptual)
- User enters the URL for the on-prem app published through Application Proxy.
- Application Proxy redirects the request to Microsoft Entra ID for pre-authentication.
- Entra ID evaluates policies such as MFA.
- After successful authentication, Entra ID issues a token to the user.
- User presents the token to Application Proxy.
- Application Proxy validates the token and extracts the UPN.
- The connector uses the UPN and app SPN to perform KCD with on-prem AD over a secure channel.
- AD sends a Kerberos ticket for the app to the connector.
- Connector sends the request with the Kerberos ticket to the app server.
- App sends the response back through the connector and Application Proxy to the user.
Prerequisites
- Apps (e.g., SharePoint) configured to use Integrated Windows Authentication.
- Every published app must have a Service Principal Name (SPN) registered for it.
- Connector server and app server must be domain joined.
- Connector server must have access to read the TokenGroupsGlobalAndUniversal attribute.
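The connector-side Active Directory setup behind the flow and prerequisites above, as an added PowerShell example that is not from the original unit: it registers the app's SPN, scopes the connector's constrained delegation to that single SPN, and then verifies the result. The names CONNECTOR01, svc-sharepoint and HTTP/sharepoint.contoso.local are assumptions.

```powershell
# Added example; names are illustrative assumptions, not values from the unit.
Import-Module ActiveDirectory

$ConnectorComputer = Get-ADComputer -Identity 'CONNECTOR01'   # domain-joined connector server
$AppServiceAccount = 'svc-sharepoint'                          # account the IWA app runs as
$AppSpn            = 'HTTP/sharepoint.contoso.local'           # SPN of the published app

# 1. Register the app's SPN on the account that runs the app.
#    setspn -S refuses to add a duplicate SPN; duplicates break Kerberos for the app.
setspn -S $AppSpn $AppServiceAccount

# 2. Constrain the connector computer account so it may delegate ONLY to this SPN,
#    and enable protocol transition: the connector holds an Entra ID token for the
#    user, not a Kerberos TGT, so it must be allowed to request tickets "for the user".
Set-ADComputer -Identity $ConnectorComputer -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn }
Set-ADAccountControl -Identity $ConnectorComputer -TrustedToAuthForDelegation $true

# 3. Verify the delegation scope. TRUSTED_TO_AUTH_FOR_DELEGATION is bit 0x1000000
#    of userAccountControl; the SPN list must contain exactly the apps you published.
$c = Get-ADComputer -Identity $ConnectorComputer `
        -Properties 'msDS-AllowedToDelegateTo', userAccountControl
[PSCustomObject]@{
    Connector          = $c.Name
    ProtocolTransition = [bool]($c.userAccountControl -band 0x1000000)
    DelegatesTo        = ($c.'msDS-AllowedToDelegateTo' -join '; ')
} | Format-List

# 4. Confirm the SPN resolves to exactly one account in the forest.
setspn -Q $AppSpn
```

Re-run step 3 after any change to the published app list: an entry in msDS-AllowedToDelegateTo that no longer corresponds to a published app is delegation scope the connector does not need.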