Hello @MACVAD_SA ,
Thanks for reaching out.
Here are prerequisites for single sign-on with KCD:
Single sign-on for IWA (Integrated Windows Authentication) applications, make sure your environment is ready with the following settings and configurations:
- Your apps, like Web apps, are set to use Integrated Windows Authentication. For more
information, see Enable Support for Kerberos Authentication. - All your apps have Service Principal Names.
- The server running the Connector and the server running the app are domain joined and part of the
same domain or trusting domains. For more information on domain join, see Join a Computer to a
Domain. - The server running the Connector has access to read the TokenGroupsGlobalAndUniversal attribute
for users. This default setting might have been impacted by security hardening the environment.
- The server running the Connector and the server running the app are domain joined and part of the
For more information, read:
Kerberos Constrained Delegation for single sign-on (SSO) to your apps with Application Proxy
Troubleshoot Kerberos constrained delegation configurations for Application Proxy
Hope this helps
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.