Use the Kerberos authentication protocol to verify the identity of a user or host. The authentication is based on tickets used as credentials, allowing communication and proving identity in a secure manner even over a non-secure network.
Configure API Gateway to act as both a Kerberos client and a Kerberos service.
Configure API Gateway as a Kerberos client to mediate the authentication of a non-Kerberos client application to a back-end service.
Configure API Gateway as a Kerberos service to mediate the authentication of a non-Kerberos client application to a back-end service.
Kerberos constrained delegation (KCD) enables API Gateway to act as a trusted Kerberos service principal, to acquire a Kerberos service ticket in the name of the requesting end user, and to authenticate to a constrained set of Kerberos back-end services as the end user.
A client application can authenticate to API Gateway using Kerberos by delegating its Kerberos credentials to API Gateway, which acts as an intermediary between a Kerberos client and Kerberos back-end services.
Use a KPS to store passwords and keep API Gateway in sync with Active Directory.
Use Wireshark to view the SPNEGO token data sent between a Kerberos client and service when the client authenticates to the service.