API Management versions 7.5.X and 7.6.X reached end of support in November 2020.

API Gateway as a Kerberos service

If the back-end service requires non-Kerberos authentication, but the client application supports only Kerberos authentication, API Gateway can act as a Kerberos service and mediate the authentication to the back-end service.

  • Client application: Supports Kerberos authentication.
  • Back-end service: Requires non-Kerberos authentication (for example, OAuth or SAML).
  • API Gateway: Acts as a Kerberos service that authenticates the client application, then authenticates to the back-end service.

A Kerberos client app, such as a standard browser, authenticates to API Gateway using Kerberos authentication. API Gateway then authenticates to the back-end service using a non-Kerberos authentication mechanism.

Figure: Example flow of API Gateway acting as a Kerberos service when the end-user application supports Kerberos authentication, but the back-end service does not.


Before you start configuration, you must have API Gateway installed on any machine with access to the Windows Domain Controller. The machine does not have to be a Windows machine that is part of the Windows Domain.

Configuration process

The configuration process for API Gateway has the following steps:

  1. Configure a user account in Active Directory
  2. Configure Kerberos principal
  3. Configure API Gateway policy

The most common client application in this scenario is a browser, so this example focuses on that. For instructions on how to configure your browser, see Configure your browser to authenticate to API Gateway.

The connection between the client application and API Gateway acting as the Kerberos service is unsecured by default. For security reasons, it is recommended to enable an SSL/TLS connection in the Kerberos service. SSL/TLS is configured in the SSL port on the Kerberos service, but you must also configure your browser separately to use an SSL/TLS connection. For more details, see Configure browser authentication over SSL/TLS.
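To check the SSL/TLS recommendation above against captured requests, the following added example (not part of the original documentation and not Axway code) flags Negotiate tokens sent without TLS. It also reports tokens that are NTLM rather than Kerberos, which goes beyond the text. The ports, path and token bodies are constructed sample values; only the host name comes from this guide.

```python
import base64
from urllib.parse import urlsplit

# DER-encoded mechanism OIDs that follow the GSS-API 0x60 tag and length.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def token_kind(b64_token):
    """Classify the blob carried in an 'Authorization: Negotiate' header."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "invalid"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"  # client did not obtain a Kerberos ticket
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        return "spnego"
    if raw[:1] == b"\x60" and KRB5_OID in raw[:16]:
        return "kerberos"
    return "unknown"


def audit(requests):
    """Return (url, finding) pairs for requests that need attention."""
    findings = []
    for url, headers in requests:
        auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "negotiate":
            continue
        kind = token_kind(token.strip())
        if urlsplit(url).scheme != "https":
            findings.append((url, "negotiate token sent without TLS"))
        if kind not in ("spnego", "kerberos"):
            findings.append((url, "token is not Kerberos: " + kind))
    return findings


# Constructed sample data: token bodies are zero padding, not real tickets.
SPNEGO_TOKEN = base64.b64encode(b"\x60\x82\x01\x00" + SPNEGO_OID + bytes(8)).decode()
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE = [
    ("http://gateway.axway.com:8080/api", {"Authorization": "Negotiate " + SPNEGO_TOKEN}),
    ("https://gateway.axway.com:8443/api", {"Authorization": "Negotiate " + SPNEGO_TOKEN}),
    ("https://gateway.axway.com:8443/api", {"Authorization": "Negotiate " + NTLM_TOKEN}),
]
if __name__ == "__main__":
    for url, finding in audit(SAMPLE):
        print(url, "->", finding)
```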

Example names

In this example, a client application supporting Kerberos connects to the Kerberos service ServiceGateway running on the host machine gateway.axway.com, which connects to an existing back-end service. You can use the example names, or replace them with names of your own.

The example Kerberos realm name AXWAY.COM is specific to the examples in this guide. Replace the example realm name with your own realm name.
