Overview of device and server authentication with Standalone Sentry

Standalone Sentry supports device authentication using user name and password, certificate-based authentication, or Kerberos Constrained Delegation. Device authentication involves configuring:

device authentication (how the device authenticates to the Standalone Sentry)

See Device authentication configuration on Standalone Sentry.

server authentication (how the Standalone Sentry authenticates the device to the server).

See Server authentication on Standalone Sentry.

Device authentication configuration on Standalone Sentry

Device authentication specifies how the device authenticates to the Standalone Sentry. The following table describes the device authentication options on Standalone Sentry.

Table 1. Types of device authentication supported in Standalone Sentry

Device Authentication

Description

Pass Through

Only available if you are using Sentry for ActiveSync only.

Sentry passes through the following authentication provided by the device: user name and password or NTLM.

Group Certificate

Available for ActiveSync and AppTunnel.

Requires the following:

A trusted group certificate for device authentication.
An authentication method, such as user name and password or NTLM, for authenticating the device to the server.
NOTE: KCD is not supported with Group Certificates.

Identity Certificate

Available for ActiveSync and AppTunnel.

Requires the following:

A certificate issued by a Trusted Root Authority for device authentication.
A user name and password or a properly configured Kerberos implementation for authenticating the device to the server.

Trusted Front-End

Available for ActiveSync and AppTunnel.

Requires the following:

Setting up an Apache or F5 proxy to front-end the Standalone Sentry.
Additional minor changes to references to the hostname in some profiles.
NOTE: MobileIron supports only Apache or F5 servers as the trusted front-end server for TCP tunneling.

Server authentication on Standalone Sentry

Server authentication specifies how Sentry authenticates the device to the backend resource, which can be the ActiveSync server or another backend resource.

Standalone Sentry supports pass through or Kerberos for server authentication. These are supported for both ActiveSync and AppTunnel.

The following table describes the server authentication options on Standalone Sentry.

Table 2. Types of server authentication supported in Standalone Sentry

Server Authentication

Description

Pass Through

Sentry passes through the authentication provided by the device.

For example: user name and password, NTLM.

NOTE: This is the only authentication option you can use with Microsoft Office 365. This is also the only authentication option available for TCP and IP tunneling.

Kerberos

Only available if you choose Identity Certificate for device authentication.

Requires a properly configured Kerberos implementation.
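
The constraints in Table 1 and Table 2 interact, so a planned combination can be checked before it is configured. The following is an added example, not MobileIron code and not a Sentry API: the SentryPlan fields, the string values and the validate function are hypothetical names chosen for illustration, and the sample plans are constructed.

```python
from dataclasses import dataclass

DEVICE_AUTH = {"pass_through", "group_certificate",
               "identity_certificate", "trusted_front_end"}
SERVER_AUTH = {"pass_through", "kerberos"}


@dataclass(frozen=True)
class SentryPlan:
    """Hypothetical description of a planned setup; not a Sentry API object."""
    device_auth: str
    server_auth: str
    apptunnel: bool = False            # False means ActiveSync only
    office365_backend: bool = False
    tcp_or_ip_tunneling: bool = False
    front_end_proxy: str = ""          # "apache" or "f5" for Trusted Front-End


def validate(plan):
    """Return the Table 1 / Table 2 constraints that the plan violates."""
    if plan.device_auth not in DEVICE_AUTH or plan.server_auth not in SERVER_AUTH:
        return ["unknown authentication type"]
    problems = []
    # Table 1: Pass Through is only available when using Sentry for ActiveSync only.
    if plan.device_auth == "pass_through" and plan.apptunnel:
        problems.append("Pass Through device auth requires ActiveSync-only use")
    if plan.server_auth == "kerberos":
        # Table 2: Kerberos only with Identity Certificate (so no KCD with Group Certificate).
        if plan.device_auth != "identity_certificate":
            problems.append("Kerberos requires Identity Certificate device auth")
        # Table 2 NOTE: Office 365 and TCP/IP tunneling allow Pass Through only.
        if plan.office365_backend:
            problems.append("Office 365 supports only Pass Through server auth")
        if plan.tcp_or_ip_tunneling:
            problems.append("TCP/IP tunneling supports only Pass Through server auth")
    # Table 1: Trusted Front-End needs an Apache or F5 proxy in front of Sentry.
    if (plan.device_auth == "trusted_front_end"
            and plan.front_end_proxy not in {"apache", "f5"}):
        problems.append("Trusted Front-End requires an Apache or F5 proxy")
    return problems


if __name__ == "__main__":
    samples = [  # constructed sample plans
        SentryPlan("identity_certificate", "kerberos", apptunnel=True),
        SentryPlan("group_certificate", "kerberos"),
        SentryPlan("identity_certificate", "kerberos", office365_backend=True),
        SentryPlan("pass_through", "pass_through", apptunnel=True),
    ]
    for plan in samples:
        print(plan.device_auth, plan.server_auth, validate(plan) or "OK")
```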