K2 Pass-Through Authentication

When components are installed on separate servers, credentials must be passed between the services. This can be accomplished by setting up K2 Pass-Through Authentication, which is configured as part of the installation and configuration process of  K2. Any time where two or more hops are required for user authentication, K2 Pass-Through Authentication must be configured. 

K2 Pass-Through authentication is the default option when installing distributed configurations. Kerberos is a supported alternative.

What is K2 Pass-Through Authentication

K2 Pass-Through Authentication is a K2 proprietary authentication methodology specifically for authenticating users whose credentials need to be passed between machines that interact with the K2 APIs. This authentication model can be used as an alternative to Kerberos, but is not in any way intended to be a replacement for Kerberos.

K2 Pass-Through Authentication enables the removal of Kerberos dependencies and still allow a user’s credentials to be passed between machines in such a way that the user can be authenticated in a secure manner without compromising the integrity of the K2 Server Transactions and data.

Why use K2 Pass Through Authentication

K2 Pass-Through Authentication is intended as an out of the box means for K2 blackpoint and K2 blackpearl installations to be able to authenticate user requests. The K2 Pass-Through Authentication is available as a native feature of K2 blackpearl and K2 blackpoint; support for this feature will install with the KB001290 update. K2 Pass-Through can be implemented by various organizations depending on their requirements or internal skills availability. The list below is some of the reasons why an organization would use K2 Pass-Through Authentication.

• Limited Internal Organization Skills
• No access to Active Directory to make the required changes
• Business requirements that don’t warrant the need for a Kerberos implementation
  

K2 Pass-Through Authentication is not a Kerberos replacement, it is a Kerberos alternative which can be implemented for specific delegation requirements when an anonymous connection is made which results in Kerberos failure.