Overview

Ivanti Standalone Sentry supports device authentication using user name and password, certificate-based authentication, or Kerberos Constrained Delegation. Device authentication involves configuring:

- device authentication (how the device authenticates to the Ivanti Standalone Sentry)
- server authentication (how the Ivanti Standalone Sentry authenticates the device to the server)

Device authentication

Device authentication specifies how the device authenticates to the Ivanti Standalone Sentry. The following table describes the device authentication methods supported by Ivanti Standalone Sentry.

Table 1. Supported device authentication

| Device Authentication | Description |
| --- | --- |
| Pass Through | Only available if you are using the Sentry for ActiveSync only. The Sentry passes through the authentication provided by the device, for example, user name and password, NTLM. |
| Group Certificate | Available for ActiveSync and AppTunnel. Requires the following: a trusted group certificate for device authentication; an authentication method like user name and password or NTLM for authenticating the device to the server. KCD is not supported with Group Certificates. |
| Identity Certificate | Available for ActiveSync and AppTunnel. Requires the following: a certificate issued by a Trusted Root Authority for device authentication; a user name and password or a properly configured Kerberos implementation for authenticating the device to the server. |

Server authentication

Server authentication specifies how the Sentry authenticates the device to the backend resource. This can be the ActiveSync server or a backend resource. The following table describes the supported server authentication. These are supported for both ActiveSync and AppTunnel.

Table 2. Supported server authentication

| Server Authentication | Description |
| --- | --- |
| Pass Through | The Sentry passes through the authentication provided by the device. For example: user name and password, NTLM. This is the only authentication option you can use with Microsoft Office 365. This is also the only authentication option available for TCP and IP tunneling. |
| Kerberos | Only available if you choose Identity Certificate for device authentication. Requires a properly configured Kerberos implementation. |