Hi
I am working on enabling Kerberos-based SSO (with PKI used for initial authentication) in our test environment.
The domain controller is Windows Server 2008 R2, the access resources are a few web applications hosted on IIS (on a Server 2008 R2 machine), and the resource client is a Windows 7 machine, on which the user accesses the web applications via a browser.
Currently I have enabled user-authentication-based Kerberos in IIS (where the web applications are hosted), and it is working fine (I can see all the Kerberos transactions in Network Monitor).
However, my actual requirement is to achieve the same using X.509 (identity) certificates installed on iOS devices: when a user with an identity certificate installed on the device accesses these sites from within the device, they should be let in without being prompted for a user name and password (Kerberos-based authentication with certificate (X.509) based pre-authentication).
I have been trying to configure this in my environment, but with no success. Most searches on the web end up in integrating MIT Kerberos (on Linux) with MS AD using PKINIT, but I am looking for a way to achieve the same thing in a Windows environment.
Recently I came across the link below,
http://msdn.microsoft.com/en-in/library/cc238455.aspx
which clearly says that this PKI-based initial authentication is available with MS-PKCA (Microsoft's implementation of PKINIT); then again, it's a developer document and it gives only technical details.
How do I implement MS-PKCA-based Kerberos in a Windows environment?
Is my scenario practically achievable in a complete Windows environment?
Can anyone please help me with this?
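An added example, not part of the original post, of the checks a practitioner would run on the domain controller before and after configuring this. MS-PKCA (PKINIT) depends on the KDC holding a certificate the client accepts (KDC Authentication EKU, or the Server Authentication EKU carried by the older Domain Controller template) and on the client certificate carrying the Smart Card Logon and Client Authentication EKUs plus a UPN in the Subject Alternative Name. Whether PKINIT is actually being used shows up in Security event 4768 on the DC: pre-authentication type 16 (PA-PK-AS-REQ) or 17 (PA-PK-AS-REP) for public-key logons, versus 2 (PA-ENC-TIMESTAMP) for password logons. The script assumes an elevated PowerShell session on the DC; the OID constants are the standard RFC 4556 / Microsoft values, and the 4768 field names (TargetUserName, IpAddress, PreAuthType, CertIssuerName) are those in the event's XML.

```powershell
# Added example (not from the original post): verify PKINIT / MS-PKCA
# prerequisites on a Windows DC and confirm the KDC is issuing TGTs with
# public-key pre-authentication. Assumes an elevated session on the DC.

$KdcAuthOid         = '1.3.6.1.5.2.3.5'         # id-pkinit-KPKdc (RFC 4556)
$ServerAuthOid      = '1.3.6.1.5.5.7.3.1'       # serverAuth (legacy DC template)
$SmartCardLogonOid  = '1.3.6.1.4.1.311.20.2.2'  # Microsoft Smart Card Logon
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'       # clientAuth
$PkinitPreAuthTypes = @(16, 17)                 # PA-PK-AS-REQ / PA-PK-AS-REP

function Get-CertEkuOids {
    # Returns the EKU OID strings of a certificate (empty if no EKU extension).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-KdcCertificate {
    # Lists machine-store certificates with a private key whose EKUs allow the
    # DC to answer a PKINIT AS-REQ. An empty result means the DC cannot complete
    # PKINIT even when the client certificates are correct.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $oids = Get-CertEkuOids $_
        $_.HasPrivateKey -and
        (($oids -contains $KdcAuthOid) -or ($oids -contains $ServerAuthOid))
    } | Select-Object Subject, NotAfter, Thumbprint
}

function Test-ClientCertificate {
    # Checks one user/device certificate for what the KDC expects when mapping
    # it to an AD account: Smart Card Logon and Client Authentication EKUs, and
    # a UPN (otherName "Principal Name") in the Subject Alternative Name.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids    = Get-CertEkuOids $Cert
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    New-Object PSObject -Property @{
        Subject          = $Cert.Subject
        HasSmartCardEku  = ($oids -contains $SmartCardLogonOid)
        HasClientAuthEku = ($oids -contains $ClientAuthOid)
        HasUpnInSan      = ($sanText -match 'Principal Name=')
    }
}

function Get-PkinitLogons {
    # Reads recent 4768 (TGT requested) events and flags those that used PKINIT.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        $preAuth = 0
        [int]::TryParse([string]$d['PreAuthType'], [ref]$preAuth) | Out-Null
        New-Object PSObject -Property @{
            Time        = $_.TimeCreated
            User        = $d['TargetUserName']
            ClientIp    = $d['IpAddress']
            PreAuthType = $preAuth
            UsedPkinit  = ($PkinitPreAuthTypes -contains $preAuth)
            CertIssuer  = $d['CertIssuerName']
        }
      }
}

# Usage:
#   Test-KdcCertificate
#   Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-ClientCertificate $_ }
#   Get-PkinitLogons | Where-Object { $_.UsedPkinit } |
#       Format-Table Time, User, ClientIp, CertIssuer -AutoSize
```

If `Test-KdcCertificate` returns nothing, the KDC side is the problem regardless of how the iOS certificates are set up; if it returns a certificate but `Get-PkinitLogons` shows only pre-authentication type 2 for the test user, the client is falling back to password pre-authentication and the client certificate or its UPN mapping is what to look at next.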