Troubleshooting
KB - Verify the DNS configuration for Back-side Kerberos SSO
Affects product
- Airlock Gateway
Question or problem
Airlock Gateway requests Kerberos tickets on behalf of a user from the Active Directory domain controllers. In a cross-domain setup, multiple domain controllers could be involved.
Airlock Gateway uses DNS requests to determine the correct domain controller from which to request the Kerberos ticket. This requires that Airlock Gateway has a DNS server configured that can resolve the DNS SRV requests used to determine the appropriate Active Directory domain and domain controllers.
Procedure-related prerequisites
- You must be logged in as an admin in the Airlock Gateway Configuration Center.
Instruction
Test preparation:
- Go to: System Setup >> Network Services.
Test execution and verification:
- Verify the following:
- The configured DNS server resolves the DNS SRV requests.
- Run the tool airlock-test-kerberos with the parameter -v and test with the involved user, system user and back-end. The output shows that the DNS requests could be resolved. An example of a successful response is shown below:
    Sending DNS SRV query for _kerberos._udp.INT.VIRTINC.COM.
    SRV answer: 0 100 88 "srv-dc1.int.virtinc.com."
    Sending DNS SRV query for _kerberos._tcp.INT.VIRTINC.COM.
    SRV answer: 0 100 88 "srv-dc1.int.virtinc.com."
    Resolving hostname srv-dc1.int.virtinc.com.
    Resolving hostname srv-dc1.int.virtinc.com.
- The verification steps above were successful.
Example
In case of failure:
- Ensure that the configured DNS server can resolve the DNS SRV requests to determine the appropriate Active Directory domain and domain controller.
- Either configure another DNS server or ensure that the required DNS records are available in the DNS server.
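To cross-check the DNS server independently of airlock-test-kerberos, the following added example (not part of Airlock Gateway or of the original article) queries the same two SRV names with dig and then resolves each returned target. It assumes a host with dig that can reach the DNS server configured in Airlock Gateway and domain controllers with IPv4 (A) records; the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Airlock code): cross-check the Kerberos SRV records.
# Usage: sh check-krb-srv.sh <dns-server> <REALM>   (file name is hypothetical)

# Read `dig +short SRV` output ("priority weight port target") on stdin and
# print "target port" per usable record, lowest priority first.
# A target of "." means "service not offered" (RFC 2782) and is skipped.
# Returns 1 if no usable record is left (empty answer, error text, ...).
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
         $3 ~ /^[0-9]+$/ && $4 != "." { print $1, $4, $3 }' |
        sort -n |
        awk '{ print $2, $3; n++ } END { exit (n ? 0 : 1) }'
}

# Query both SRV names that appear in the airlock-test-kerberos output
# against one DNS server, then resolve every SRV target to an address.
check_realm() {
    server=$1
    realm=$2
    rc=0
    for proto in udp tcp; do
        name="_kerberos._${proto}.${realm}"
        if targets=$(dig +short @"$server" SRV "$name" | srv_targets); then
            echo "OK   $name"
            while read -r host port; do
                # Keep only IPv4 addresses; drops CNAME lines and dig errors.
                addr=$(dig +short @"$server" A "$host" |
                       grep -E '^[0-9.]+$' | tail -n 1)
                [ -n "$addr" ] || rc=1
                echo "     $host port $port -> ${addr:-NOT RESOLVABLE}"
            done <<EOF
$targets
EOF
        else
            echo "FAIL $name: $server returned no usable SRV record"
            rc=1
        fi
    done
    return "$rc"
}

# Only run the live check when both arguments are given.
if [ "$#" -eq 2 ]; then
    check_realm "$1" "$2"
fi
```

A FAIL line or a NOT RESOLVABLE target points to the same causes listed above: the queried DNS server lacks the required records, or a different DNS server must be configured.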