• Airlock Gateway

Although everything seems to be configured correctly, Back-side Kerberos SSO does not work. A deeper analysis of the network is required to see which packets are sent and received by Airlock Gateway.

• You need to be logged in as root on the Airlock Gateway console.

0. Test preparation:
1. Record a tcpdump on Airlock Gateway containing the following traffic:
• -Kerberos (port 88) from and to the Active Directory domain controllers.
• -HTTP and HTTPS from and to the back-end server.


The Techzone article (Ergon) Techzone - Tcpdump describes how to record a tcpdump on Airlock Gateway.

Ensure that Airlock Gateway is configured to record the SSL keys as well, in order to decrypt the SSL/TLS traffic later on. Otherwise, an analysis might be impossible.

0. Test execution and verification:
1. Open the recorded tcpdump in Wireshark.
2. Configure Wireshark to use the SSL key log file to decrypt the traffic.
3. Verify the following:
• -The HTTP request sent to the back-end contains a Kerberos ticket for the correct SPN.
• -The HTTP request sent to the back-end contains the correct host header.
• -There are no obvious Kerberos problems in the tcpdump.
• -Search in Airlock Gateway for suspicious log entries. Match them by using the WR-SG-CONNTRACE log message to the corresponding packets in the tcpdump.
4. The verification steps from the above were successful.

• In case of failure:
• Kerberos tickets with the error KRB5KRB_ERR_GENERIC are in the tcpdump could indicate a timing synchronization.

• (Ergon) Techzone - Tcpdump
• (Ergon) Techzone - Conntrace
• KB - Look for Kerberos log messages
• KB - Verify time synchronization