Kaspersky Security Center 14

Deployment scheme involving Kerberos constrained delegation (KCD)

26 February 2024

ID 92516

To use the deployment scheme with Kerberos constrained delegation (KCD), the following requirements must be met:

  • Administration Server and the iOS MDM Server are located on the internal network of the organization.
  • A corporate firewall with KCD support is in use.

This deployment scheme provides for the following:

  • Integration with the corporate firewall that supports KCD
  • Use of KCD for authentication of mobile devices
  • Integration with the PKI for applying user certificates

When using this deployment scheme, you must do the following:

  • In Administration Console, in the settings of the iOS MDM web service, select the Ensure compatibility with Kerberos constrained delegation check box.
  • As the certificate for the iOS MDM web service, specify the customized certificate that was defined when the iOS MDM web service was published on the corporate firewall.
  • User certificates for iOS devices must be issued by the Certificate Authority (CA) of the domain. If the domain contains multiple root CAs, user certificates must be issued by the CA that was specified when the iOS MDM web service was published on the corporate firewall.

    You can ensure that the user certificate is in compliance with the this CA-issuance requirement by using one of the following methods:

    • Specify the user certificate in the New iOS MDM profile wizard and in the Certificate installation wizard.
    • Integrate the Administration Server with the domain's PKI and define the corresponding setting in the rules for issuance of certificates:
      1. In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
      2. In the workspace of the Certificates folder, click the Configure certificate issuance rules button to open the Certificate issuance rules window.
      3. In the Integration with PKI section, configure integration with the Public Key Infrastructure.
      4. In the Issuance of mobile certificates section, specify the source of certificates.

Below is an example of setup of Kerberos Constrained Delegation (KCD) with the following assumptions:

  • The iOS MDM web service is running on port 443.
  • The name of the device with the corporate firewall is firewall.mydom.local.
  • The name of device with the iOS MDM web service is iosmdm.mydom.local.
  • The name of external publishing of the iOS MDM web service is iosmdm.mydom.global.

Service Principal Name for http/iosmdm.mydom.local

In the domain, you have to register the service principal name (SPN) for the device with the iOS MDM web service (iosmdm.mydom.local):

setspn -a http/iosmdm.mydom.local iosmdm

Configuring the domain properties of the device with the corporate firewall (firewall.mydom.local)

To delegate traffic, trust the device with the corporate firewall (firewall.mydom.local) to the service that is defined by the SPN (http/iosmdm.mydom.local).

To trust the device with the corporate firewall to the service defined by the SPN (http/iosmdm.mydom.local), the administrator must perform the following actions:

  1. In the Microsoft Management Console snap-in named "Active Directory Users and Computers", select the device with the corporate firewall installed (firewall.mydom.local).
  2. In the device properties, on the Delegation tab, set the Trust this computer for delegation to specified service only toggle to Use any authentication protocol.
  3. Add the SPN (http/iosmdm.mydom.local) to the Services to which this account can present delegated credentials list.

Special (customized) certificate for the published web service (iosmdm.mydom.global)

You have to issue a special (customized) certificate for the iOS MDM web service on the FQDN iosmdm.mydom.global and specify that it replaces the default certificate in the settings of iOS MDM web service in Administration Console.

Please note that the certificate container (file with the p12 or pfx extension) must also contain a chain of root certificates (public keys).

Publishing the iOS MDM web service on the corporate firewall

On the corporate firewall, for traffic that goes from a mobile device to port 443 of iosmdm.mydom.global, you have to configure KCD on the SPN (http/iosmdm.mydom.local), using the certificate issued for the FQDN (iosmdm.mydom.global). Please note that publishing, and the published web service must share the same server certificate.

See also:

Standard configuration: Kaspersky Device Management for iOS in DMZ

Integration with Public Key Infrastructure

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.