Authentication workflow for single sign-on with Kerberos

The following describes the authentication flow for single sign-on with Kerberos:

  1. The managed app, or Safari for a configured Safari domain, opens a connection to the backend resource through the TCP tunnel configured on the Standalone Sentry. The managed app must support Kerberos.
  2. The backend resource, via the Standalone Sentry, returns an authentication challenge to the device together with the KDC realm information, which tells the device which realm it must obtain a ticket from.
  3. The device sends the standard Kerberos SRV DNS query for that realm (_kerberos._tcp.<realm>) to Ivanti Tunnel. Tunnel matches the requested domain against the domains configured in the SRV key-value pair and resolves the query to the host name (target) configured in that pair.
    SRV configuration is not required if a packet tunnel provider is configured.
  4. The device contacts the KDC (the resolved target) through Tunnel, obtains a ticket-granting ticket and then a service ticket for the resource, and caches them on the device.
  5. The device presents the service ticket to the backend resource, which validates it and completes authentication.
  6. For subsequent requests to any backend resource listed in the single sign-on setting, the device uses the cached ticket-granting ticket to obtain further service tickets, so the user is not prompted again.
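The SRV lookup in step 3 is the part of this flow that is easiest to get wrong, because Tunnel, not a real DNS server, answers it. The following added example (not Ivanti's code, and not its configuration syntax) walks through that exchange offline: it builds the `_kerberos._tcp.<realm>` query the device sends, answers it from an assumed domain-to-KDC mapping the way the SRV key-value pair is meant to, and parses the answer the device gets back. The mapping format, the host names and the port are assumptions for illustration.

```python
"""Offline walk-through of step 3: the device asks for a KDC via a DNS SRV
lookup and the tunnel answers it from a configured domain -> KDC mapping.
Stdlib only, no network. SRV_MAP, the host names and ports are constructed
stand-ins, not Ivanti's configuration format."""
import struct

TYPE_SRV = 33
CLASS_IN = 1

# Constructed stand-in for the SRV key-value pair: realm/domain -> (KDC host, port).
SRV_MAP = {
    "example.com": ("kdc.example.com", 88),
    "corp.example.net": ("dc01.corp.example.net", 88),
}

def srv_query_name(realm: str) -> str:
    """DNS name a Kerberos client looks up to locate a KDC for REALM (RFC 4120, 7.2.3.2)."""
    return f"_kerberos._tcp.{realm.lower()}"

def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed DNS name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def build_srv_query(realm: str, txid: int = 0x1234) -> bytes:
    """The query the device sends: one question, type SRV, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(srv_query_name(realm)) + struct.pack("!HH", TYPE_SRV, CLASS_IN)

def tunnel_answer(query: bytes, srv_map=SRV_MAP) -> bytes:
    """What the tunnel does with the query: match the realm against its
    configured domains and answer with the configured target, else NXDOMAIN."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype = struct.unpack("!H", query[off:off + 2])[0]
    question = query[12:off + 4]
    prefix = "_kerberos._tcp."
    realm = qname[len(prefix):] if qname.startswith(prefix) else ""
    if qtype != TYPE_SRV or realm not in srv_map:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question   # RCODE 3
    target, port = srv_map[realm]
    rdata = struct.pack("!HHH", 0, 0, port) + encode_name(target)          # prio, weight, port
    answer = struct.pack("!H", 0xC00C)                                      # pointer to qname
    answer += struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

def parse_srv_answer(resp: bytes):
    """Device side: return [(priority, weight, port, target), ...]; [] on error RCODE."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F != 0:
        return []
    off = 12
    for _ in range(qd):                 # skip the echoed question(s)
        _, off = decode_name(resp, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", resp[off:off + 6])
            target, _ = decode_name(resp, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return records

def resolve_kdc(realm: str, srv_map=SRV_MAP):
    """Full round trip as the device sees it: build query, get the tunnel's answer, parse it."""
    return parse_srv_answer(tunnel_answer(build_srv_query(realm), srv_map))

if __name__ == "__main__":
    print(resolve_kdc("EXAMPLE.COM"))   # [(0, 0, 88, 'kdc.example.com')]
    print(resolve_kdc("OTHER.ORG"))     # []
```

Because the answer comes from the tunnel rather than from the realm's DNS, the configured mapping is effectively the allow-list of KDCs the device will talk to: a realm that is not in it gets NXDOMAIN and the ticket request in step 4 never happens, which is why a missing or misspelled domain in the SRV key-value pair shows up as an authentication failure rather than a DNS error in the app.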