Deployment scheme involving Kerberos constrained delegation (KCD)

The deployment scheme with Kerberos constrained delegation (KCD) requires the Administration Server and the iOS MDM Server to be located on the internal network of the organization.

This deployment scheme provides for the following:

When using this deployment scheme, you must do the following:

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

Service Principal Name for http/iosmdm.mydom.local

In the domain, you have to register the service principal name (SPN) for the device with the iOS MDM web service (iosmdm.mydom.local):

setspn -a http/iosmdm.mydom.local iosmdm

Configuring the domain properties of the device with the reverse proxy (firewall.mydom.local)

To delegate traffic, trust the device with the reverse proxy (firewall.mydom.local) to the service that is defined by the SPN (http/iosmdm.mydom.local).

To trust the device with the reverse proxy to the service defined by the SPN (http/iosmdm.mydom.local), the administrator must perform the following actions:

  1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with the reverse proxy installed (firewall.mydom.local).
  2. In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified service only toggle to Use any authentication protocol.
  3. Add the SPN (http/iosmdm.mydom.local) to the Services to which this account can present delegated credentials list.

Special (customized) certificate for the published web service (iosmdm.mydom.global)

You have to issue a special (customized) certificate for the iOS MDM web service on the FQDN iosmdm.mydom.global and specify that it replaces the default certificate in the settings of iOS MDM web service in Administration Console.

Please note that the certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).

Publishing the iOS MDM web service on the reverse proxy

On the reverse proxy, for traffic that goes from a mobile device to port 443 of iosmdm.mydom.global, you have to configure KCD on the SPN (http/iosmdm.mydom.local), using the certificate issued for the FQDN (iosmdm.mydom.global). Please note that publishing, and the published web service must share the same server certificate.

See also:

Standard configuration: Kaspersky Device Management for iOS in DMZ

Integration with Public Key Infrastructure

Page top