Hi John, this makes zero sense to me.
"Kerberos" and "certificate" don't belong in the same proximity. I've never heard of a Kerberos Certificate.
Honestly, what you're describing sounds like X.509 authentication. This is pretty common with mobile device management (MDM) providers wanting to distribute certs to mobile devices. This way you can do authentication without prompting the users.
Was there any other background information that the team gave?
Yeah, I'd already implemented X.509 certificate handling when they told me that would not do.
And, it all sounds too strange to me, but I'm not a Kerberos expert and don't know enough to say whether this is apples and oranges.
Kerberos works whereby the client gets a ticket from the KDC (in this case Active Directory). The ticket is just encrypted information like username, groups, timestamp, and more that the client and the service (in this case MWG) can decrypt. The client passes this ticket along to the service for authentication and authorization. The MWG is able to decrypt the ticket using the keytab; this is what enables the MWG to have no connection to AD.
As this relates to you, since the clients don't have a connection to AD, Kerberos won't work -- this is common for mobile devices.
Did the team give a reason why X.509 authentication wouldn't work? Were you using the authentication server?
Perhaps a better solution might be to communicate with the network controller that authenticates the devices when they get on the network.
I finally got a full explanation of what was being asked for. The proxy side is just Kerberos starting with an AS-REQ. The certificate they were talking about is nothing more than the client authentication to the Kerberos KDC. So, there was never any expectation that a certificate was going to be passed to the proxy as part of the Kerberos protocol.
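The ticket flow described above (KDC issues a ticket readable only by the service, which validates it with its keytab and never talks back to AD) is easy to lose in the back-and-forth, so here is a small Python model of it. This is an added example, not code from the thread, from MWG, or from any real Kerberos implementation: the "encryption" is a constructed HMAC-based toy standing in for the real etype crypto, the principal names, the 8-hour lifetime and the 5-minute skew allowance are assumed values, and the client's own proof of identity in the AS exchange (the certificate step from the final post) is deliberately abstracted away. What it does show is why the service needs only its keytab key, and why a tampered ticket, a ticket sealed under the wrong key, or an expired ticket is rejected before any identity or group claim inside it is trusted.

```python
"""Toy model of the Kerberos ticket flow from the thread (added example)."""
import hashlib
import hmac
import json
import os
import time

# --- toy authenticated encryption: HMAC-SHA256 keystream, encrypt-then-MAC ---
# Constructed for illustration only; real Kerberos uses its own etypes.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    # Integrity is checked first: a wrong keytab key or any edit fails here.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket integrity check failed (wrong key or tampered)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# --- the three parties from the thread ---

class KDC:
    """Holds every principal's long-term key (the role AD plays)."""
    def __init__(self, principals: dict):
        self.keys = principals  # principal name -> long-term key (assumed names)

    def issue_ticket(self, client: str, service: str, groups: list, now=None) -> bytes:
        # The client's proof of identity (certificate in John's case) is assumed
        # to have already been checked; this toy only models ticket issuance.
        if client not in self.keys or service not in self.keys:
            raise KeyError("unknown principal")
        now = time.time() if now is None else now
        ticket = {"client": client, "groups": groups,
                  "authtime": now, "endtime": now + 8 * 3600}  # assumed lifetime
        # Sealed under the SERVICE's key: only the holder of that keytab can read it.
        return seal(self.keys[service], json.dumps(ticket).encode())

class Service:
    """The MWG side: owns only its keytab key, no connection to the KDC."""
    def __init__(self, keytab_key: bytes, max_skew: float = 300.0):
        self.key = keytab_key
        self.max_skew = max_skew  # assumed 5-minute clock-skew allowance

    def accept(self, ticket_blob: bytes, now=None) -> dict:
        now = time.time() if now is None else now
        ticket = json.loads(unseal(self.key, ticket_blob))
        if ticket["endtime"] < now:
            raise ValueError("ticket expired")
        if ticket["authtime"] > now + self.max_skew:
            raise ValueError("ticket authtime is in the future (clock skew)")
        return ticket  # only now are the username/groups claims trusted

def _outcome(fn):
    """Return the accepted ticket, or the rejection reason as a string."""
    try:
        return fn()
    except ValueError as exc:
        return str(exc)

def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the flow once and exercise the failure modes; constructed data."""
    svc_key = os.urandom(32)
    kdc = KDC({"alice@EXAMPLE.COM": os.urandom(32), "HTTP/proxy.example.com": svc_key})
    proxy = Service(svc_key)
    ticket = kdc.issue_ticket("alice@EXAMPLE.COM", "HTTP/proxy.example.com",
                              ["proxy-users"], now=now)
    tampered = bytearray(ticket)
    tampered[20] ^= 0x01  # flip one bit inside the ciphertext
    return {
        "valid": _outcome(lambda: proxy.accept(ticket, now=now + 60)),
        "wrong_key": _outcome(lambda: Service(os.urandom(32)).accept(ticket, now=now + 60)),
        "tampered": _outcome(lambda: proxy.accept(bytes(tampered), now=now + 60)),
        "expired": _outcome(lambda: proxy.accept(ticket, now=now + 9 * 3600)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

Note that the service never contacts the KDC in `accept`; that is the property the thread relies on, and it is also why the keytab key must be protected like the password of the service account it represents.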