Section – Credential Propagation

credential propagation

Section NTLM passthrough

Airlock Gateway is enabled to handle HTTP connections with transparent client to back-end NTLM authentication. Since the authorization of NTLM authenticated connections is bound to the underlying TCP connection, the client and back-end connections are correlated as soon as a NTLM handshake is detected. These one-to-one bindings of client and back-end connections exist until client connections are closed. It is guaranteed that no back-end connection authenticated using NTLM is ever reused by another client connection.

NTLM has well-known security flaws. We strongly recommend adding additional security measures when exposing NTLM authentication to the Internet. If possible, Kerberos should be preferred over NTLM, as suggested by Microsoft.

NTLM passthrough cannot be used in combination with "Front-side NTLM" Authentication flow

Remove NTLM header and Error Page Replacement of 401 responses must be disabled for this feature to work.

Due to the persistent one-to-one binding of client and back-end connections, memory usage may be increased substantially.

SSO credential propagation

Defines if SSO credentials set by the control API will be forwarded to the back-end application or not. These credentials are typically set by the authentication service upon successful authentication. The checkbox indicates if the SSO credentials are mandatory or optional.

  • None: Even if Basic-Auth or NTLM credentials set by the control API are present, Airlock Gateway will not forward them to the back-end application. Access to the mapping is granted without any SSO credentials.
  • Basic-Auth: If Basic-Auth credentials set by the control API are present, Airlock Gateway will forward them to the back-end application.
  • Kerberos: If a Kerberos user is set by the control API, Airlock Gateway will acquire and send a service ticket to the back-end application.
  • NTLM: If NTLM credentials set by the control API are present, Airlock Gateway will forward them to the back-end application.
  • Credential mandatory: If checked and the selected SSO credentials are missing, access to the mapping is denied and Airlock Gateway will redirect to either the global or the custom denied access URL.