Kerberos

Microsoft Azure Active Directory is now Microsoft Entra ID

When components are installed on separate servers, credentials must be passed between the services. This can be accomplished by setting up Kerberos, which must be configured prior to installing Nintex Automation. Although changes can be made after the product is installed, you should attempt to configure Kerberos requirements prior to installing Nintex Automation. Any time where two or more hops are required for user authentication, Kerberos must be configured unless you have decided to use Pass-Through Authentication.

Kerberos is recommended for all configurations, machines and services in a distributed environment except for those that use OAuth (SharePoint and Azure Active Directory SmartObjects).

What is Kerberos?

Which authentication model should be implemented depends on whether user credentials must be passed from one system to another. When user credentials are passed, the system that is attempting to pass the credentials must be trusted for delegation. For this step to take place successfully, Kerberos delegation must be configured.

Basically, if a system needs to impersonate a user or if there are two or more hops between servers (commonly known as the 'double-hop issue'), Kerberos is required.

How can I tell if Kerberos is not configured properly?

Configuring Kerberos is an advanced task and should only be performed by an appropriately-trained person. The steps and configurations given in this help file are to be used as a guide. Your system may require additional configuration due to different hardware and software compatibilities.

The need for Kerberos configuration may only become evident once the following errors are detected. These errors appear as soon as one of the servers attempts to pass credentials.

  • NT AUTHORITY/ANONYMOUS LOGON
  • 401 - Access Denied
Kerberos is configured as part of the installation, some configuration happens once the components are installed.
Neither Microsoft nor Nintex developed the Kerberos standard. The MIT standard has been implemented in the Windows platform and Nintex Automation relies on the implementation to successfully pass credentials between servers.

Current information on Kerberos authentication and Nintex Automationservers is available in this Help collection and via Nintex KB articles.

Additional Resources for Kerberos

Kerberos Protocol Transition and Constrained Delegation:
https://msdn.microsoft.com/en-us/library/ff650469.aspx

Knowledge Base Articles on Kerberos:
Configuring Kerberos for Nintex Automation environment

While infrastructure changes are required by Nintex Automation, each environment is different and has its peculiarities which must be taken into account. Modifying the infrastructure could have unforeseen results if the changes are not appropriately understood or managed. Given the broad spectrum of underlying infrastructure utilized, it is recommended that a panel or committee with appropriate skill in each area concerned be assembled to outline the underlying infrastructure changes and gauge the impact of the required changes prior to installing the product.