Federation Manager Agent for Windows Authentication GuideIntroduction to the CA Federation Manager Agent for Windows Authentication › Kerberos Protocol

Previous Topic: NTLM Protocol

Next Topic: Installation Prerequisites

Kerberos Protocol

The Kerberos protocol is an elaboration of the NTLM protocol. The following illustration shows how Federation Manager and the Federation Manager Windows Agent use the Kerberos protocol:

AWA and Kerberos

The following process references annotations in the preceding diagram:

  1. An authentication request is made to Federation Manager at the asserting party.

    Federation Manager recognizes that this request is a delegated authentication request.

  2. Federation Manager redirects to the Federation Manager Windows Agent.
  3. The Federation Manager Windows Agent requests an HTTP authorization from the browser.
  4. If the browser is configured for IWA, it sends a SPNEGO token to the Federation Manager Windows Agent. This token allows initiators and acceptors to negotiate whether to use Kerberos or NTLM.
  5. The Federation Manager Windows Agent extracts a Kerberos token from the SPNEGO token.
  6. After the security context is established from the Kerberos token, the Agent retrieves the user identity information.
  7. The Agent creates the open format cookie and builds a redirect URL.
  8. The Agent sends the cookie to Federation Manager.
  9. Federation Manager does the required processing and sends an assertion to the relying party.