Kerberos Constrained Delegation and Protocol Transition in Smart Card PKI Architectures

Kerberos has long been considered to reside at the top of the network authentication protocol tree as the most secure, and most complex, authentication system. This comes not from the way in which Kerberos is designed, but rather from the complexity of the systems that have grown up around Kerberos that support identity management, especially when applied across organizational boundaries.

The introduction of smart cards as a means to address the inherent weaknesses in password-based identity management architectures has provided for stronger security in organizations adopting such tactics. But it also has introduced multiple challenges in scaling authentication infrastructure as well as technical issues involving the use of application delivery controllers.

This technical brief explains how F5 BIG-IP Local Traffic Manager with Advanced Client Authentication is a manageable solution to the problems of federating access to services across multiple domains as well as ensuring that smart card PKI access to services can be utilized regardless of the client’s choice of web-browser.

Read this brief to learn how F5 BIG-IP LTM with ACA in Kerberos protocol transition and constrained delegation architectures allows for a more scalable, efficient, and secure infrastructure capable of federating access to services across domains and authentication realms, ultimately decreasing the capital and operational expenditures required to keep applications secure, fast, and available.