Example
Airlock IAM authenticates the user. After successful authentication, it uses the Control API to set the Kerberos user that is propagated to the back-end server.
The following example helps to explain which Kerberos user is propagated to the back-end.
Airlock Gateway internal logic to choose the Kerberos user
- The most qualified Kerberos user is used. That is, a Kerberos user set for a specific Mapping is preferred over one set without a Mapping.
Airlock Gateway configuration
The following configuration is active on Airlock Gateway.
Mapping Name | Back-end Group |
Web_application_1 | int.virtinc.com |
Web_application_2 | int.virtinc.com |
Web_application_3 | airlock.academy |
Kerberos users set through Control API
The following Kerberos users are set by Airlock IAM through Control API.
Username | Windows Domain | Mapping Name |
UserA | int.virtinc.com | |
UserB | int.virtinc.com | Web_application_2 |
Admin | airlock.academy | Web_application_3 |
The following users would be propagated to the back-end server:
- For Mapping Web_application_1:
UserA@int.virtinc.com will be propagated.
This Kerberos user is the most qualified.
- For Mapping Web_application_2:
UserB@int.virtinc.com will be propagated.
The Mapping-specific Kerberos user is the most qualified.
- For Mapping Web_application_3:
Admin@airlock.academy will be propagated.
The Mapping-specific Kerberos user is the most qualified.
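The precedence rule above, modelled as an added example (not Airlock code and not part of the original page) that can be used to review which identity each Mapping would propagate. The function names are hypothetical, the data is constructed from the tables above, and only the stated rule is modelled: domain matching and the case of several candidates at the same level are not described on this page, so the model rejects the latter instead of guessing.

```python
from typing import Optional

# Constructed from the tables on this page.
MAPPINGS = ["Web_application_1", "Web_application_2", "Web_application_3"]

# (username, windows_domain, mapping_name or None when no Mapping is set)
KERBEROS_USERS = [
    ("UserA", "int.virtinc.com", None),
    ("UserB", "int.virtinc.com", "Web_application_2"),
    ("Admin", "airlock.academy", "Web_application_3"),
]


def select_kerberos_user(mapping: str, users) -> tuple[Optional[str], str]:
    """Return (principal, rule) for one Mapping.

    rule is "mapping-specific", "no-mapping" (fallback) or "none".
    """
    specific = [u for u in users if u[2] == mapping]
    unscoped = [u for u in users if u[2] is None]
    # Most qualified first: a Mapping-specific user beats one without a Mapping.
    for rule, candidates in (("mapping-specific", specific),
                             ("no-mapping", unscoped)):
        if len(candidates) > 1:
            # Assumption: the page does not define a tie-break, so refuse.
            raise ValueError(f"{mapping}: several {rule} users, order undefined")
        if candidates:
            name, domain, _ = candidates[0]
            return f"{name}@{domain}", rule
    return None, "none"


def propagation_report(mappings, users) -> dict:
    """Resolve every Mapping so fallback identities are easy to spot."""
    return {m: select_kerberos_user(m, users) for m in mappings}


if __name__ == "__main__":
    for mapping, (principal, rule) in propagation_report(
            MAPPINGS, KERBEROS_USERS).items():
        print(f"{mapping}: {principal} ({rule})")
```

Mappings reported with the `no-mapping` rule receive the user set without a Mapping, which is worth checking when that account holds more rights than the back-end needs.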