Front-Side Kerberos configuration
17.6.3. Front-Side Kerberos configuration (one-shot flow)

Steps 1–5 in this section describes how the Airlock Gateway (WAF) configuration must be adapted in order to use Front-side Kerberos with the One-Shot authentication flow. The second half of steps describes how to use the previously configured Kerberos setting to finalize the one-shot flow in Airlock IAM.

Step 1 – Create a back-end group for IAM

  • 1.
    Sign in to Airlock Gateway (WAF) Configuration Center as an admin
  • 2.
    To add a new Back-end Group, go to Application Firewall > Reverse Proxy and click on the + sign at the top of the Back-end Group column.
  • 3.
    Enter a name for the Back-end Group Name, select the correct protocol, enter a Hostname and the Port as well.

Step 2 – Create a mapping for IAM

  • 1.
    To add a new Mapping, go to Application Firewall > Reverse Proxy and click on the + sign at the top of the Mapping column and afterward choose New from template.
  • 2.
    On the Mapping template screen, select the Airlock IAM Mapping template.
  • 3.
    Switch to the tab Response Actions and disable the action (default) Remove Negotiate Header.
  • 4.
    Switch to the tab Allow Rules and enable the rule One-Shot Functionality.
  • 5.
    Connect the new Airlock IAM Mapping with the Virtual Host the web application Mapping is connected to.
  • 6.
    Connect the new Airlock IAM Mapping with the IAM Back-end Group.

Step 3 – Customize the application mapping

  • 1.
    Go to Application Firewall > Reverse Proxy and edit the Mapping of the web application for which Front-side Kerberos should be used.
  • 2.
    Configure the Denied access URL point to the correct instance of Airlock IAM. For the IAM auth instance the URL would be /auth/login-oneshot
  • 3.
    Select One-Shot in the Authentication flow drop-down list.
  • 4.
    Enter the credential Airlock IAM sets after a successful authentication under Restricted to roles.

Step 4 – Configure the maximal allowed HTTP request header size

  • 1.
    Go to Expert Settings > Security Gate / Apache
  • 2.
    Enable the Apache Expert Settings and configure the following setting:
  • # Increase the maximal allowed HTTP request header size
    LimitRequestFieldSize 16384
    • Please ensure that the Airlock Gateway (WAF) setting configured in this step is identical or smaller than the one configured in Airlock IAM. How this can be achieved is described in HTTP Request Header Size.
    • For further information about issues caused because of wrong configuration of the allowed HTTP request header size, check HTTP Request Header Size.

Step 5 – Activate Airlock Gateway (WAF) configuration

After going through the previous steps, activate the new configuration.

  • 1.
    Click on the Activate button in the Airlock Gateway (WAF) Configuration Center.

Step 6 – Create krb5.conf file in Airlock IAM

Create a /etc/krb5.conf file and configure it with the correct values for the Windows domain.


default_realm = AIRLOCK.COM

kdc =
default_domain = AIRLOCK.COM

.airlock.local = AIRLOCK.COM
  • The uppercase values are settings to describe the Kerberos realm, while the lowercase values are DNS settings. Configure the settings in the same upper-/lowercase as illustrated above.
  • To make the new settings from the /etc/krb5.conf file active, Airlock IAM must be restarted.

Step 7 – Copy the keytab file

Copy the keytab file created earlier on the Active Directory Domain Controller into the IAM instance directory (e.g. /home/airlock/iam/instances/auth/).

Step 8 – Create a One-Shot configuration for authentication flow One-Shot

  • 1.
    Sign in to Airlock IAM Adminapp as an admin
  • 2.
    Open the Config Editor
  • 3.
    Go to Login Application >> Airlock One-Shot Authentication
  • 4.
    Create a new Target Application/Service
  • 5.
    Configure the Kerberos SPNEGO Extractor as the Credential Extractor
  • 6.
    Create a new Kerberos Config
  • 7.
    Configure the Keytab File which has been copied into the instance directory previously (e.g. instances/auth/
  • 8.
    Configure the Service Principal (e.g. HTTP/
  • 9.
    Go back and continue editing the Target Application/Service
  • 10.
    It is recommended to configure a Lookup and Accept Authenticator as the Authenticator to check whether the user is locked or not and to potentially load context data/roles.
  • 11.
    Go back and continue editing the Target Application/Service
  • 12.
    Configure the Kerberos SPNEGO Error Mapper as the Failure Responses
  • 13.
    Go back and continue editing the Target Application/Service
  • 14.
    Click on the Activate button in the Airlock IAM Config Editor.

If multiple Service Principal (SPN) have to be supported, either create a new Kerberos Config per SPN (using contexts and with a context extractor to choose the correct context) or specify "*" as the SPN to simply accept all SPNs contained in the keytab.

From a Front-side Kerberos perspective, these are all the necessary settings. Nevertheless, ensure that all other important settings for a One-Shot Target Application are set.