Example

Airlock IAM authenticates the user and, after successful authentication, sets through the Control API the Kerberos user that Airlock Gateway propagates to the back-end server.

The following example helps to explain which Kerberos user is propagated to the back-end.

Airlock Gateway internal logic to choose the Kerberos user

  • The most qualified Kerberos user is used. This means that a Kerberos user set for a specific Mapping is preferred over a Kerberos user set without a Mapping.

Airlock Gateway configuration

The following configuration is active on Airlock Gateway.

Mapping Name         Back-end Group (Active Directory domain)
Exchange_2016_OWA    int.virtinc.com
Exchange_2019_OWA    int.virtinc.com
Web_application      airlock.academy

Kerberos users set through Control API

The following Kerberos users are set by Airlock IAM through Control API.

Username    Windows Domain     Mapping Name
UserA       int.virtinc.com    (no Mapping defined)
UserB       int.virtinc.com    Exchange_2019_OWA
Admin       airlock.academy    Web_application

The following users would be propagated to the back-end server:

  • For Mapping Exchange_2016_OWA: UserA@int.virtinc.com is propagated.
    No Kerberos user is set for this Mapping, so the Kerberos user set without a Mapping is the most qualified one.
  • For Mapping Exchange_2019_OWA: UserB@int.virtinc.com is propagated.
    The Mapping-specific Kerberos user is the most qualified one.
  • For Mapping Web_application: Admin@airlock.academy is propagated.
    The Mapping-specific Kerberos user is the most qualified one.
  • This setup is only possible with a Cross-domain setup, because two Active Directory domains (int.virtinc.com and airlock.academy) are involved.

Airlock Gateway supports KCD in a Single domain setup or in a Cross-domain setup.
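As an added illustration for this example (not Airlock Gateway code, and not the Control API itself, whose calls are not shown on this page), the following Python models the selection rule over the two tables above: a Kerberos user set for the requested Mapping wins, a user set without a Mapping is the fallback, and a Mapping with neither gets no user at all. It also derives whether the configuration needs a Cross-domain setup from the number of Active Directory domains involved. The type and function names are assumptions made for this example, and the sample data is constructed from the tables.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class KerberosUser:
    """One Kerberos user as set by Airlock IAM through the Control API.

    mapping_name is None when the user was set without a Mapping; such a
    user is the fallback for every Mapping that has no user of its own.
    (Hypothetical type for this example, not an Airlock API object.)
    """
    username: str
    windows_domain: str
    mapping_name: Optional[str] = None

    @property
    def upn(self) -> str:
        return f"{self.username}@{self.windows_domain}"


# Constructed sample data mirroring the two tables on this page.
# Mapping name -> Active Directory domain of its Back-end Group.
MAPPINGS: Dict[str, str] = {
    "Exchange_2016_OWA": "int.virtinc.com",
    "Exchange_2019_OWA": "int.virtinc.com",
    "Web_application": "airlock.academy",
}

# Kerberos users as set through the Control API.
CONTROL_API_USERS: List[KerberosUser] = [
    KerberosUser("UserA", "int.virtinc.com"),                      # no Mapping: fallback
    KerberosUser("UserB", "int.virtinc.com", "Exchange_2019_OWA"),
    KerberosUser("Admin", "airlock.academy", "Web_application"),
]


def select_kerberos_user(mapping_name: str,
                         users: Iterable[KerberosUser]) -> Optional[KerberosUser]:
    """Model of "the most qualified Kerberos user is used".

    A user set for exactly this Mapping wins over a user set without a
    Mapping. If neither exists, nothing can be propagated and None is
    returned. The page does not say what happens when several users are
    set at the same level; this model simply takes the first one.
    """
    users = list(users)
    for user in users:
        if user.mapping_name == mapping_name:
            return user
    for user in users:
        if user.mapping_name is None:
            return user
    return None


def propagated_users(mappings: Dict[str, str],
                     users: Iterable[KerberosUser]) -> Dict[str, Optional[str]]:
    """For every Mapping, the UPN that would be propagated (None if no user)."""
    users = list(users)
    result: Dict[str, Optional[str]] = {}
    for name in mappings:
        chosen = select_kerberos_user(name, users)
        result[name] = chosen.upn if chosen else None
    return result


def requires_cross_domain(mappings: Dict[str, str],
                          users: Iterable[KerberosUser]) -> bool:
    """True when more than one Active Directory domain is involved, i.e. the
    configuration needs a Cross-domain setup rather than a Single domain
    setup. This is a reading of the example on this page, not an Airlock
    Gateway API call."""
    domains = set(mappings.values()) | {u.windows_domain for u in users}
    return len(domains) > 1


if __name__ == "__main__":
    for mapping, upn in propagated_users(MAPPINGS, CONTROL_API_USERS).items():
        print(f"{mapping}: {upn}")
    print("Cross-domain setup required:",
          requires_cross_domain(MAPPINGS, CONTROL_API_USERS))
```

Running the block reproduces the three results listed above (UserA for Exchange_2016_OWA via the fallback, UserB and Admin via their Mapping-specific entries) and reports that a Cross-domain setup is required; removing the airlock.academy entries turns that into a Single domain configuration.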