Modernizing Kerberos-Based Applications with SAML or OIDC Using Kerberos Constrained Delegation

Kerberos Still Powers Critical Enterprise Applications
Despite the rapid shift toward cloud identity, Kerberos remains deeply embedded inside Fortune 500 and large enterprise environments.
It continues to power authentication for:
- Internal IIS/.NET line-of-business applications
- Windows Integrated Authentication (IWA) portals
- SharePoint on-premises
- Custom internal web apps tied to Active Directory
- SAP NetWeaver / SAP Portal configured with SPNEGO
These systems were built for a world where:
- Users were on internal, trusted networks
- Devices were domain-joined
- Authentication relied on Kerberos tickets issued by Active Directory
But today’s identity strategy looks very different:
- Microsoft Entra ID, Okta, and Ping are becoming the primary identity providers
- MFA is required for regulatory compliance (NYDFS, PCI DSS 4.0, CMMC, DORA, SOX)
- Users work remotely, often from non-domain-joined devices
- Organizations are adopting Zero Trust and Conditional Access policies
This creates a modernization bottleneck:
“Our apps depend on Kerberos, but our enterprise needs SAML/OIDC + MFA.”
Rewriting or replacing these critical applications is risky, expensive, and often not feasible.
Datawiza Access Proxy: Bridging Modern Identity with Kerberos Using Constrained Delegation
Datawiza Access Proxy provides a drop-in modernization layer that connects cloud identity with Kerberos-only applications — without touching application code.
This is done through Kerberos Constrained Delegation (KCD).
With Datawiza, you get:
- Users authenticated by SAML/OIDC (Entra ID, Okta, Ping)
- Full support for MFA, Conditional Access, device compliance
- Backend apps continuing to use Kerberos authentication as-is
- Zero code changes
- Deployment in hours
Datawiza becomes the secure “translation layer” between the modern identity world and Kerberos-based legacy systems.
How It Works: SAML/OIDC Authentication plus KCD Ticket Delegation

Here is the exact sequence for Datawiza’s Kerberos modernization pattern:
1. User accesses the application
DNS routes the request to Datawiza Access Proxy rather than the backend server.
2. Datawiza initiates SAML/OIDC authentication
Datawiza is configured as:
- a SAML Service Provider, or
- an OIDC client
Users are redirected to Entra ID, Okta, or Ping for login.
3. User completes MFA and Conditional Access
The identity provider enforces:
- MFA
- Risk-based sign-in
- Device posture policies
- Step-up authentication
4. IdP issues a SAML/OIDC token to Datawiza
Datawiza validates the token and extracts the user identity.
5. Datawiza performs Kerberos Constrained Delegation
Using S4U2Self and S4U2Proxy:
- Datawiza’s AD service account first obtains a Kerberos ticket on behalf of the user (S4U2Self, also called protocol transition, because the user never authenticated to AD with Kerberos), then exchanges it for a ticket to the backend (S4U2Proxy)
- The resulting ticket is valid only for the backend app’s Kerberos SPN, which must be listed in the service account’s allowed delegation targets
6. Datawiza presents the Kerberos service ticket to the legacy app
The backend app sees a standard Negotiate (Kerberos) request — exactly what it expects.
7. The application continues working with no changes
Authorization continues using existing:
- AD group membership
- Kerberos identity
- Role-based access control
The app never needs to support SAML, OIDC, or MFA.
Why Kerberos Constrained Delegation Is the Right Modernization Path
✅ No modifications to legacy code
The backend remains untouched, relying on the same Kerberos logic it was built with.
✅ Full access to modern cloud identity
Users authenticate through:
- Entra ID
- Okta
- Ping
- Cisco Duo
- Or others
using SAML/OIDC and MFA.
✅ Zero Trust + Conditional Access for legacy apps
Datawiza enables:
- Device trust
- IP/location restrictions
- Risk scoring
- Step-up MFA
- Browser session controls
✅ Works for remote and hybrid workers
Domain-join is no longer required. VPN dependence is reduced or removed.
✅ Supports gradual AD to Cloud Identity migration
KCD allows AD and cloud identity to coexist while apps continue working.
Applications That Benefit Most from Datawiza + KCD
Particularly strong fits include:
- Internal IIS/.NET apps using Windows Authentication
- On-prem SharePoint
- Custom intranet portals built on AD
- SAP NetWeaver / Portal with SPNEGO
- Internal dashboards and reporting tools tied to AD
For applications that do not use Kerberos (Oracle EBS, PeopleSoft, JDE), Datawiza supports alternate methods (headers, form SSO, JWT injection, etc.).
Security Benefits for Enterprises
✔️ MFA everywhere
Even apps that never supported MFA now benefit from modern strong authentication.
✔️ Reduced attack surface
Unlike unconstrained delegation, KCD limits the proxy’s service account to obtaining delegated tickets only for the specific backend SPNs configured on it.
✔️ Cloud identity visibility
Every login is logged by Entra/Okta/Ping — including legacy app access.
✔️ Compliance-ready
Meets NYDFS, PCI DSS 4.0, FFIEC, CMMC, SOX, DORA MFA requirements.
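The delegation step described in “How It Works” and the “Reduced attack surface” point above both come down to how the proxy’s AD service account is configured. The following PowerShell is an added example, not Datawiza’s own setup script or documentation: it assumes the proxy runs under a placeholder service account `svc-accessproxy`, that the legacy app’s SPN is the placeholder `HTTP/legacyapp.corp.example`, and that the ActiveDirectory RSAT module is available on the admin workstation. It configures constrained delegation with protocol transition for exactly one target SPN, verifies the result, and audits the domain for accounts that still hold the far riskier unconstrained delegation flag.

```powershell
# Added example (not Datawiza's configuration). Account and SPN names are placeholders.
Import-Module ActiveDirectory

$ProxyAccount = 'svc-accessproxy'              # placeholder: AD account the proxy runs as
$BackendSpn   = 'HTTP/legacyapp.corp.example'  # placeholder: SPN of the Kerberos-only app

# 1. The backend SPN must already be registered on the identity the app runs as
#    (e.g. the IIS app pool account). setspn -Q lists where it is registered;
#    a duplicate registration breaks Kerberos silently, so check before proceeding.
setspn -Q $BackendSpn

# 2. Constrain delegation: the proxy may request tickets for this SPN only.
#    msDS-AllowedToDelegateTo is multi-valued; -Add appends without clobbering.
Set-ADUser -Identity $ProxyAccount -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }

# 3. Enable protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION). S4U2Self needs it
#    because the user arrived over SAML/OIDC and never authenticated to AD with Kerberos.
Set-ADAccountControl -Identity $ProxyAccount -TrustedToAuthForDelegation $true

# 4. Explicitly ensure unconstrained delegation (TRUSTED_FOR_DELEGATION) is OFF.
#    With it on, the account could impersonate users to any service in the forest.
Set-ADAccountControl -Identity $ProxyAccount -TrustedForDelegation $false

# 5. Verify the final state of the service account.
Get-ADUser -Identity $ProxyAccount -Properties msDS-AllowedToDelegateTo,
    TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedForDelegation,
        TrustedToAuthForDelegation, msDS-AllowedToDelegateTo

# 6. Audit: list every user or computer with unconstrained delegation enabled.
#    The matching-rule OID performs a bitwise AND on userAccountControl;
#    0x80000 (524288) is TRUSTED_FOR_DELEGATION.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties samAccountName |
    Select-Object samAccountName, DistinguishedName
```

Two caveats a practitioner will want alongside this. First, protocol transition lets the proxy account mint tickets for any user it names, so that account’s credentials deserve the same protection as a tier-0 asset: a long random password or group-managed service account, and login restricted to the proxy hosts. Second, privileged accounts should be marked “Account is sensitive and cannot be delegated” or placed in the Protected Users group; S4U2Proxy cannot obtain a forwardable ticket for such accounts, which is the intended outcome for admins who should never reach legacy apps through a delegating proxy.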
Business Impact: Modern Identity in Days, Not Years
Datawiza eliminates the need to:
- Rewrite authentication logic
- Replace stable legacy applications
- Create custom SAML/OIDC integrations
- Maintain parallel identity stacks
This allows enterprises to modernize at the speed the business demands.
Conclusion: Datawiza Unlocks the Future of Identity for Kerberos Applications
Kerberos-based applications may be old, but they’re still mission-critical.
With Datawiza Access Proxy and KCD, enterprises can:
- Add SAML/OIDC and MFA to legacy apps
- Adopt Entra ID, Okta, and Ping without rewriting code
- Apply Zero Trust policies to Kerberos systems
- Support remote users and hybrid environments
- Modernize identity in days instead of years
Datawiza enables modern identity for legacy applications — safely, quickly, and without disruption.
Ready to modernize your Kerberos-based applications?
👉 Book a demo: https://www.datawiza.com/demo
👉 Contact us: contact@datawiza.com