Affects product
- ●Airlock Gateway
Question or problem
Although everything seems to be configured correctly, Back-side Kerberos SSO does not work. A deeper analysis of the network traffic is required to see which packets Airlock Gateway actually sends to and receives from the domain controllers and the back-end server.
Procedure-related prerequisites
- ●You need to be logged in as root on the Airlock Gateway console.
Instruction
- Test preparation:
- 1.Record a tcpdump on Airlock Gateway containing the following traffic:
- -Kerberos (port 88) from and to the Active Directory domain controllers.
- -HTTP and HTTPS from and to the back-end server.
The Techzone article (Ergon) Techzone - Tcpdump describes how to record a tcpdump on Airlock Gateway.
Ensure that Airlock Gateway is also configured to write the TLS session keys to an SSL key log file while recording, so that the HTTPS traffic can be decrypted later in Wireshark. Without the keys, the decrypted HTTPS request to the back-end (and with it the Kerberos ticket and the host header) cannot be inspected, and an analysis might be impossible.
- Test execution and verification:
- 1.Open the recorded tcpdump in Wireshark.
- 2.Configure Wireshark to use the SSL key log file to decrypt the traffic (Edit > Preferences > Protocols > TLS > (Pre)-Master-Secret log filename; in older Wireshark versions the protocol is listed as SSL).
- 3.Verify the following:
- -The HTTP request sent to the back-end contains an Authorization: Negotiate header with a Kerberos ticket (AP-REQ) issued for the correct SPN, i.e. the service principal name the back-end expects (typically HTTP/<back-end host name>). The service name (sname) and realm of a ticket are sent in clear, so Wireshark shows them even though the rest of the ticket is encrypted.
- -The HTTP request sent to the back-end contains the correct host header.
- -There are no obvious Kerberos problems in the tcpdump: the exchanges with the domain controllers on port 88 (TGS-REQ/TGS-REP) complete without a KRB-ERROR response.
- -Search the Airlock Gateway log for suspicious entries and use the WR-SG-CONNTRACE log messages to match them to the corresponding packets in the tcpdump.
- Expected result: all verification steps above succeed.
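The two checks on the back-end request (ticket for the correct SPN, correct host header) can also be run as a script against the decrypted request bytes taken from Wireshark (for example from Follow > TLS Stream). The following Python is an added example and is not Airlock Gateway or Ergon code: it parses the Authorization: Negotiate token down to the Ticket's sname, which Kerberos sends in clear, and compares it with the expected SPN and Host header. The request, the realm EXAMPLE.COM, the host app.example.com and the SPN HTTP/app.example.com are constructed for the example; the token it builds carries dummy ciphertext so the parser can be exercised offline.

```python
import base64
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2 (Kerberos V5)
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2

def tlv(buf, i=0, want=None):
    """DER element at buf[i] -> (tag, value_start, value_end); single-byte tags only."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    if want is not None and tag != want:
        raise ValueError("expected tag 0x%02X, got 0x%02X" % (want, tag))
    return tag, i, i + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for every element between start and end."""
    while start < end:
        elem = tlv(buf, start)
        yield elem
        start = elem[2]

def fields(buf, i, want):
    """SEQUENCE at buf[i] (tag `want`, possibly an APPLICATION wrapper around the SEQUENCE)
    whose members carry EXPLICIT context tags: returns {n: offset of the element inside [n]}."""
    tag, vs, ve = tlv(buf, i, want)
    if tag != 0x30:                                # step into the APPLICATION wrapper
        tag, vs, ve = tlv(buf, vs, 0x30)
    return {t - 0xA0: s for t, s, _e in children(buf, vs, ve)}

def extract_ap_req(token):
    """Return the DER KRB_AP_REQ carried by a raw Kerberos GSS token or a SPNEGO NegTokenInit."""
    _t, vs, ve = tlv(token, 0, 0x60)               # InitialContextToken: mech OID + inner token
    _t, a, b = tlv(token, vs, 0x06)
    oid, inner = token[a:b], token[b:ve]
    if oid == SPNEGO_OID:                          # NegTokenInit [0] { mechTypes [0], ..., mechToken [2] }
        _t, a, b = tlv(inner, fields(inner, 0, 0xA0)[2], 0x04)
        return extract_ap_req(inner[a:b])          # mechToken is itself a Kerberos GSS token
    if oid != KRB5_OID:
        raise ValueError("unexpected mechanism OID " + oid.hex())
    if inner[:2] != b"\x01\x00":                   # TOK_ID of KRB_AP_REQ (RFC 4121)
        raise ValueError("not a KRB_AP_REQ token")
    return inner[2:]

def ticket_sname(ap_req):
    """(SPN, realm) from the clear-text part of the Ticket inside a KRB_AP_REQ."""
    ap = fields(ap_req, 0, 0x6E)                   # AP-REQ [APPLICATION 14]: ticket is [3]
    tk = fields(ap_req, ap[3], 0x61)               # Ticket [APPLICATION 1]: realm [1], sname [2], enc-part [3]
    _t, a, b = tlv(ap_req, tk[1], 0x1B)            # Realm is a KerberosString (GeneralString)
    realm = ap_req[a:b].decode("ascii")
    _t, ns, ne = tlv(ap_req, fields(ap_req, tk[2], 0x30)[1], 0x30)  # PrincipalName.name-string [1]
    components = [ap_req[a:b].decode("ascii") for _t, a, b in children(ap_req, ns, ne)]
    return "/".join(components), realm

def parse_http_request(raw):
    """Decrypted HTTP/1.1 request -> (request line, {lower-case header name: value})."""
    request_line, *lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    return request_line, {k.strip().lower(): v.strip() for k, _s, v in (l.partition(":") for l in lines)}

def verify_backend_request(raw, expected_host, expected_spn):
    """The two checks on the back-end request from the procedure; returns a list of findings (empty = OK)."""
    _line, headers = parse_http_request(raw)
    findings, host = [], headers.get("host")
    if host != expected_host:
        findings.append("Host header is %r, expected %r" % (host, expected_host))
    scheme, _s, b64 = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return findings + ["no Authorization: Negotiate header, so no Kerberos ticket was sent"]
    try:
        spn, realm = ticket_sname(extract_ap_req(base64.b64decode(b64)))
    except (ValueError, KeyError, IndexError) as exc:
        return findings + ["Negotiate token does not carry a Kerberos AP-REQ ticket: %r" % exc]
    if spn != expected_spn:
        findings.append("ticket is for SPN %s@%s, expected %s" % (spn, realm, expected_spn))
    return findings

# Constructed sample data (not from a real capture); a tiny DER encoder builds the token.
def der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def build_sample_token(realm, service, host):
    """SPNEGO token with a KRB_AP_REQ whose enc-part/authenticator are dummy bytes (sname is in clear)."""
    ctx = lambda n, body: der(0xA0 + n, body)                  # EXPLICIT context tag [n]
    gs = lambda s: der(0x1B, s.encode("ascii"))                 # KerberosString (GeneralString)
    integer = lambda v: der(0x02, bytes([v]))
    enc = lambda n: der(0x30, ctx(0, integer(18)) + ctx(2, der(0x04, bytes(n))))  # EncryptedData
    sname = der(0x30, ctx(0, integer(2)) + ctx(1, der(0x30, gs(service) + gs(host))))
    ticket = der(0x61, der(0x30, ctx(0, integer(5)) + ctx(1, gs(realm)) + ctx(2, sname) + ctx(3, enc(48))))
    ap_req = der(0x6E, der(0x30, ctx(0, integer(5)) + ctx(1, integer(14)) + ctx(2, der(0x03, b"\x00\x20\x00\x00\x00"))
                          + ctx(3, ticket) + ctx(4, enc(32))))
    krb5 = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + ap_req)
    neg = der(0x30, ctx(0, der(0x30, der(0x06, KRB5_OID))) + ctx(2, der(0x04, krb5)))
    return der(0x60, der(0x06, SPNEGO_OID) + ctx(0, neg))

SAMPLE_REQUEST = (b"GET /app/ HTTP/1.1\r\nHost: app.example.com\r\nAuthorization: Negotiate "
                  + base64.b64encode(build_sample_token("EXAMPLE.COM", "HTTP", "app.example.com"))
                  + b"\r\nConnection: close\r\n\r\n")

if __name__ == "__main__":
    print(verify_backend_request(SAMPLE_REQUEST, "app.example.com", "HTTP/app.example.com") or "OK")
```

On a real capture, compare the result with Wireshark's own Kerberos decoder (the sname field of the Ticket under the AP-REQ), which remains the authoritative view. The parser accepts raw Kerberos and SPNEGO-wrapped tokens only; an NTLM token in the Negotiate header is reported as a finding, which is itself a useful hint that no Kerberos ticket was obtained.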
- In case of failure:
- ●Kerberos messages with the error KRB5KRB_ERR_GENERIC in the tcpdump could indicate a time synchronization problem between Airlock Gateway and the domain controllers. Check that their clocks agree: Kerberos tolerates only a small clock skew (5 minutes by default).