KB - Network analysis for Back-side Kerberos SSO

Affects product

  • Airlock Gateway

Question or problem

Although everything seems to be configured correctly, Back-side Kerberos SSO does not work. A deeper analysis of the network traffic is required to see which packets are sent and received by Airlock Gateway.

Procedure-related prerequisites

  • You need to be logged in as root on the Airlock Gateway console.

Instruction

  • Test preparation:
    1. Record a tcpdump on Airlock Gateway containing the following traffic:
       - Kerberos (port 88) from and to the Active Directory domain controllers.
       - HTTP and HTTPS from and to the back-end server.

       The Techzone article (Ergon) Techzone - Tcpdump describes how to record a tcpdump on Airlock Gateway.

       Ensure that Airlock Gateway is also configured to write the TLS session keys to an SSL key log file, so that the SSL/TLS traffic to the back-end can be decrypted later on. Otherwise, an analysis might be impossible.

  • Test execution and verification:
    1. Open the recorded tcpdump in Wireshark.
    2. Configure Wireshark to use the SSL key log file to decrypt the traffic.
    3. Verify the following:
       - The HTTP request sent to the back-end contains a Kerberos ticket (Authorization: Negotiate header) for the correct SPN, i.e. the SPN registered for the back-end service.
       - The HTTP request sent to the back-end contains the correct Host header.
       - There are no obvious Kerberos problems in the tcpdump, such as KRB-ERROR messages from the domain controller.
       - Search the Airlock Gateway logs for suspicious log entries and match them to the corresponding packets in the tcpdump using the WR-SG-CONNTRACE log message.
  • Expected result: the verification steps above were successful.
  • In case of failure:
    Kerberos error messages with the error code KRB5KRB_ERR_GENERIC in the tcpdump could indicate a time synchronization problem between Airlock Gateway and the domain controllers.
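To make the SPN and Host header check from the verification step mechanical, for example when many back-end requests were captured, the following Python script decodes the Authorization: Negotiate header of a decrypted back-end request and reads the realm and service principal name from the cleartext part of the Kerberos ticket inside the SPNEGO token. It is added here as an illustration and is not part of Airlock Gateway or of this article. The request, the realm EXAMPLE.COM, the SPN HTTP/app.example.com and the host app.example.com are constructed sample values, and the encrypted parts of the ticket are dummy bytes; to check real traffic, paste the header value of a captured request (Wireshark, Follow TLS Stream) into check_backend_request.

```python
import base64
import re
from typing import Optional

# Minimal DER helpers. Kerberos (RFC 4120), GSS-API (RFC 2743) and SPNEGO
# (RFC 4178) tokens are all DER, so a tag/length/value walker is sufficient.

def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a single-byte tag (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body


def der_walk(buf: bytes):
    """Yield (tag, value) for each TLV in buf; raises on malformed input."""
    offset = 0
    while offset < len(buf):
        tag, first = buf[offset], buf[offset + 1]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags do not occur in Kerberos DER")
        if first & 0x80:
            n = first & 0x7F
            length = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
            start = offset + 2 + n
        else:
            length, start = first, offset + 2
        if start + length > len(buf):
            raise ValueError("TLV length exceeds buffer")
        yield tag, buf[start:start + length]
        offset = start + length


def find_tag(buf: bytes, wanted: int) -> Optional[bytes]:
    """Depth-first search for the first TLV with tag `wanted`, descending into
    constructed TLVs and into OCTET STRINGs (the SPNEGO mechToken is an OCTET
    STRING whose content is itself the DER-encoded krb5 GSS-API token)."""
    try:
        for tag, value in der_walk(buf):
            if tag == wanted:
                return value
            if tag & 0x20 or tag == 0x04:
                found = find_tag(value, wanted)
                if found is not None:
                    return found
    except (ValueError, IndexError):
        pass  # not DER (e.g. ciphertext inside an OCTET STRING): skip it
    return None


def ticket_service(ticket_body: bytes) -> tuple:
    """Return (realm, 'service/host') from the cleartext [1] realm and [2] sname
    of a Ticket ([APPLICATION 1] SEQUENCE, RFC 4120 section 5.3)."""
    (_, seq), = der_walk(ticket_body)
    fields = dict(der_walk(seq))                      # context tags 0xA0..0xA3
    (_, realm), = der_walk(fields[0xA1])
    (_, principal), = der_walk(fields[0xA2])          # PrincipalName SEQUENCE
    (_, names), = der_walk(dict(der_walk(principal))[0xA1])
    return realm.decode("ascii"), "/".join(v.decode("ascii") for _, v in der_walk(names))


def check_backend_request(raw: bytes, expected_spn: str, expected_host: str) -> dict:
    """Check one decrypted back-end request as the procedure above does:
    the Host header and the SPN of the ticket in Authorization: Negotiate."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:              # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"host": headers.get("host"), "realm": None, "spn": None}
    result["host_ok"] = result["host"] == expected_host
    m = re.match(r"Negotiate\s+([A-Za-z0-9+/=]+)$", headers.get("authorization", ""))
    ticket = find_tag(base64.b64decode(m.group(1)), 0x61) if m else None
    if ticket is not None:
        result["realm"], result["spn"] = ticket_service(ticket)
    result["spn_ok"] = (result["spn"] or "").lower() == expected_spn.lower()
    return result


KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2

def build_sample_token(realm: str, spn: str) -> bytes:
    """Constructed test data (not a real capture): a SPNEGO NegTokenInit carrying a
    krb5 AP-REQ whose ticket is issued for `spn`. Encrypted parts are dummy
    bytes; only the cleartext realm/sname matter for this check."""
    ctx = lambda n, body: der(0xA0 | n, body)         # [n] context-specific tag
    kstr = lambda s: der(0x1B, s.encode("ascii"))     # KerberosString
    integer = lambda v: der(0x02, bytes([v]))
    enc = der(0x30, ctx(0, integer(18)) + ctx(2, der(0x04, b"\xaa" * 16)))
    sname = der(0x30, ctx(0, integer(2)) +            # name-type NT-SRV-INST
                ctx(1, der(0x30, b"".join(kstr(p) for p in spn.split("/")))))
    ticket = der(0x61, der(0x30, ctx(0, integer(5)) + ctx(1, kstr(realm))
                           + ctx(2, sname) + ctx(3, enc)))
    ap_req = der(0x6E, der(0x30, ctx(0, integer(5)) + ctx(1, integer(14))
                           + ctx(2, der(0x03, bytes(5))) + ctx(3, ticket) + ctx(4, enc)))
    krb_token = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + ap_req)  # TOK_ID AP-REQ
    neg_init = der(0x30, ctx(0, der(0x30, der(0x06, KRB5_OID))) + ctx(2, der(0x04, krb_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + ctx(0, neg_init))


def sample_request(realm: str, spn: str, host: str) -> bytes:
    """Constructed request in the shape Airlock Gateway sends to the back-end."""
    token = base64.b64encode(build_sample_token(realm, spn)).decode("ascii")
    return (f"GET /app/ HTTP/1.1\r\nHost: {host}\r\n"
            f"Authorization: Negotiate {token}\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    good = sample_request("EXAMPLE.COM", "HTTP/app.example.com", "app.example.com")
    print(check_backend_request(good, "HTTP/app.example.com", "app.example.com"))
    # Ticket for the short host name while the Host header uses the FQDN:
    bad = sample_request("EXAMPLE.COM", "HTTP/app", "app.example.com")
    print(check_backend_request(bad, "HTTP/app.example.com", "app.example.com"))
```

The second call in the main block shows the typical failure mode: the ticket was issued for a different service principal than the one the back-end expects, even though the Host header looks right. In Wireshark the same fields can be inspected with the display filters http.host, http.authorization and, for the decoded SPNEGO token, kerberos.SNameString; the KRB-ERROR messages mentioned above can be listed with kerberos.error_code.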