KB - Verify the DNS configuration for Back-side Kerberos SSO

Affects product

  • Airlock Gateway

Question or problem

Airlock Gateway requests Kerberos tickets on behalf of a user from the Active Directory domain controllers. In a cross-domain setup, multiple domain controllers could be involved.

Airlock Gateway uses DNS requests to find the correct domain controller from which to request the Kerberos ticket. This requires that Airlock Gateway has a DNS server configured which can resolve the DNS SRV requests used to determine the appropriate Active Directory domain and domain controllers.

Procedure-related prerequisites

  • You need to be logged in as admin in the Airlock Gateway Configuration Center.

Instruction

  • Test preparation:
    1. Go to: System Setup >> Network Services.
  • Test execution and verification:
    1. Verify the following:
      • The configured DNS server resolves the DNS SRV requests.
      • Run the tool airlock-test-kerberos with the parameter -v and test with the involved user, system user and back-end. The output shows that the DNS requests could be resolved. An example of a successful response is shown below:

        Sending DNS SRV query for _kerberos._udp.INT.VIRTINC.COM.
        SRV answer: 0 100 88 "srv-dc1.int.virtinc.com."
        Sending DNS SRV query for _kerberos._tcp.INT.VIRTINC.COM.
        SRV answer: 0 100 88 "srv-dc1.int.virtinc.com."
        Resolving hostname srv-dc1.int.virtinc.com.
        Resolving hostname srv-dc1.int.virtinc.com.

    • The verification steps above were successful.
  • In case of failure:
    • Ensure that the configured DNS server can resolve the DNS SRV requests used to determine the appropriate Active Directory domain and domain controller.
    • Either configure another DNS server or ensure that the required DNS records are available in the DNS server.
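The check above can be scripted. The following is an added example, not part of this KB article or of Airlock's tooling: it parses the verbose output of airlock-test-kerberos as shown above, confirms that both SRV names for the realm (UDP and TCP) received an answer pointing at the Kerberos port 88, and that each KDC target was subsequently resolved. The success sample is constructed from the output lines above; the shape of a failed lookup (a query with no answer line) is an assumption.

```python
import re
# Constructed sample of a successful run, modelled on the output in this KB article.
SAMPLE_OK = """\
Sending DNS SRV query for _kerberos._udp.INT.VIRTINC.COM.
SRV answer: 0 100 88 "srv-dc1.int.virtinc.com."
Sending DNS SRV query for _kerberos._tcp.INT.VIRTINC.COM.
SRV answer: 0 100 88 "srv-dc1.int.virtinc.com."
Resolving hostname srv-dc1.int.virtinc.com.
Resolving hostname srv-dc1.int.virtinc.com.
"""
# Constructed failing run (assumed shape): the TCP SRV query gets no answer line.
SAMPLE_FAIL = "\n".join(SAMPLE_OK.splitlines()[i] for i in (0, 1, 2, 4))
QUERY_RE = re.compile(r'^Sending DNS SRV query for (\S+)$')
ANSWER_RE = re.compile(r'^SRV answer: (\d+) (\d+) (\d+) "([^"]+)"$')  # prio weight port target
RESOLVE_RE = re.compile(r'^Resolving hostname (\S+)$')

def expected_srv_names(realm):
    """The two SRV names (UDP and TCP) a KDC lookup for this realm must resolve."""
    realm = realm.rstrip('.').upper() + '.'
    return [f'_kerberos._udp.{realm}', f'_kerberos._tcp.{realm}']

def check_dns_output(text, realm):
    """Parse verbose tool output; return (ok, problems) for the realm's KDC lookup."""
    answers = {}      # SRV name -> list of (priority, weight, port, target)
    resolved = set()  # targets for which a 'Resolving hostname' line appeared
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := QUERY_RE.match(line):
            current = m.group(1)
            answers.setdefault(current, [])
        elif (m := ANSWER_RE.match(line)) and current is not None:
            prio, weight, port, target = m.groups()
            answers[current].append((int(prio), int(weight), int(port), target))
        elif m := RESOLVE_RE.match(line):
            resolved.add(m.group(1))
    problems = []
    for name in expected_srv_names(realm):
        recs = answers.get(name)
        if not recs:
            problems.append(f'no SRV answer for {name}')
            continue
        for _, _, port, target in recs:
            if port != 88:  # the Kerberos KDC port; anything else is a misconfiguration
                problems.append(f'{name} points to port {port}, not 88')
            if target not in resolved:
                problems.append(f'KDC {target} was never resolved to an address')
    return (not problems, problems)
```

Feed the captured output of airlock-test-kerberos -v to check_dns_output together with the realm; a non-empty problem list tells you which SRV record or host lookup the configured DNS server failed to answer.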

Further information and links