Front-Side Kerberos configuration (one-shot flow)

Steps 1–5 in this section describe how the Airlock Gateway (WAF) configuration must be adapted in order to use Front-side Kerberos with the One-Shot authentication flow. Steps 6–8 describe how to use the previously configured Kerberos settings to finalize the One-Shot flow in Airlock IAM.

Step 1 – Create a back-end group for IAM

  1. Sign in to the Airlock Gateway (WAF) Configuration Center as an admin.
  2. To add a new Back-end Group, go to Application Firewall > Reverse Proxy and click on the + sign at the top of the Back-end Group column.
  3. Enter a Back-end Group Name, select the correct protocol, and enter the Hostname and Port of the IAM instance.

Step 2 – Import a mapping for IAM

  1. In the mapping column, click the + button and choose New from template.
  2. The Mapping Templates list appears.
  3. In the section Airlock IAM, choose Download Mapping Templates.
  4. The latest Airlock IAM manual opens up in the browser.
  5. From the download table of the manual page, select and download the IAM Loginapp Template that matches with your Airlock Gateway version.
  6. Change back to the Airlock Gateway Configuration Center page and close the Mapping Templates list.
  7. In the mapping column, click the + button and choose Import…. Select and import the downloaded mapping template zip file.
  8. After the import has finished, the new mapping opens in edit mode.
  9. Switch to the tab Allow Rules and enable the rule Kerberos Functionality.
  10. Change back to the Reverse Proxy view.
  11. The new Airlock-IAM-Loginapp mapping is now shown in the Mapping column.
  12. Connect the Airlock-IAM-Loginapp mapping to the Virtual Host that is connected to the web application mapping.
  13. Connect the Airlock-IAM-Loginapp with the IAM Back-end Group.

Step 2 – Create a mapping for IAM

  1. To add a new Mapping, go to Application Firewall > Reverse Proxy, click on the + sign at the top of the Mapping column and then choose New from template.
  2. On the Mapping template screen, select the Airlock IAM Mapping template.
  3. Switch to the tab Response Actions and disable the action (default) Remove Negotiate Header.
  4. Switch to the tab Allow Rules and enable the rule One-Shot Functionality.
  5. Connect the new Airlock IAM Mapping with the Virtual Host the web application Mapping is connected to.
  6. Connect the new Airlock IAM Mapping with the IAM Back-end Group.

Step 3 – Customize the application mapping

  1. Go to Application Firewall > Reverse Proxy and edit the Mapping of the web application for which Front-side Kerberos should be used.
  2. Configure the Denied access URL to point to the correct instance of Airlock IAM. For the IAM auth instance the URL would be /auth/login-oneshot.
  3. Select One-Shot in the Authentication flow drop-down list.
  4. Under Restricted to roles, enter the credential (role) that Airlock IAM sets after a successful authentication.

Step 4 – Configure the maximal allowed HTTP request header size

  1. Go to Expert Settings > Security Gate / Apache.
  2. Enable the Apache Expert Settings and add the following setting:

     # Increase the maximal allowed HTTP request header size
     LimitRequestFieldSize 16384

    • Please ensure that the Airlock Gateway (WAF) value configured in this step is identical to or smaller than the one configured in Airlock IAM. How this can be achieved is described in HTTP Request Header Size.
    • For further information about issues caused by a wrong configuration of the allowed HTTP request header size, see HTTP Request Header Size.

Step 5 – Activate Airlock Gateway (WAF) configuration

After going through the previous steps, activate the new configuration.

  1. Click on the Activate button in the Airlock Gateway (WAF) Configuration Center.

Step 6 – Create krb5.conf file in Airlock IAM

Create a /etc/krb5.conf file and configure it with the correct values for the Windows domain.

/etc/krb5.conf

[libdefaults]
# Kerberos realm (upper-case) used when no realm is given
default_realm = AIRLOCK.COM

[realms]
# The realm defined here must be the same as default_realm
AIRLOCK.COM = {
  # KDC host name and DNS domain are DNS settings (lower-case)
  kdc = dc.airlock.com
  default_domain = airlock.com
}

[domain_realm]
# Map the DNS domain (lower-case) to the Kerberos realm (upper-case)
.airlock.com = AIRLOCK.COM

  • The upper-case values are settings that describe the Kerberos realm, while the lower-case values are DNS settings. Configure the settings with the same upper-/lower-case spelling as illustrated above, and make sure that the realm named under [realms] and in [domain_realm] is the same as default_realm.
  • To make the new settings from the /etc/krb5.conf file active, Airlock IAM must be restarted.
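The following consistency check is an added example and not part of Airlock IAM or its documentation. It parses a minimal krb5.conf and reports the mistakes that most often break Front-side Kerberos: a default_realm that is not defined under [realms], a [domain_realm] entry that maps to an undefined realm, and realm or DNS names written in the wrong case. The two configuration texts embedded below are constructed for the example; the first is the consistent configuration from this step, the second deliberately mixes the realms AIRLOCK.COM and AIRLOCK.LOCAL. It only understands the three sections used on this page (assumption: no include directives or other sections).

```python
"""Consistency check for a minimal krb5.conf (added example, not Airlock code)."""
import re
from typing import Dict, List

# Constructed sample: consistent configuration as shown in Step 6.
GOOD_CONF = """
[libdefaults]
default_realm = AIRLOCK.COM

[realms]
AIRLOCK.COM = {
  kdc = dc.airlock.com
  default_domain = airlock.com
}

[domain_realm]
.airlock.com = AIRLOCK.COM
"""

# Constructed sample: realm names do not match and a DNS value is upper-case.
BAD_CONF = """
[libdefaults]
default_realm = AIRLOCK.COM

[realms]
AIRLOCK.LOCAL = {
kdc = dc.airlock.com
default_domain = AIRLOCK.COM
}

[domain_realm]
.airlock.local = AIRLOCK.COM
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Return {section: {key: value}}; [realms] holds {REALM: {key: value}}."""
    sections: Dict[str, dict] = {}
    section = None   # current [section]
    realm = None     # current "NAME = { ... }" sub-block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            sections.setdefault(section, {})
            realm = None
            continue
        if section is None:
            raise ValueError(f"key/value outside of any section: {raw!r}")
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                        # start of a realm sub-block
            realm = key
            sections[section][realm] = {}
        elif realm is not None:
            sections[section][realm][key] = value
        else:
            sections[section][key] = value
    return sections


def check_krb5_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file is consistent."""
    conf = parse_krb5_conf(text)
    findings: List[str] = []
    realms = conf.get("realms", {})
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: default_realm is missing")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} is not defined in [realms]")
    for name, settings in realms.items():
        if name != name.upper():
            findings.append(f"realm name {name} must be upper-case")
        if "kdc" not in settings:
            findings.append(f"realm {name} has no kdc")
        for key in ("kdc", "default_domain"):   # DNS names: lower-case
            value = settings.get(key)
            if value and value != value.lower():
                findings.append(f"{name}: {key} is a DNS name and should be lower-case ({value})")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if domain != domain.lower():
            findings.append(f"domain_realm: DNS name {domain} should be lower-case")
        if mapped not in realms:
            findings.append(f"domain_realm: {domain} maps to undefined realm {mapped}")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_krb5_conf(conf) or "OK")
```

Run it against the real /etc/krb5.conf before restarting Airlock IAM; a non-empty finding list explains a later "unknown realm" or ticket validation failure faster than the IAM log does.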

Step 7 – Copy the *.keytab file

Copy the *.keytab file into the IAM instance directory (e.g. /home/airlock/iam/instances/auth/).

Step 8 – Create a One-Shot configuration for authentication flow One-Shot

  1. Sign in to the Airlock IAM Adminapp as an admin.
  2. Open the Config Editor.
  3. Go to Login Application >> Airlock One-Shot Authentication.
  4. Create a new Target Application/Service.
  5. Configure the Kerberos SPNEGO Extractor as the Credential Extractor.
  6. Create a new Kerberos Config.
  7. Configure the Keytab File that was copied into the instance directory in the previous step (e.g. instances/auth/airlock.com.keytab).
  8. Configure the Service Principal (e.g. HTTP/a.airlock.com).
  9. Go back and continue editing the Target Application/Service.
  10. It is recommended to configure a Lookup and Accept Authenticator as the Authenticator, to check whether the user is locked and to load context data or roles if needed.
  11. Go back and continue editing the Target Application/Service.
  12. Configure the Kerberos SPNEGO Error Mapper as the Failure Responses.
  13. Go back and continue editing the Target Application/Service.
  14. Click on the Activate button in the Airlock IAM Config Editor.

If multiple Service Principals (SPNs) have to be supported, either create a new Kerberos Config per SPN (using contexts, with a context extractor that selects the correct context) or specify "*" as the SPN to accept all SPNs contained in the *.keytab file.
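Because an SPN of "*" accepts every principal in the keytab copied in Step 7, it is worth knowing exactly which SPNs that file contains before activating the configuration. The script below is an added example, not Airlock code: it implements the MIT keytab file format (version 0x0502, all integers big-endian) and lists the principals, key version numbers and encryption types of a keytab offline. The keytab it inspects is constructed in the script itself with dummy keys and the assumed SPNs HTTP/a.airlock.com and HTTP/b.airlock.com; a real keytab from the domain controller can be passed to list_principals in the same way.

```python
"""List the service principals in a Kerberos keytab (added example, not Airlock code)."""
import struct
import time
from typing import Dict, List, Tuple

KEYTAB_VERSION = 0x0502   # MIT keytab format v2, big-endian
NT_PRINCIPAL = 1          # name type used for host-based service principals
ENCTYPE_AES256_SHA1 = 18  # aes256-cts-hmac-sha1-96


class _Reader:
    """Sequential big-endian reader over one keytab entry."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keytab entry")
        self.pos += n
        return chunk

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def counted(self) -> bytes:
        """counted_octet_string: uint16 length followed by the data."""
        return self.take(self.u16())

    def remaining(self) -> int:
        return len(self.buf) - self.pos


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[Tuple[str, str, int, int, bytes]]) -> bytes:
    """Serialise (principal, realm, kvno, enctype, key) tuples as a keytab.

    Used here only to construct test input; real keytabs are generated on
    the domain controller (for example with ktpass).
    """
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, realm, kvno, enctype, key in entries:
        components = principal.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def list_principals(keytab: bytes) -> List[Dict[str, object]]:
    """Return one dict per live entry: principal, kvno, enctype, key_len."""
    if len(keytab) < 2 or struct.unpack(">H", keytab[:2])[0] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version (expected 0x0502)")
    pos, entries = 2, []
    while pos < len(keytab):
        (size,) = struct.unpack(">i", keytab[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        r = _Reader(keytab[pos:pos + size])
        pos += size
        num_components = r.u16()
        realm = r.counted().decode()
        components = [r.counted().decode() for _ in range(num_components)]
        r.u32()                      # name_type (not needed for listing)
        r.u32()                      # timestamp
        vno8 = r.take(1)[0]
        enctype = r.u16()
        key = r.counted()
        kvno = r.u32() if r.remaining() >= 4 else vno8   # prefer 32-bit kvno
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key_len": len(key)})
    return entries


def sample_keytab() -> bytes:
    """Constructed keytab with two SPNs of the AIRLOCK.COM realm (dummy keys)."""
    dummy_key = bytes(range(32))     # NOT a real key: 32-byte placeholder
    return build_keytab([
        ("HTTP/a.airlock.com", "AIRLOCK.COM", 3, ENCTYPE_AES256_SHA1, dummy_key),
        ("HTTP/b.airlock.com", "AIRLOCK.COM", 5, ENCTYPE_AES256_SHA1, dummy_key),
    ])


if __name__ == "__main__":
    for e in list_principals(sample_keytab()):
        print(f"{e['principal']:40} kvno={e['kvno']} enctype={e['enctype']}")
```

If the list shows principals that do not belong to this web application, prefer one Kerberos Config per SPN over the "*" wildcard; the kvno column also makes it easy to see whether the keytab is older than the account's current key version after a password reset.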

From a Front-side Kerberos perspective, these are all the necessary settings. Nevertheless, ensure that all other important settings for a One-Shot Target Application are set.