Windows authentication - Kerberos constrained delegation with Microsoft Entra ID

Based on Service Principle Names, Kerberos Constrained Delegation (KCD) provides constrained delegation between resources. It requires domain administrators to create the delegations and is limited to a single domain. You can use resource-based KCD to provide Kerberos authentication for a web application that has users in multiple domains within an Active Directory forest.

Microsoft Entra application proxy can provide single sign-on (SSO) and remote access to KCD-based applications that require a Kerberos ticket for access and Kerberos Constrained Delegation (KCD).

To enable SSO to your on-premises KCD applications that use integrated Windows authentication (IWA), give Application Proxy connectors permission to impersonate users in Active Directory. The Application Proxy connector uses this permission to send and receive tokens on the users' behalf.

When to use KCD

Use KCD when there's a need to provide remote access, protect with pre-authentication, and provide SSO to on-premises IWA applications.

Diagram of architecture

Components of system

  • User: Accesses legacy application that Application Proxy serves.
  • Web browser: The component that the user interacts with to access the external URL of the application.
  • Microsoft Entra ID: Authenticates the user.
  • Application Proxy service: Acts as reverse proxy to send requests from the user to the on-premises application. It sits in Microsoft Entra ID. Application Proxy can enforce Conditional Access policies.
  • Application Proxy connector: Installed on Windows on premises servers to provide connectivity to the application. Returns the response to Microsoft Entra ID. Performs KCD negotiation with Active Directory, impersonating the user to get a Kerberos token to the application.
  • Active Directory: Sends the Kerberos token for the application to the Application Proxy connector.
  • Legacy applications: Applications that receive user requests from Application Proxy. The legacy applications return the response to the Application Proxy connector.

Implement Windows authentication (KCD) with Microsoft Entra ID

Explore the following resources to learn more about implementing Windows authentication (KCD) with Microsoft Entra ID.

Next steps