Example

Airlock IAM authenticates the user and, after successful authentication, sets through the Control API the Kerberos user that Airlock Gateway propagates to the back-end server.

The following example helps to explain which Kerberos user is propagated to the back-end.

Airlock Gateway internal logic to choose the Kerberos user

  • The most qualified Kerberos user is used. This means that a Kerberos user set for a specific Mapping is preferred over one set without a Mapping.

Airlock Gateway configuration

The following configuration is active on Airlock Gateway.

Mapping Name         Back-end Group (Active Directory domain)
Exchange_2016_OWA    int.virtinc.com
Exchange_2019_OWA    int.virtinc.com
Web_application      airlock.academy

Kerberos users set through Control API

The following Kerberos users are set by Airlock IAM through the Control API.

Username   Windows Domain     Mapping Name
UserA      int.virtinc.com    (none)
UserB      int.virtinc.com    Exchange_2019_OWA
Admin      airlock.academy    Web_application

The following users would be propagated to the back-end server:

  • For Mapping Exchange_2016_OWA: UserA@int.virtinc.com will be propagated, because it is the most qualified Kerberos user (no Mapping-specific user exists for this Mapping).
  • For Mapping Exchange_2019_OWA: UserB@int.virtinc.com will be propagated. The Mapping-specific Kerberos user is the most qualified.
  • For Mapping Web_application: Admin@airlock.academy will be propagated. The Mapping-specific Kerberos user is the most qualified.

This setup is only possible with a Cross-domain setup, since the propagated Kerberos users belong to two different Active Directory domains.
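The selection rule above, worked through as an added example (not Airlock code). It models the two tables as constructed data and assumes, as a defensive check that the documentation does not define, that two equally qualified candidates for one Mapping are an error rather than a silent choice.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class KerberosUser:
    username: str
    domain: str
    mapping: Optional[str] = None   # None: set without a specific Mapping

# Constructed sample data mirroring the two tables above.
MAPPINGS = {
    "Exchange_2016_OWA": "int.virtinc.com",
    "Exchange_2019_OWA": "int.virtinc.com",
    "Web_application": "airlock.academy",
}
KERBEROS_USERS = [
    KerberosUser("UserA", "int.virtinc.com"),
    KerberosUser("UserB", "int.virtinc.com", "Exchange_2019_OWA"),
    KerberosUser("Admin", "airlock.academy", "Web_application"),
]

def select_kerberos_user(mapping_name, users):
    """Return 'user@domain' of the most qualified Kerberos user, or None."""
    specific = [u for u in users if u.mapping == mapping_name]
    generic = [u for u in users if u.mapping is None]
    candidates = specific or generic          # Mapping-specific wins
    if not candidates:
        return None
    if len(candidates) > 1:                   # assumption: treat ties as a config error
        raise ValueError(f"ambiguous Kerberos user for Mapping {mapping_name}")
    u = candidates[0]
    return f"{u.username}@{u.domain}"

def propagated_users(mappings, users):
    """Mapping name -> Kerberos principal that would reach the back-end."""
    return {name: select_kerberos_user(name, users) for name in mappings}

def requires_cross_domain(mappings, users):
    """Assumption: a Cross-domain setup is needed once the propagated
    users span more than one Active Directory domain."""
    domains = {p.split("@")[1] for p in propagated_users(mappings, users).values() if p}
    return len(domains) > 1

if __name__ == "__main__":
    for name, principal in propagated_users(MAPPINGS, KERBEROS_USERS).items():
        print(f"{name}: {principal}")
    print("cross-domain required:", requires_cross_domain(MAPPINGS, KERBEROS_USERS))
```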

Airlock Gateway can do KCD with a Single domain setup or a Cross-domain setup.