
Kerberos SSO Connector: On-Premise Active Directory Integration

1. Introduction

The Flowace Kerberos SSO Connector is a lightweight service that runs inside your own network. It creates a secure, audited bridge between your Active Directory (AD) domain, your domain-joined employee machines, and the Flowace cloud, with no credential material ever leaving your infrastructure.

This document helps IT and security leaders understand what on-premises AD integration is, who it's a good fit for, how it works at a high level, and what a typical adoption looks like. A detailed deployment guide is provided to customers who decide to proceed.


2. Who Should Consider This

On-premises AD integration suits organisations of any size that run their own Active Directory. It is the right choice for customers who:

  • Require that Active Directory credentials and keytab material never leave their network perimeter.
  • Operate under compliance frameworks, whether global (SOC 2, ISO 27001, HIPAA) or regional (RBI, DPDP), that mandate on-premises identity handling.
  • Want silent, Kerberos-based sign-in on domain-joined Windows machines, with no passwords and no additional MFA prompts for Flowace.
  • Prefer outbound-only integrations and do not want to open inbound firewall ports for a SaaS vendor.
  • Have an existing on-premises or hybrid AD deployment and at least one person who can install and run a Windows service.


Note: If you use a cloud-only identity provider (Entra ID, Okta, Google Workspace), refer to the Flowace Cloud SSO guide or contact support@flowace.ai for the appropriate next steps.


3. How It Works

The connector is a small service installed on a domain-joined Windows Server inside your network. Employee machines authenticate to the connector using standard Kerberos (the same mechanism used by Windows, IIS, and file shares). The connector validates the Kerberos service ticket against a keytab that you issue, signs a short-lived identity payload with a private key that never leaves your server, and forwards only that signed identity to the Flowace cloud.


Key security properties

  • The connector runs entirely within your network perimeter.
  • No credential material (keytab or private key) ever leaves your infrastructure.
  • The connector only makes outbound HTTPS calls to Flowace. No inbound firewall rules are required.
  • Each resource (service account, keytab, private key, configuration) is isolated so a compromise of one component does not affect the others.
  • The service account used in AD requires no elevated privileges once it is created.


4. What Flowace Provides vs. What You Provide


Deployment is a shared activity. The split of responsibilities is as follows:

Flowace provides:

  • The connector software and configuration files, issued at deployment time.
  • A Kerberos configuration tailored to your realm and service principal.
  • A reverse-proxy configuration for the connector endpoint.
  • A step-by-step deployment guide and engineering support during the rollout.
  • Ongoing support, updates, and guidance.

You provide:

  • A domain-joined Windows Server 2016 or later (2019/2022 recommended).
  • An AD service account with a non-expiring password, interactive logon disabled, and hardened per your organisation’s service account policy (no elevated privileges required).
  • SPN registration for the connector hostname and a Kerberos keytab generated from your AD. AES256 encryption is required; RC4 is not supported.
  • Network reachability from the server to your KDC, and installation of the supporting runtime on the server.
  • Operational ownership of the Windows Server after handover.
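The keytab you generate is what the connector validates service tickets against, and it must carry an AES256 key and no RC4 key. As an added check written for this article (not part of the Flowace connector), the Python below parses the standard MIT version 2 keytab format and reports a missing entry for the connector's service principal, a missing AES256 key, or any RC4 key; the principal name, key bytes and timestamp in the sample are constructed placeholders.

```python
import struct
AES256_ENCTYPES = {18, 19}   # aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192
RC4_ENCTYPE = 23             # rc4-hmac, which the connector does not accept

def _counted(data, pos):     # uint16 length-prefixed string at pos -> (text, new_pos)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_keytab(data):      # MIT keytab (version 0x0502, big-endian) -> list of entry dicts
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)    # a negative size marks a deleted slot
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            names, pos = [], pos + 2
            for _ in range(ncomp + 1):             # realm first, then the principal components
                name, pos = _counted(data, pos)
                names.append(name)
            _name_type, _timestamp, vno = struct.unpack_from(">IIB", data, pos)
            enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
            pos += 13 + keylen                     # skip the key bytes; not needed for the check
            if end - pos >= 4:                     # optional 32-bit kvno supersedes the 8-bit one
                vno = struct.unpack_from(">I", data, pos)[0] or vno
            entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": vno, "enctype": enctype})
        pos = end
    return entries

def check_keytab(data, expected_principal):    # returns [] when the keytab is acceptable
    entries = parse_keytab(data)
    problems = []
    if not any(e["principal"] == expected_principal for e in entries):
        problems.append("no entry for " + expected_principal)
    if not any(e["enctype"] in AES256_ENCTYPES for e in entries):
        problems.append("no AES256 key present")
    return problems + ["RC4 key for " + e["principal"] for e in entries if e["enctype"] == RC4_ENCTYPE]

def build_entry(principal, kvno, enctype, key):  # serialises one entry; used only to build the sample
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBHH", 1, 1700000000, kvno, enctype, len(key)) + key  # NT_PRINCIPAL, time, vno8
    return struct.pack(">i", len(body)) + body

# Constructed sample: a placeholder connector principal with an AES256 key and a leftover RC4 key.
SAMPLE_PRINCIPAL = "HTTP/connector.corp.example@CORP.EXAMPLE"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SAMPLE_PRINCIPAL, 3, 18, b"\x11" * 32) + build_entry(SAMPLE_PRINCIPAL, 3, 23, b"\x22" * 16)
```

Run check_keytab on the bytes of the real keytab file with the SPN you registered; any returned string is a reason to regenerate the keytab before the deployment session.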


5. Getting Started

A typical engagement spans a few business days from initial call to handover. The process is the same for small IT teams and large enterprise environments and runs through the phases below:

  1. Initial discussion: a 30-minute call with your IT and security teams to confirm that on-premises AD integration is the right fit and to walk through the responsibility split above.
  2. Prerequisites phase: your team provisions the Windows Server, creates the AD service account, registers the SPN, and generates the keytab. This typically takes a few business days, depending on your internal approval process.
  3. Deployment session: a joint working session (usually 2 to 3 hours) in which the Flowace engineering team walks your administrator through the full deployment.
  4. Verification and handover: end-to-end tests from a domain-joined employee machine, followed by monitoring guidance and a runbook handover.


Next step

Contact support@flowace.ai or your Flowace account manager to schedule the initial discussion and receive the detailed deployment guide. Please mention you are interested in On-Premises AD Integration so we can route you to the right team members.

© Flowace Technologies Pvt Ltd | flowace.ai

Updated on: 27/04/2026
