Acronis Access Advanced - Administrator's Guide User Manual


Copyright © Acronis International GmbH, 2002-2014

Because this is a complex setup, it is carried out in two phases to reduce errors and simplify
troubleshooting. The first phase establishes an AppTunnel that uses username/password
authentication to the Acronis Access server. Phase two builds on that infrastructure to add
Kerberos Constrained Delegation. It is highly recommended to verify that the tunnel works with
username/password authentication before moving on to Kerberos, so that fewer steps remain to
check when a problem occurs.

Before you begin

Kerberos Constrained Delegation, abbreviated KCD, allows users to authenticate to network
resources by Kerberos after their identity is established using a non-Kerberos authentication
method. In the case of Acronis Access, this allows users to authenticate using iOS device-level
identity certificates distributed by MobileIron. Without KCD, the Access app would only be able
to use a certificate installed directly into the app.

Note: All of the configuration related to KCD is done through MobileIron and Windows. There are no special
changes to make in Acronis Access itself.

Key Distribution Center, abbreviated KDC, is a network service that supplies session tickets and
temporary session keys to users and computers within an Active Directory domain.

Only the Gateway Server accepts Kerberos authentication. The Access Server does not.

The Access client app must be enrolled in client management with a Gateway Server. If the
client is enrolled with the Access Server, the login will fail.

Mobile clients using Kerberos authentication will only be able to authenticate to network
shares and SharePoint sites. They cannot use KCD to access Acronis Access Sync & Share
folders, since the Access service does not allow Kerberos authentication.

Prerequisites

The following software should already be installed and configured:

MobileIron VSP (5.9 used in this document)

For Kerberos to work properly the user accounts on the VSP should come from the Active
Directory that will be configured to support Kerberos

MobileIron Sentry (4.8 used in this document)

Access server installed (6.0.2 used in this document)

Server interoperability

The time on the VSP, Sentry, Domain Controller, and Access servers must all be synchronized
(NTP recommended)

Domain name resolution (DNS). The Sentry will ask for a ticket from the KDC using the DNS
name it has been configured to contact. This name must match the computer name set up
for Kerberos delegation or the KDC will refuse to grant a ticket.

The VSP must be able to reach the Sentry (ports 9090 and 443 by default; other ports depending on
your configuration).

The Sentry must be able to reach the Active Directory and Access server (ports 88, 389, 636).

Ports 88 (UDP and TCP) and 389 (TCP) between Active Directory and Sentry (or port 636
(TCP) if you are using SSL-enabled Active Directory) need to be opened to allow
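The interoperability requirements above (default ports, LDAP vs. LDAP over SSL, and the rule that the DNS name the Sentry contacts must match the name set up for delegation) can be turned into a preflight check. The script below is an added example, not part of the Acronis guide or of any MobileIron tooling. The port table is taken from the defaults listed above; the host names, the SPN and the example addresses are constructed placeholders, and the SPN form `service/host[:port]` is the standard Kerberos SPN layout rather than anything the guide states.

```python
"""Preflight checks for the Sentry / KDC / Access server requirements listed
above. Added example; not from the Acronis guide or MobileIron."""
import socket
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    source: str        # logical component, e.g. "VSP" or "Sentry"
    destination: str   # logical component that must be reachable
    port: int
    proto: str = "tcp"
    purpose: str = ""


def required_flows(ldap_over_ssl: bool) -> list[Flow]:
    """Network flows the guide lists as required, using its default ports."""
    flows = [
        Flow("VSP", "Sentry", 9090, "tcp", "VSP to Sentry (default port)"),
        Flow("VSP", "Sentry", 443, "tcp", "VSP to Sentry HTTPS (default port)"),
        Flow("Sentry", "Domain Controller", 88, "tcp", "Kerberos"),
        Flow("Sentry", "Domain Controller", 88, "udp", "Kerberos"),
    ]
    if ldap_over_ssl:
        flows.append(Flow("Sentry", "Domain Controller", 636, "tcp", "LDAP over SSL"))
    else:
        flows.append(Flow("Sentry", "Domain Controller", 389, "tcp", "LDAP"))
    return flows


def spn_host_matches(configured_dns_name: str, delegation_spn: str) -> tuple[bool, str]:
    """Check that the DNS name the Sentry is configured to contact matches the
    host part of the delegation SPN (service/host[:port]). The KDC looks the
    SPN up literally, so a short name vs. FQDN difference is reported as a
    mismatch instead of being silently accepted."""
    if "/" not in delegation_spn:
        return False, "SPN must have the form service/host"
    host = delegation_spn.split("/", 1)[1].split(":", 1)[0].rstrip(".").lower()
    configured = configured_dns_name.rstrip(".").lower()
    if host == configured:
        return True, "configured name matches delegation SPN host"
    if host.split(".")[0] == configured.split(".")[0]:
        return False, (f"short name / FQDN mismatch: Sentry contacts '{configured}' "
                       f"but delegation is set up for '{host}'")
    return False, f"'{configured}' does not match delegation SPN host '{host}'"


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live TCP probe; unresolved names and refused/filtered ports all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows: list[Flow], addresses: dict[str, str],
                probe: Callable[[str, int], bool] = tcp_port_open) -> list[tuple[Flow, Optional[bool]]]:
    """Return (flow, result) pairs. UDP flows yield None, because a TCP connect
    cannot confirm them; verify UDP 88 with an actual Kerberos login test."""
    results: list[tuple[Flow, Optional[bool]]] = []
    for flow in flows:
        if flow.proto != "tcp":
            results.append((flow, None))
            continue
        results.append((flow, probe(addresses[flow.destination], flow.port)))
    return results


if __name__ == "__main__":
    # Constructed placeholder names; replace with the hosts in your environment.
    addresses = {"Sentry": "sentry.example.com", "Domain Controller": "dc01.example.com"}
    ok, why = spn_host_matches("access-gw.example.com", "HTTP/ACCESS-GW")
    print(f"[{'OK' if ok else 'FAIL'}] name check: {why}")
    for flow, result in check_flows(required_flows(ldap_over_ssl=False), addresses):
        state = "skipped (UDP)" if result is None else ("open" if result else "BLOCKED")
        print(f"{flow.source} -> {flow.destination} {flow.proto}/{flow.port} ({flow.purpose}): {state}")
```

Run it from a host that sits on the Sentry's network path; a `BLOCKED` line for port 88 or 389/636 points at the firewall, while a failed name check points at the delegation configuration rather than at connectivity.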
