API Management versions 7.5.X and 7.6.X have reached end of support in November 2020.
Check out the latest version of the documentation.

Demo setup: API Gateway as both Kerberos client and service

For demonstration purposes, or to test configuring Kerberos authentication, you can configure API Gateway to act both as Kerberos client (DemoClient) and Kerberos service (DemoService). This configuration is not suitable for production environment.

This is the most straight-forward setup to get started with Kerberos authentication in API Gateway. You configure API Gateway to act as a Kerberos client and authenticate to API Gateway that acts as a Kerberos service.

You can do this configuration using a single API Gateway instance, or two API Gateway instances in different groups. The example in this guide uses a single API Gateway instance.

The Kerberos client and service principals do not use selectors, so the same client principal (DemoClient@AXWAY.COM) always authenticates to the same service principal (DemoService@AXWAY.COM).


Before you start configuration, you must have API Gateway installed on any machine with access to the Windows Domain Controller. The machine does not have to be a Windows machine that is part of the Windows Domain.

Configuration process

The configuration process has the following steps:

  1. Configure Active Directory
  2. Configure Kerberos principals
  3. Configure API Gateway to act as the Kerberos client
  4. Configure API Gateway to act as the Kerberos service

Example names

In this example, the Kerberos client DemoClient@AXWAY.COM connects to the Kerberos service DemoService@AXWAY.COM. You can use the example names, or replace them with names of your own.

The example Kerberos realm name AXWAY.COM is specific to the examples in this guide. Replace the example realm name with your own realm name.

Related Links