Front-Side Kerberos configuration in the Loginapp REST API

This chapter describes how the Airlock Gateway and Airlock IAM configuration must be adapted in order to use front-side Kerberos authentication with the Loginapp REST UI.

Airlock IAM: Kerberos configuration file (krb5.conf)

Create the file /etc/krb5.conf on the Airlock IAM host and fill in the values of the Windows domain (Active Directory realm) that issues the Kerberos tickets. The realm name must be the same in all three sections; the example below uses the realm AIRLOCK.COM for the DNS domain airlock.com.

/etc/krb5.conf

[libdefaults]
default_realm = AIRLOCK.COM

[realms]
AIRLOCK.COM = {
kdc = dc.airlock.com
default_domain = airlock.com
}

[domain_realm]
.airlock.com = AIRLOCK.COM
  • The uppercase values are Kerberos realm names, the lowercase values are DNS names (the KDC host and the DNS domains). Kerberos realm names are case-sensitive, so keep the upper-/lowercase exactly as illustrated above.
  • The new settings in /etc/krb5.conf become active only after Airlock IAM has been restarted.
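The mistake this section guards against, a realm name that differs between [libdefaults], [realms] and [domain_realm] or a DNS name written in upper case, is easy to make and hard to see in the resulting "KDC not found" errors. The following check is an added example, not part of the Airlock documentation or product: it parses the three sections of a krb5.conf and reports inconsistencies. Both sample files are constructed inline; the first one intentionally mixes the realms AIRLOCK.COM and AIRLOCK.LOCAL.

```python
import re

# Constructed sample: realm names mixed between the three sections (AIRLOCK.COM vs
# AIRLOCK.LOCAL) and a DNS domain written in upper case. Not a real deployment.
BROKEN_KRB5_CONF = """
[libdefaults]
default_realm = AIRLOCK.COM

[realms]
AIRLOCK.LOCAL = {
kdc = dc.airlock.com
default_domain = AIRLOCK.COM
}

[domain_realm]
.airlock.local = AIRLOCK.COM
"""

# Constructed sample: the same file with one realm name used consistently.
FIXED_KRB5_CONF = """
[libdefaults]
default_realm = AIRLOCK.COM

[realms]
AIRLOCK.COM = {
kdc = dc.airlock.com
default_domain = airlock.com
}

[domain_realm]
.airlock.com = AIRLOCK.COM
"""


def parse_krb5_conf(text: str) -> dict:
    """Minimal parser for the sections this page touches.

    Returns {"libdefaults": {k: v}, "realms": {REALM: {k: v}}, "domain_realm": {dns: REALM}}.
    '{ ... }' blocks are supported one level deep, inside [realms] only.
    """
    conf = {"libdefaults": {}, "realms": {}, "domain_realm": {}}
    section = None
    current_realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding blanks
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current_realm = m.group(1), None
            continue
        if section == "realms":
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)   # 'REALM = {' opens a realm block
            if m:
                current_realm = m.group(1)
                conf["realms"][current_realm] = {}
                continue
            if line == "}":
                current_realm = None
                continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "realms" and current_realm is not None:
            conf["realms"][current_realm][key] = value
        elif section in conf:
            conf[section][key] = value
    return conf


def check_krb5_conf(text: str) -> list:
    """Return a list of findings; an empty list means the three sections agree."""
    conf = parse_krb5_conf(text)
    findings = []
    default_realm = conf["libdefaults"].get("default_realm")
    if default_realm is None:
        findings.append("libdefaults: default_realm is missing")
    elif default_realm not in conf["realms"]:
        findings.append(f"default_realm {default_realm} has no [realms] entry "
                        f"(defined realms: {sorted(conf['realms'])})")
    for realm, settings in conf["realms"].items():
        if realm != realm.upper():
            findings.append(f"realm name {realm} is not upper case")
        dom = settings.get("default_domain")
        if dom and dom != dom.lower():
            findings.append(f"{realm}: default_domain {dom} is a DNS name and should be lower case")
    for domain, realm in conf["domain_realm"].items():
        if domain != domain.lower():
            findings.append(f"domain_realm: {domain} is a DNS name and should be lower case")
        if realm not in conf["realms"]:
            findings.append(f"domain_realm: {domain} maps to {realm}, which has no [realms] entry")
    return findings


if __name__ == "__main__":
    for name, conf_text in (("broken", BROKEN_KRB5_CONF), ("fixed", FIXED_KRB5_CONF)):
        print(name, check_krb5_conf(conf_text) or "OK")
```

Run it against the real file with `check_krb5_conf(open("/etc/krb5.conf").read())` before restarting Airlock IAM; the broken sample above yields three findings (undefined default_realm, upper-case default_domain, domain_realm mapping to an undefined realm), the fixed sample none.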

Copy the keytab file (*.keytab) exported for the IAM service account into the IAM instance directory (e.g. /home/airlock/iam/instances/auth/). The keytab contains the long-term key of the service principal, so restrict it to the user Airlock IAM runs as (e.g. file mode 0600).

Airlock IAM: Flow configuration

The authentication flow of the corresponding target application(s) must contain the Kerberos Authentication Step. The step must be the first user-identifying step; typically it is the first step in the flow.

  1. Go to:
    Loginapp >> Authentication Flows >> affected target application >> Authentication Flow (create one if required)
  2. Add the Kerberos Authentication Step to the flow (usually as the first step) and configure it as follows.
  3. In the property Keytab File, refer to the *.keytab file copied above. File paths may be absolute or relative to the IAM home directory (the directory that contains the instances directory).
  4. In the property Service Principal, specify the SPN (Service Principal Name) registered for Airlock IAM in the Windows domain. It is typically of the form HTTP/<IAM host FQDN>@<REALM>, for example HTTP/iam.airlock.com@AIRLOCK.COM (example value); it must match the principal contained in the keytab.
  5. Configure the remaining properties as required. See the property documentation in the Config Editor for further information.

The property Goto on Fallback lets the flow jump to an alternative step and is intended to support clients that cannot do Kerberos. The alternative step could, for example, ask for a username and a password if Kerberos authentication is not possible.

Airlock Gateway configuration

The following settings are relevant in the IAM mapping on Airlock Gateway:
  • In the Allow Rules list, enable the rule Kerberos Functionality.

The following settings are relevant in the mapping(s) of the target applications that should be accessed with front-side Kerberos authentication:
  • Set the Denied Access URL to the Loginapp URL of the target application whose authentication flow contains the Kerberos Authentication Step. Example: /auth/ui/app/auth/application/access/targetApp1

HTTP headers with Kerberos tickets may get large: a ticket issued by Active Directory carries the user's group memberships, so the Authorization header can exceed the Apache default limit of 8190 bytes per header field. It is therefore strongly recommended to increase the maximum HTTP request header size in Airlock Gateway:

  1. Go to Expert Settings > Security Gate / Apache
  2. Enable the Apache Expert Settings.
  3. Add the following setting:

    # Increase the maximal allowed HTTP request header size
    LimitRequestFieldSize 16384

    • Ensure that the value configured on Airlock Gateway (WAF) in this step is identical to or smaller than the one configured in Airlock IAM; otherwise the Gateway may forward a header that IAM rejects. How this is achieved is described in HTTP Request Header Size.
    • For further information about problems caused by a wrongly configured HTTP request header size, see HTTP Request Header Size.

Limitations

  • The front-side Kerberos feature does not support falling back to NTLM. If a browser answers the Negotiate challenge with an NTLM token instead of a Kerberos ticket, the Kerberos Authentication Step cannot authenticate the user.
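Two checks a practitioner typically needs when this setup misbehaves, covering both the header-size recommendation above and the NTLM limitation: how large the Authorization header of a request actually is compared with LimitRequestFieldSize, and whether the client has fallen back to NTLM, either as a raw NTLMSSP message under the Negotiate scheme or as a SPNEGO token that offers only the NTLMSSP mechanism. This is an added example, not code from the Airlock documentation or product. The sample headers are constructed inline from minimal DER structures rather than captured from a browser; the OIDs are the standard GSS-API mechanism OIDs for SPNEGO, Kerberos 5, Microsoft Kerberos and NTLMSSP.

```python
import base64
import binascii

# DER-encoded mechanism OIDs as they appear inside a SPNEGO token.
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def der(tag: int, content: bytes) -> bytes:
    """DER TLV with a short-form length; sufficient for the small constructed tokens below."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


def build_spnego_init(mech_oids: list) -> bytes:
    """Constructed minimal GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit
    that carries only the mechTypes list (no mechToken). Not a captured browser token."""
    mech_list = der(0x30, b"".join(der(0x06, oid) for oid in mech_oids))
    neg_token_init = der(0x30, der(0xA0, mech_list))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_token_init))


def classify_negotiate(header_value: str) -> str:
    """Classify an 'Authorization: Negotiate <token>' value as 'kerberos', 'ntlm' or 'unknown'.

    Looks only at the token prefix and at which mechanism OIDs occur in it; it does not
    validate the ASN.1 structure, which is enough for log triage but not for parsing.
    """
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token_b64:
        return "unknown"
    try:
        token = base64.b64decode(token_b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"                       # raw NTLM message sent under the Negotiate scheme
    if token[:1] != b"\x60":
        return "unknown"                    # not a GSS-API InitialContextToken
    if KRB5_OID in token or MS_KRB5_OID in token:
        return "kerberos"                   # SPNEGO offering (and normally carrying) Kerberos
    if NTLMSSP_OID in token:
        return "ntlm"                       # SPNEGO offering only NTLMSSP
    return "unknown"


def header_field_size(name: str, value: str) -> int:
    """Bytes of one request header line ('Name: value'), the unit LimitRequestFieldSize limits."""
    return len(f"{name}: {value}".encode("latin-1"))


def header_fits(name: str, value: str, limit: int = 16384) -> bool:
    """True if the header line fits the given LimitRequestFieldSize (Apache default: 8190)."""
    return header_field_size(name, value) <= limit


# Constructed sample headers for the three cases seen in practice.
KERBEROS_HEADER = "Negotiate " + base64.b64encode(
    build_spnego_init([MS_KRB5_OID, KRB5_OID])).decode()
SPNEGO_NTLM_HEADER = "Negotiate " + base64.b64encode(
    build_spnego_init([NTLMSSP_OID])).decode()
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)).decode()   # NTLM type 1 skeleton

if __name__ == "__main__":
    for label, hdr in (("kerberos", KERBEROS_HEADER), ("spnego-ntlm", SPNEGO_NTLM_HEADER),
                       ("raw-ntlm", RAW_NTLM_HEADER)):
        print(label, classify_negotiate(hdr), header_field_size("Authorization", hdr), "bytes")
```

Feed the Authorization header value from a Gateway or IAM request log into `classify_negotiate`: an 'ntlm' result explains a failed Kerberos Authentication Step without any Kerberos misconfiguration (the browser had no ticket for the SPN), while `header_fits` with the configured LimitRequestFieldSize shows whether a real ticket, which is much larger than these constructed tokens, would have been cut off at the Gateway.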