The following image shows the basic steps to authenticate users with Front-side Kerberos authentication against Airlock IAM:

Frontside Kerberos

  • 1.
    The user requests access to the back-end application Web App A which is protected by Airlock Gateway (WAF). This web application is accessible through the virtual host a.airlock.com. Authentication enforcement is configured on Airlock Gateway (WAF). Since the user is not yet authenticated and authentication flow One-Shot is configured, the request is passed to Airlock IAM.
  • 2.
    Airlock IAM receives the request from 1). Because it does not contain a Kerberos ticket, Airlock IAM asks for such a ticket with a HTTP 401 response.
  • 3.
    Now the client requests a Kerberos service ticket for the service a.airlock.com from the Active Directory Domain Controller.
  • 4.
    The client repeats the request from 1) and appends the Kerberos service ticket he received in 3) from the Active Directory Domain Controller. The user is still not authenticated, so the request is passed again to Airlock IAM.
  • 5.
    Airlock IAM receives the request which has now a Kerberos service ticket appended and verifies whether the ticket is valid or not and extracts information from it.
  • 6.
    In case that the user has sent a valid Kerberos ticket, Airlock IAM additionally validates the user through LDAPS in the Active Directory. If necessary, additional group membership checks etc. could be performed at this point. After the user has been authenticated successfully, Airlock IAM sets the necessary Airlock Gateway (WAF) credentials and the information for identity propagation to the target application.
  • 7.
    Since the user is now authenticated, the original request is forwarded to the desired back-end application. From now on, the user's session is authenticated, so further requests are passed directly to the back-end application.
  • 8.
    Optional: A kerberized back-end application is also supported via Airlock Gateway (WAF) Back-side Kerberos.
  • Please note that this example illustrates the One-Shot authentication flow. In case of the Redirect authentication flow, the sequence looks a bit different.
  • The Airlock IAM Front-side Kerberos authentication feature allows protecting web applications, which do not understand Kerberos in any way (not kerberized web applications). In case that the web application itself is also kerberized, identity propagation could be realized with Airlock Gateway (WAF) Back-side Kerberos SSO.