Datawiza
November 28, 2025 | Blog, Industry

Modernizing Kerberos Applications with Microsoft Entra ID Using Kerberos Constrained Delegation


Introduction

Many organizations still depend on business-critical applications that authenticate users with Kerberos through Integrated Windows Authentication (IWA). These systems were built for domain-joined devices on an internal network with line of sight to on-prem Active Directory, not for cloud identity, MFA, or remote access.

At the same time, Microsoft Entra ID is rapidly becoming the primary identity provider, and security teams need MFA, Conditional Access, risk-based access, and Zero Trust policies applied consistently across all applications.

This creates a gap:

The application requires Kerberos, but the organization requires Entra ID and MFA.

Rewriting or replacing these Kerberos-based applications can take months or years, slowing down modernization efforts. Datawiza solves this with a lightweight, drop-in approach.

Bridging Kerberos Apps with Entra ID Using Kerberos Constrained Delegation

Datawiza Access Proxy acts as a bridge between Entra ID and Kerberos-based applications by combining:

  • SAML/OIDC authentication with Entra ID
  • Kerberos Constrained Delegation (KCD) to the backend application

This allows users to authenticate with Entra ID and MFA, while the application continues receiving a Kerberos service ticket—just as it expects.

No code changes. No rewrites. No replacements.

How It Works

1. User accesses the legacy Kerberos application

Traffic is routed to Datawiza Access Proxy instead of directly to the app.

2. Datawiza redirects the user to Entra ID

Datawiza is registered as a SAML or OIDC application in Entra ID and sends unauthenticated users there to sign in.

3. User completes login, MFA, and Conditional Access

Entra ID enforces strong authentication and Zero Trust policies.

4. Datawiza obtains a Kerberos ticket using KCD

Once Entra ID has asserted the user's identity, the proxy's AD service account uses the Kerberos S4U extensions on the user's behalf. S4U2Self obtains a service ticket to the proxy itself for that user without the user's password; this requires the account to be trusted for protocol transition ("Use any authentication protocol"). S4U2Proxy then exchanges that ticket for a service ticket to the backend's SPN, which must be listed in the account's msDS-AllowedToDelegateTo attribute. The identity asserted by Entra ID must map to an on-prem AD account (a hybrid identity); a cloud-only Entra user has no AD principal for S4U2Self to target.

5. Datawiza sends the Kerberos ticket to the backend

The proxy forwards the request with the service ticket in an HTTP Negotiate (SPNEGO) Authorization header, so the application sees a regular Kerberos-authenticated request.

6. The application continues working unchanged

The ticket's PAC carries the user's AD group membership, so existing AD authorization models (groups, roles) continue to function as-is. Note that authorization inside the app is still driven by AD groups, not by Entra ID groups.
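The directory-side setup that steps 4 through 6 depend on, written out as an added PowerShell example. This is not Datawiza's own configuration script; the account names (svc-kcd-proxy for the proxy's delegation account, svc-intranet for the backend app-pool account) and the SPNs for intranet.corp.example.com are assumptions. It registers the backend SPNs, scopes the proxy account to exactly those SPNs, enables protocol transition, and checks that unconstrained delegation was not enabled by mistake.

```powershell
# Added example, not Datawiza's own configuration script.
# Assumed names: proxy delegation account "svc-kcd-proxy", backend app-pool
# account "svc-intranet", backend SPNs for https://intranet.corp.example.com.
# Requires the RSAT ActiveDirectory module and rights to edit both accounts.
Import-Module ActiveDirectory

$ProxyAccount   = 'svc-kcd-proxy'
$BackendAccount = 'svc-intranet'
$BackendSpns    = @('HTTP/intranet.corp.example.com', 'HTTP/intranet01')

$backend = Get-ADUser -Identity $BackendAccount -Properties servicePrincipalName

# 1. The backend account must own the SPNs the proxy will request tickets for.
#    A missing SPN makes the S4U2Proxy request fail, and a duplicate SPN on
#    another account makes the KDC answer KDC_ERR_S_PRINCIPAL_UNKNOWN.
foreach ($spn in $BackendSpns) {
    $owners  = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $foreign = $owners | Where-Object { $_.DistinguishedName -ne $backend.DistinguishedName }
    if ($foreign) {
        throw "SPN $spn is also registered on $($foreign.DistinguishedName -join '; '); duplicate SPNs break Kerberos."
    }
    if ($backend.servicePrincipalName -notcontains $spn) {
        Set-ADUser -Identity $BackendAccount -ServicePrincipalNames @{ Add = $spn }
    }
}

# 2. Scope the proxy account to exactly those SPNs (msDS-AllowedToDelegateTo)
#    and enable protocol transition. Protocol transition is what allows S4U2Self
#    for a user who authenticated to Entra ID instead of presenting a Kerberos
#    ticket to the proxy; without it S4U2Self returns a non-forwardable ticket
#    and the following S4U2Proxy request fails.
Set-ADUser -Identity $ProxyAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $BackendSpns }
Set-ADAccountControl -Identity $ProxyAccount -TrustedToAuthForDelegation $true

# 3. Verify. TrustedForDelegation must remain $false: that bit is unconstrained
#    delegation, which KCD never needs and which would let the account
#    impersonate any connecting user to any service in the forest.
$acct = Get-ADUser -Identity $ProxyAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($acct.TrustedForDelegation) {
    throw "$ProxyAccount has unconstrained delegation enabled; remove it."
}
[pscustomobject]@{
    Account             = $acct.SamAccountName
    AllowedToDelegateTo = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
    ProtocolTransition  = $acct.TrustedToAuthForDelegation
}
```

Run it from a management host with the RSAT tools after the proxy's service account exists; the SPN check is deliberately strict because a duplicate SPN is the most common reason a KCD setup that looks correct still fails at the ticket request.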

Benefits

Add MFA and Conditional Access to Kerberos apps

Entra ID enforces strong authentication before Datawiza obtains a Kerberos ticket. The delegation account is then the credential that stands in for that MFA result: whoever controls it can obtain tickets for any delegatable user to the listed SPNs without a login, so treat it as a privileged account (dedicated to this purpose, long random password, delegation scoped to only the SPNs the proxy needs, and no interactive logon rights).

Support remote and non-domain-joined users

Because the proxy performs the Kerberos exchange, the client device no longer needs domain membership or network line of sight to a domain controller; the application can be published to remote and non-domain-joined users over HTTPS, with Entra ID policies deciding who gets in.

Avoid rewriting or replacing legacy systems

Applications remain stable and unchanged.

Reduce dependency on AD FS, VPN, and domain join

Modern authentication replaces legacy infrastructure requirements.

Accelerate migration to Entra-first identity

A safe modernization path without disrupting mission-critical applications.
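The benefits above rest on the delegation account staying under control, so an operator will want to audit what that account (and any other account with the same rights) could impersonate. The following is an added PowerShell example, not part of Datawiza's product or documentation; group and account names are illustrative and the RSAT ActiveDirectory module is assumed. It lists every account with protocol transition and its targets, flags unconstrained delegation outside domain controllers, and warns about Domain Admins who are not shielded from S4U.

```powershell
# Added example, not part of Datawiza's product or documentation.
# Audits the delegation exposure a KCD proxy account introduces.
# Assumes the RSAT ActiveDirectory module; names are illustrative.
Import-Module ActiveDirectory

$UAC_TRUSTED_FOR_DELEGATION    = 0x80000    # unconstrained delegation
$UAC_TRUSTED_TO_AUTH_FOR_DELEG = 0x1000000  # protocol transition ("use any authentication protocol")
$bitMatch = '1.2.840.113556.1.4.803'        # LDAP bitwise-AND matching rule OID

# 1. Every account with protocol transition can mint a service ticket for any
#    delegatable user to the SPNs it lists, without that user ever logging in.
#    This list should contain only the proxy accounts you know about.
Get-ADObject -LDAPFilter "(userAccountControl:${bitMatch}:=$UAC_TRUSTED_TO_AUTH_FOR_DELEG)" `
    -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, @{ n = 'Targets'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 2. Unconstrained delegation should not exist outside domain controllers.
Get-ADObject -LDAPFilter "(userAccountControl:${bitMatch}:=$UAC_TRUSTED_FOR_DELEGATION)" |
    Where-Object { $_.DistinguishedName -notlike '*,OU=Domain Controllers,*' } |
    Select-Object Name, DistinguishedName

# 3. Privileged accounts should be out of reach of S4U. The "account is
#    sensitive and cannot be delegated" flag (userAccountControl 0x100000) or
#    Protected Users membership makes the S4U2Self ticket non-forwardable, so
#    S4U2Proxy to the backend fails for them even if the proxy account is compromised.
$protectedUsersDn = (Get-ADGroup -Identity 'Protected Users').DistinguishedName
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated, MemberOf
foreach ($u in $privileged) {
    $shielded = $u.AccountNotDelegated -or ($u.MemberOf -contains $protectedUsersDn)
    if (-not $shielded) {
        Write-Warning ("{0} can be impersonated through KCD; run: Set-ADAccountControl -Identity {0} -AccountNotDelegated `$true" -f $u.SamAccountName)
    }
}
```

Step 3 is worth extending to whatever your own tiering model treats as privileged (server admins, service accounts with AdminSDHolder protection); the point is that a constrained-delegation proxy can reach every user the KDC is willing to issue a forwardable ticket for, and the NOT_DELEGATED flag is the per-account opt-out.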

Where This Helps Most

Datawiza + Entra ID + KCD is ideal for:

  • Internal IIS/.NET applications
  • On-prem SharePoint
  • Custom intranet portals that depend on Windows Authentication
  • SAP NetWeaver / SAP Portal with Kerberos
  • Internal dashboards and reporting tools

If the application accepts Kerberos service tickets (typically over HTTP Negotiate) and its users have on-prem AD accounts, Datawiza can front it. Before onboarding an app, confirm that its SPN is registered on exactly one account, that it authenticates the user from the ticket rather than requiring NTLM or a client certificate, and that the identity Entra ID asserts maps to a synced AD account.

Conclusion

Datawiza enables organizations to adopt Entra ID, MFA, and Conditional Access while maintaining full compatibility with Kerberos-based applications. Entra ID handles modern identity; Datawiza handles Kerberos Constrained Delegation; and the application continues working exactly as before.

This dramatically accelerates Entra ID adoption and reduces modernization risk—without touching application code.
