Requirements

This documentation has been tested and written for the following software releases and versions:

Requirements

Component
Requirement
Comments
Airlock Gateway
Version 7.3 or newer

Valid Airlock Gateway license with:
  • 2 or more free back-ends
  • Kerberos
None.
Airlock IAM
Version 7.2 or newer

Valid Airlock IAM license.
Active Directory
Functional level „Windows Server 2012“ or higher
Back-end
Windows Server 2012 or newer
The back-end web application must run on this operating system and be a member of the Active Directory Domain.

Medium – Although some functions might work with other Airlock Gateway, Airlock IAM, Airlock Microgateway, Airlock add-on modules and/or 3rd party software versions, it is highly recommended using the releases this documentation is based on.

Always install the latest bugfix release before proceeding.

Prerequisites

Component
Requirement
Comments
Active Directory Domain Controller
Domain administator permissions
Necessary for:
  • Create users
  • Grant user for Kerberos delegation
  • Configure Service Principal Name (SPN)
Back-end
Administrative permissions
Necessary for:
  • Enable Kerberos authentication
  • Configure application pool
Back-end
Supports Kerberos authentication
The Airlock Gateway propagates user's identity with Kerberos constrained delegation. This is done with the Kerberos Version 5 GSS-API (RFC 1964).
Therefore, the IIS web server must be configured for Kerberos authentication and support this protocol.
Network connection from
Airlock Gateway
to the Active Directory domain controllers:
  • UDP Port 88
  • TCP Port 88
to the back-end server:
  • HTTP/HTTPS to the listening port
For cross domain setups multiple domain controllers from different domains might be involved.
Time
synchronization
Time needs to be synchronized between:
  • Airlock Gateway
  • Airlock IAM
  • Active Directory domain controllers
  • Back-end server
Kerberos has strict time requirement. If the time is not synchronized within the configured time limits, authentication fails.