KB - Network analysis for Back-side Kerberos SSO

Affects product

  • Airlock Gateway

Question or problem

Although everything seems to be configured correctly, Back-side Kerberos SSO does not work. A deeper analysis of the network is required to see which packets are sent and received by Airlock Gateway.

Procedure-related prerequisites

  • You need to be logged in as root on the Airlock Gateway console.


  1. Test preparation:
  2. Record a tcpdump on Airlock Gateway containing the following traffic:
    • -Kerberos (port 88) from and to the Active Directory domain controllers.
    • -HTTP and HTTPS from and to the back-end server.

    The article Network traffic tracing using tcpdump and TShark/Wireshark describes how to record a tcpdump on Airlock Gateway.

    Ensure that Airlock Gateway is configured to record the SSL keys as well, in order to decrypt the SSL/TLS traffic later on. Otherwise, an analysis might be impossible.

  1. Test execution and verification:
  2. Open the recorded tcpdump in Wireshark.
  3. Configure Wireshark to use the SSL key log file to decrypt the traffic.
  4. Verify the following:
    • -The HTTP request sent to the back-end contains a Kerberos ticket for the correct SPN.
    • -The HTTP request sent to the back-end contains the correct host header.
    • -There are no obvious Kerberos problems in the tcpdump.
    • -Search in Airlock Gateway for suspicious log entries. Match them by using the WR-SG-CONNTRACE log message to the corresponding packets in the tcpdump.
  5. The verification steps from the above were successful.
  • In case of failure:
  • Kerberos tickets with the error KRB5KRB_ERR_GENERIC are in the tcpdump could indicate a timing synchronization.

Outdated links or content?

In case of outdated links or bad content, please let us know by sending an email with a short description of your findings. Thank you very much!