Requirements

This documentation has been tested and written for the following software releases and versions:

Requirements

Each entry lists the component, the requirement, and comments.

Airlock Gateway
  Requirement: Version 7.3 or newer. Valid Airlock Gateway license with:
    • 2 or more free back-ends
    • Kerberos
  Comments: None.

Airlock IAM
  Requirement: Version 7.2 or newer. Valid Airlock IAM license.

Active Directory
  Requirement: Functional level "Windows Server 2012" or higher.

Back-end
  Requirement: Windows Server 2012 or newer.
  Comments: The back-end web application must run on this operating system and the server must be a member of the Active Directory domain.

Although some functions might work with other versions of Airlock Gateway, Airlock IAM, Airlock Microgateway, Airlock add-on modules and/or 3rd-party software, we highly recommend using the releases this documentation is based on.

Always install the latest bugfix release before proceeding.

Prerequisites

Each entry lists the component, the requirement, and comments.

Active Directory Domain Controller
  Requirement: Domain administrator permissions.
  Comments: Necessary for:
    • Creating the service account used by Airlock Gateway
    • Allowing that account to use Kerberos constrained delegation
    • Configuring the Service Principal Name (SPN) of the back-end web application
Back-end
  Requirement: Administrative permissions.
  Comments: Necessary for:
    • Enabling Kerberos authentication on the web server
    • Configuring the application pool

Back-end
  Requirement: Supports Kerberos authentication.
  Comments: Airlock Gateway propagates the user's identity to the back-end with Kerberos constrained delegation. The service ticket is presented with the Kerberos Version 5 GSS-API mechanism (RFC 1964). Therefore, the IIS web server hosting the back-end application must be configured for Kerberos (Negotiate) authentication and support this mechanism.
Network connection from Airlock Gateway
  Requirement: to the Active Directory domain controllers:
    • UDP port 88 (Kerberos)
    • TCP port 88 (Kerberos)
  to the back-end server:
    • HTTP/HTTPS to the listening port of the back-end application
  Comments: In cross-domain setups, domain controllers of several domains may be involved, and the gateway must reach the domain controllers of each of them on these ports.

Time synchronization
  Requirement: Time needs to be synchronized between:
    • Airlock Gateway
    • Airlock IAM
    • Active Directory domain controllers
    • Back-end server
  Comments: Kerberos has strict time requirements: tickets and authenticators carry timestamps, and the KDC and the back-end reject requests whose timestamp lies outside the configured clock tolerance (5 minutes by default in Active Directory). If the clocks are not synchronized within that limit, authentication fails.
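
As an added example that is not part of the Airlock documentation, the following PowerShell function checks the network and time prerequisites above from a domain-joined Windows host such as the back-end server: it probes every KDC of the domain on TCP port 88, measures the clock offset against a domain controller, and confirms that the back-end SPN is registered exactly once and that a service ticket for it can be obtained. The domain and SPN are assumptions. Reachability of the domain controllers from Airlock Gateway itself must be checked on the gateway; a Windows host cannot prove the gateway's own path.

```powershell
# Added example, not from the Airlock documentation. Run on a domain-joined
# Windows host (e.g. the back-end server). Domain and SPN are assumptions.
function Test-KerberosPrerequisites {
    param(
        [string]$Domain         = 'corp.example.com',             # assumed AD DNS domain
        [string]$BackendSpn     = 'HTTP/app01.corp.example.com',  # assumed back-end SPN
        [int]   $MaxSkewSeconds = 300                             # AD default clock tolerance (5 min)
    )
    $result = [ordered]@{}

    # 1. Locate the KDCs via the _kerberos SRV record and probe TCP 88 on each.
    #    UDP 88 cannot be probed reliably with Test-NetConnection; a TCP success
    #    shows that the KDC is up and the path to it is open.
    $dcs = (Resolve-DnsName -Type SRV -Name "_kerberos._tcp.$Domain").NameTarget | Sort-Object -Unique
    foreach ($dc in $dcs) {
        $probe = Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue
        $result["kdc:$dc"] = $probe.TcpTestSucceeded
    }

    # 2. Clock offset against the first domain controller. With /dataonly, w32tm
    #    prints one sample per line as "12:00:01, +00.0123456s"; the signed offset
    #    in seconds is parsed from the last sample.
    $sample = w32tm /stripchart /computer:$($dcs[0]) /samples:3 /dataonly |
        Select-String -Pattern ',\s*([+-][\d.]+)s' | Select-Object -Last 1
    $skew = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
    $result['clockSkewSeconds'] = $skew
    $result['clockOk']          = $skew -lt $MaxSkewSeconds

    # 3. The back-end SPN must be registered exactly once. setspn -Q prints the
    #    distinguished name (starting with CN=) of every object carrying the SPN.
    $owners = setspn -Q $BackendSpn | Select-String -Pattern '^CN='
    $result['spnOwners']     = @($owners).Count
    $result['spnRegistered'] = (@($owners).Count -eq 1)

    # 4. This host can obtain a service ticket for the back-end SPN from the KDC.
    $ticket = klist get $BackendSpn 2>&1
    $result['serviceTicket'] = [bool]($ticket | Select-String -Quiet -Pattern "Server:\s*$([regex]::Escape($BackendSpn))")

    [pscustomobject]$result
}

Test-KerberosPrerequisites
```

A false spnRegistered with spnOwners greater than one means a duplicate SPN, which the KDC answers with KDC_ERR_S_PRINCIPAL_UNKNOWN or a ticket for the wrong account; fix that in Active Directory before touching the gateway configuration.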