API Management versions 7.5.X and 7.6.X reached end of support in November 2020.

API Gateway as a Kerberos client

If a non-Kerberos client application must connect to a back-end service requiring Kerberos authentication, API Gateway can act as a Kerberos client and mediate the authentication.

  • Client application: Does not support Kerberos authentication.
  • Back-end service: Requires Kerberos authentication, but not the end user's credential.
  • API Gateway: Acts as a Kerberos client and authenticates to the back-end service as itself.

The client application can only authenticate using some non-Kerberos authentication mechanism. The back-end service requires Kerberos authentication, but does not need to authenticate the real user associated with the client application. API Gateway sits between the client application and back-end service, and authenticates the client using a non-Kerberos authentication mechanism. The back-end service authenticates API Gateway as the Kerberos client, and trusts that API Gateway has authenticated the real user.

Example flow of API Gateway acting as a Kerberos client when the end-user application does not support the Kerberos authentication that the back-end service requires.


Before you start configuration, you must have API Gateway installed on any machine with access to the Windows Domain Controller. The machine does not have to be a Windows machine that is part of the Windows Domain.

Configuration process

The configuration process has the following steps:

  1. Configure a user account in Active Directory
  2. Configure Kerberos principals
  3. Configure API Gateway policy

Example names

In this example, the Kerberos client ClientGateway connects to an existing back-end service. You can use the example names, or replace them with names of your own.

The example Kerberos realm name AXWAY.COM is specific to the examples in this guide. Replace the example realm name with your own realm name.
