Modernizing Kerberos Applications with Microsoft Entra ID Using Kerberos Constrained Delegation

Introduction
Many organizations still rely on critical applications that use Kerberos and Windows Integrated Authentication. These systems were built for a world of domain-joined devices, internal networks, and on-prem Active Directory—not cloud identity, MFA, or remote access.
At the same time, Microsoft Entra ID is rapidly becoming the primary identity provider, and security teams need MFA, Conditional Access, risk-based access, and Zero Trust policies applied consistently across all applications.
This creates a gap:
The application requires Kerberos, but the organization requires Entra ID and MFA.
Rewriting or replacing these Kerberos-based applications can take months or years, slowing down modernization efforts. Datawiza solves this with a lightweight, drop-in approach.
Bridging Kerberos Apps with Entra ID Using Kerberos Constrained Delegation
Datawiza Access Proxy acts as a bridge between Entra ID and Kerberos-based applications by combining:
- SAML/OIDC authentication with Entra ID
- Kerberos Constrained Delegation (KCD) to the backend application
This allows users to authenticate with Entra ID and MFA, while the application continues receiving a Kerberos service ticket—just as it expects.
No code changes. No rewrites. No replacements.
How It Works

1. User accesses the legacy Kerberos application
Traffic is routed to Datawiza Access Proxy instead of directly to the app.
2. Datawiza redirects the user to Entra ID
Datawiza registers as a SAML/OIDC application in Entra ID.
3. User completes login, MFA, and Conditional Access
Entra ID enforces strong authentication and Zero Trust policies.
4. Datawiza obtains a Kerberos ticket using KCD
The proxy's AD service account first uses S4U2Self to obtain a service ticket for the user to itself (no user password or TGT is involved, since the user authenticated to Entra ID), then uses S4U2Proxy to obtain a service ticket to the backend application on the user's behalf. The account is only permitted to do this for the specific backend SPNs it has been constrained to.
5. Datawiza sends the Kerberos ticket to the backend
The app sees a regular Kerberos-authenticated request.
6. The application continues working unchanged
Existing AD authorization models (groups, roles) continue to function as-is.
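The KCD step above only works if the proxy's AD service account is set up for constrained delegation with protocol transition. The following PowerShell is an added example written for this page (it is not Datawiza's own code or documentation) showing the AD-side configuration a flow like this requires, plus a verification function a defender can run to confirm the account is constrained to the expected backend SPNs rather than trusted for unconstrained delegation. All names are assumptions: the service account `svc-accessproxy`, the IIS app-pool account `CORP\svc-apppool`, and the backend SPNs for `app01.corp.example`.

```powershell
# Added example (not Datawiza's code): AD prerequisites for Kerberos Constrained
# Delegation with protocol transition (S4U2Self + S4U2Proxy), plus a check.
# Assumed names: service account 'svc-accessproxy', app-pool account
# 'CORP\svc-apppool', backend SPNs for 'app01.corp.example'.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-accessproxy'                           # proxy's AD account (assumed)
$BackendSpns    = @('HTTP/app01.corp.example', 'HTTP/app01')  # backend app SPNs (assumed)

# 1. The backend SPN must be registered on the account the IIS app pool runs as,
#    otherwise the KDC cannot issue a service ticket for it. -S refuses duplicates.
setspn -S HTTP/app01.corp.example CORP\svc-apppool

# 2. Protocol transition: the proxy never holds the user's TGT (the user signed in
#    to Entra ID), so it must be allowed to call S4U2Self. This sets the
#    TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl.
Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $true

# 3. Constrain delegation to exactly the backend SPNs (msDS-AllowedToDelegateTo).
#    Do not enable unconstrained delegation (TrustedForDelegation) on this account.
Set-ADUser -Identity $ServiceAccount -Replace @{'msDS-AllowedToDelegateTo' = $BackendSpns}

# 4. Restrict the account's tickets to AES (24 = 0x18 = AES128 + AES256), no RC4.
Set-ADUser -Identity $ServiceAccount -Replace @{'msDS-SupportedEncryptionTypes' = 24}

# 5. Verification: the account must be constrained (not unconstrained), have
#    protocol transition enabled, and list only the expected delegation targets.
function Test-KcdConfiguration {
    param([string]$Identity, [string[]]$ExpectedSpns)
    $acct = Get-ADUser -Identity $Identity -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $allowed    = @($acct.'msDS-AllowedToDelegateTo')
    $unexpected = @($allowed | Where-Object { $_ -notin $ExpectedSpns })
    [pscustomobject]@{
        Account                 = $Identity
        UnconstrainedDelegation = [bool]$acct.TrustedForDelegation       # must be False
        ProtocolTransition      = [bool]$acct.TrustedToAuthForDelegation # must be True
        AllowedToDelegateTo     = $allowed
        UnexpectedTargets       = $unexpected                            # must be empty
        Ok = (-not $acct.TrustedForDelegation) -and
             [bool]$acct.TrustedToAuthForDelegation -and
             ($unexpected.Count -eq 0)
    }
}

Test-KcdConfiguration -Identity $ServiceAccount -ExpectedSpns $BackendSpns | Format-List

# 6. Domain-wide audit: every account allowed to perform protocol transition can
#    impersonate users to its delegation targets, so the list should be short and
#    known. 16777216 = 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
    -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, ObjectClass, 'msDS-AllowedToDelegateTo'
```

Run steps 1 to 4 once as a domain administrator when the proxy is deployed; step 5 is the check to keep in a periodic configuration review, and step 6 is the inventory that tells you which accounts in the domain hold this capability at all. The design choice that matters for least privilege is step 3: the S4U2Proxy request will only succeed for SPNs in `msDS-AllowedToDelegateTo`, so keeping that list to the actual backend SPNs bounds what the proxy's account can do with a user's identity.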
Benefits
Add MFA and Conditional Access to Kerberos apps
Entra ID enforces strong authentication before Datawiza obtains a Kerberos ticket.
Support remote and non-domain-joined users
Kerberos apps become accessible from anywhere, securely.
Avoid rewriting or replacing legacy systems
Applications remain stable and unchanged.
Reduce dependency on AD FS, VPN, and domain join
Modern authentication replaces legacy infrastructure requirements.
Accelerate migration to Entra-first identity
A safe modernization path without disrupting mission-critical applications.
Where This Helps Most
Datawiza + Entra ID + KCD is ideal for:
- Internal IIS/.NET applications
- On-prem SharePoint
- Custom intranet portals that depend on Windows Authentication
- SAP NetWeaver / SAP Portal with Kerberos
- Internal dashboards and reporting tools
If the application uses Kerberos, Datawiza can modernize it.
Conclusion
Datawiza enables organizations to adopt Entra ID, MFA, and Conditional Access while maintaining full compatibility with Kerberos-based applications. Entra ID handles modern identity; Datawiza handles Kerberos Constrained Delegation; and the application continues working exactly as before.
This dramatically accelerates Entra ID adoption and reduces modernization risk—without touching application code.