Affects product
- Airlock Gateway
Question or problem
Airlock Gateway requests Kerberos tickets on behalf of a user from the Active Directory domain controllers. In a cross-domain setup, multiple domain controllers could be involved.
Airlock Gateway uses DNS requests to determine the correct domain controller from which to request the Kerberos ticket. This requires that Airlock Gateway is configured with a DNS server that can resolve the DNS SRV requests used to determine the appropriate Active Directory domain and domain controllers.
Procedure-related prerequisites
- You need to be logged in as admin in the Airlock Gateway Configuration Center.
Instruction
- Test preparation:
- 1. Go to: System Setup >> Network Services.
- Test execution and verification:
- 1. Verify the following:
- The configured DNS server resolves the DNS SRV requests.
- Run the tool airlock-test-kerberos with the parameter -v and test with the involved user, system user and back-end. The output shows that the DNS requests could be resolved. An example of a successful response is shown below:
    Sending DNS SRV query for _kerberos._udp.INT.VIRTINC.COM.
    SRV answer: 0 100 88 "srv-dc1.int.virtinc.com."
    Sending DNS SRV query for _kerberos._tcp.INT.VIRTINC.COM.
    SRV answer: 0 100 88 "srv-dc1.int.virtinc.com."
    Resolving hostname srv-dc1.int.virtinc.com.
    Resolving hostname srv-dc1.int.virtinc.com.
- The verification steps above were successful.
- In case of failure:
- Ensure that the configured DNS server can resolve the DNS SRV requests to determine the appropriate Active Directory domain and domain controller.
- Either configure another DNS server or ensure that the required DNS records are available in the DNS server.
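The verification step above can be automated. The following is an added example, not part of the original page or of Airlock's tooling: a Python parser for the airlock-test-kerberos -v output that reports SRV queries without an answer and SRV targets that were never resolved. The function name, the failure sample and the assumption that a failed lookup prints no "SRV answer:" line are constructed here.

```python
import re

# Message patterns taken from the sample output shown on this page.
TOKEN = re.compile(
    r'Sending DNS SRV query for (?P<query>\S+)'
    r'|SRV answer: (?P<prio>\d+) (?P<weight>\d+) (?P<port>\d+) "(?P<target>[^"]+)"'
    r'|Resolving hostname (?P<host>\S+)'
)

def check_srv_output(text):
    """Parse verbose output; return (records, problems)."""
    records, resolved, problems = [], set(), []
    for m in TOKEN.finditer(text):
        if m.group("query"):
            records.append({"query": m.group("query"), "answers": []})
        elif m.group("target") and records:
            # Attach the answer to the most recent query.
            records[-1]["answers"].append((
                int(m.group("prio")), int(m.group("weight")),
                int(m.group("port")), m.group("target").lower()))
        elif m.group("host"):
            resolved.add(m.group("host").lower())
    if not records:
        problems.append("no DNS SRV queries found in output")
    for rec in records:
        if not rec["answers"]:
            # Assumption: a failed lookup prints no "SRV answer:" line.
            problems.append(f"no SRV answer for {rec['query']}")
        for *_, target in rec["answers"]:
            if target not in resolved:
                problems.append(f"{target} from {rec['query']} was never resolved")
    return records, problems

# Output copied from this page (works flattened or one message per line).
SAMPLE_OK = (
    'Sending DNS SRV query for _kerberos._udp.INT.VIRTINC.COM. '
    'SRV answer: 0 100 88 "srv-dc1.int.virtinc.com." '
    'Sending DNS SRV query for _kerberos._tcp.INT.VIRTINC.COM. '
    'SRV answer: 0 100 88 "srv-dc1.int.virtinc.com." '
    'Resolving hostname srv-dc1.int.virtinc.com. '
    'Resolving hostname srv-dc1.int.virtinc.com.'
)
# Constructed failure sample: the realm name is made up.
SAMPLE_FAIL = (
    'Sending DNS SRV query for _kerberos._udp.EXT.EXAMPLE.COM.\n'
    'Sending DNS SRV query for _kerberos._tcp.EXT.EXAMPLE.COM.\n'
)

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("fail", SAMPLE_FAIL)):
        print(name, check_srv_output(sample)[1] or "all SRV lookups answered and resolved")
```

In a cross-domain setup, an unanswered query names the realm whose SRV records the configured DNS server cannot provide.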