Authentication workflow for single sign-on with Kerberos
The following describes the authentication flow for single sign-on with Kerberos:
- The managed app or Safari domain initiates a connection with the backend resource through the TCP tunnel configured on the Standalone Sentry. The managed app must support Kerberos.
- The backend resource, via the Standalone Sentry, returns a request to authenticate and the KDC realm information to the device.
- The device sends a Kerberos SRV DNS query to Ivanti Tunnel. Tunnel matches the requested domain to the domains configured in the SRV key-value pair, and the Kerberos DNS query is resolved to the host name (target) configured in that pair. SRV configuration is not required if packet tunnel provider is configured.
- The device communicates with the KDC server (target) through Tunnel, and a ticket is returned to the device. The ticket is stored on the device.
- The device presents the ticket to the backend resource for authentication.
- The device uses the ticket to authenticate to backend resources configured in the single sign-on setting.
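The SRV step in the flow above is the one piece a practitioner usually has to get right by hand: the device asks for `_kerberos._tcp.<REALM>` (or the UDP and `_kpasswd` variants, per RFC 4120 section 7.2.3.3 and common practice), and Tunnel has to map the realm in that query to a configured KDC host. The script below is an added example, not Ivanti code, that simulates that matching so the mapping can be checked offline before it is pushed to devices. The `domain=target[:port]` configuration syntax, the priority/weight values in the answer and the sample realms are assumptions made for illustration; the real SRV key-value syntax comes from the product documentation.

```python
"""Simulate tunnel-side resolution of Kerberos SRV DNS queries from a
configured domain -> KDC mapping (added example, not product code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SRV names a Kerberos client queries and the default port for each
# (RFC 4120 7.2.3.3 for _kerberos; _kpasswd is the common convention).
KERBEROS_SERVICE_PORTS = {
    ("_kerberos", "_udp"): 88,
    ("_kerberos", "_tcp"): 88,
    ("_kpasswd", "_udp"): 464,
    ("_kpasswd", "_tcp"): 464,
}


@dataclass(frozen=True)
class SrvMapping:
    domain: str          # configured domain suffix, lower-case, no trailing dot
    target: str          # configured KDC host name the query resolves to
    port: Optional[int]  # configured port, or None to use the service default


@dataclass(frozen=True)
class SrvAnswer:
    priority: int
    weight: int
    port: int
    target: str


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; drop whitespace and the root dot."""
    return name.strip().rstrip(".").lower()


def parse_srv_config(text: str) -> List[SrvMapping]:
    """Parse one 'domain=target[:port]' mapping per line (assumed format).

    '#' starts a comment; blank lines are ignored."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        domain, _, target = line.partition("=")
        if not domain.strip() or not target.strip():
            raise ValueError(f"bad SRV mapping line: {raw!r}")
        host, _, port = target.strip().partition(":")
        mappings.append(SrvMapping(_normalize(domain), _normalize(host),
                                   int(port) if port else None))
    return mappings


def parse_kerberos_query(qname: str) -> Optional[Tuple[str, str, str]]:
    """Split '_kerberos._tcp.EXAMPLE.COM' into (service, proto, realm).

    Returns None for anything that is not a Kerberos/kpasswd SRV name,
    so ordinary DNS traffic is left to the normal resolver."""
    labels = _normalize(qname).split(".")
    if len(labels) < 3:
        return None
    service, proto, realm = labels[0], labels[1], ".".join(labels[2:])
    if (service, proto) not in KERBEROS_SERVICE_PORTS:
        return None
    return service, proto, realm


def resolve_srv(qname: str, mappings: List[SrvMapping]) -> Optional[SrvAnswer]:
    """Answer a Kerberos SRV query from the configured mappings.

    Matching is label-aligned (corp.example.com matches example.com,
    notexample.com does not) and the longest configured suffix wins."""
    parsed = parse_kerberos_query(qname)
    if parsed is None:
        return None
    service, proto, realm = parsed
    best = None
    for m in mappings:
        if realm == m.domain or realm.endswith("." + m.domain):
            if best is None or len(m.domain) > len(best.domain):
                best = m
    if best is None:
        return None  # realm not configured: fall through to regular DNS
    port = best.port if best.port is not None else KERBEROS_SERVICE_PORTS[(service, proto)]
    # Single-KDC answer; priority/weight are illustrative values.
    return SrvAnswer(priority=0, weight=100, port=port, target=best.target)


# Constructed sample configuration (assumed syntax) for a stand-alone run.
SAMPLE_CONFIG = """
example.com = kdc.example.com               # default realm KDC
corp.example.com = kdc01.corp.example.com:88  # more specific sub-realm
"""

if __name__ == "__main__":
    maps = parse_srv_config(SAMPLE_CONFIG)
    for q in ("_kerberos._tcp.CORP.EXAMPLE.COM.", "_kpasswd._tcp.example.com",
              "_kerberos._tcp.notexample.com", "_ldap._tcp.example.com"):
        print(f"{q:36} -> {resolve_srv(q, maps)}")
```

Run it against the real mapping (after adapting `parse_srv_config` to the product's syntax) with the realm names the managed apps actually request; a `None` for a realm that should be tunnelled means the KDC lookup will leak to the device's regular DNS and the ticket step will fail.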