Evaluate Kerberos Token
The Evaluate Kerberos Token policy can be used in either of the following scenarios:
* When the native service does not support Kerberos authentication.
* When you want to centrally configure Kerberos authentication in Mediator for services where Mediator is configured to forward the request to a clustered group of native servers through a load balancer.
Note:
For the Evaluate Kerberos Token policy, JMS and HTTP are not supported as inbound protocols. You must select HTTPS as the inbound protocol to enforce this policy. The Evaluate Kerberos Token policy complies with the KerberosOverTransport section described in the following article: https://msdn.microsoft.com/en-us/library/aa751836.aspx. Kerberos inbound authentication support is available at message level and not at transport level.
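Because the token is expected at message level, a captured request can be checked for a well-formed Kerberos token before it is sent through Mediator. The following is an added example, not part of the CentraSite documentation or product code; it assumes the token is carried as a WS-Security BinarySecurityToken with the OASIS Kerberos Token Profile 1.1 `GSS_Kerberosv5_AP_REQ` value type, and `check_kerberos_token` and `build_sample` are hypothetical names.

```python
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml when the input is untrusted

# Assumption: WS-Security BinarySecurityToken, OASIS Kerberos Token Profile 1.1.
WSS = "http://docs.oasis-open.org/wss/"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = WSS + "2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
B64 = WSS + "2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
GSS_AP_REQ = WSS + "oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ"
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2


def check_kerberos_token(envelope_xml):
    """Return (ok, reason) for the message-level Kerberos token in a SOAP request."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    path = f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}BinarySecurityToken"
    tokens = root.findall(path)
    if len(tokens) != 1:
        return False, f"expected 1 BinarySecurityToken, found {len(tokens)}"
    tok = tokens[0]
    if tok.get("ValueType") != GSS_AP_REQ:
        return False, "ValueType is not GSS_Kerberosv5_AP_REQ"
    if tok.get("EncodingType", B64) != B64:
        return False, "EncodingType is not Base64Binary"
    try:
        raw = base64.b64decode("".join((tok.text or "").split()), validate=True)
    except ValueError:
        return False, "token is not valid base64"
    # GSS-API initial context token: tag 0x60, DER length, mechanism OID, token id.
    if len(raw) < 2 or raw[0] != 0x60:
        return False, "missing GSS-API 0x60 framing"
    hdr = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)  # skip long-form length bytes
    if raw[hdr:hdr + len(KRB5_OID)] != KRB5_OID:
        return False, "mechanism OID is not Kerberos V5"
    if raw[hdr + len(KRB5_OID):hdr + len(KRB5_OID) + 2] != b"\x01\x00":
        return False, "token id is not AP-REQ"
    return True, "structurally valid GSS Kerberos AP-REQ token"


def build_sample(token_bytes, value_type=GSS_AP_REQ):
    """Constructed SOAP 1.1 request carrying token_bytes (not a real ticket)."""
    b64 = base64.b64encode(token_bytes).decode()
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:w="{WSSE}"><s:Header><w:Security>'
            f'<w:BinarySecurityToken ValueType="{value_type}" EncodingType="{B64}">'
            f'{b64}</w:BinarySecurityToken></w:Security></s:Header><s:Body/></s:Envelope>')
```

A pass means the token is well-formed, not that the ticket is valid for the configured SPN.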
Input Parameters
Service Principal Name
String. Mandatory. A valid Service Principal Name (SPN). The client uses the specified value to obtain a service ticket from the KDC server. The SPN is created in Active Directory (AD) by the AD domain administrator using the following command:
setspn -a <domain name>\<username> spnname
For example:
setspn -a eur\user1 spnname
Note:
Service Principal Name is currently supported only in its user-name-based form, not in its service-name-based form.
Service Principal Password
String. Mandatory. A valid password of the SPN user.
For example, if the setspn command is set for the domain user eur\user1, this field represents the password set for the domain user eur\user1.
Identify Consumer
String. The list of consumers against which the Kerberos token must be validated for identifying requests from a particular client.
| Value | Description |
| --- | --- |
| Do Not Identify | Mediator forwards the request to the native API without identifying the consumer application (in the global or registered consumer list) that corresponds to the principal identified after successful Kerberos authentication. |
| Registered Consumers | Mediator tries to identify the consumer by matching the principal that it set after successful Kerberos authentication against the list of consumer applications that are registered as consumers for the specified API. |
| Global Consumers | Default. Mediator tries to identify the consumer by matching the principal that it set after successful Kerberos authentication against the list of global consumer applications in Mediator. |
Copyright © 2005-2015 Software AG, Darmstadt, Germany.
