How to add Kerberos Authentication to Your Site With Minimum Efforts

Maxim Thomas
2 min read · Jun 9, 2020

Motivation

Kerberos authentication allows users to authenticate seamlessly to trusted sites. If users are already authenticated in the corporate network, there is no need to authenticate again to other applications; the credentials they entered earlier are reused. In this article, we will set up Kerberos authentication for your application in several minutes. As the authentication service, we will use the Gortas open source authentication service.

Windows Server Setup

In your Windows Server, create a Kerberos account, for example gortasKerberos, that will be used for Kerberos authentication. Enable the checkboxes User cannot change password and Password never expires.

Then create the keytab file gortasKerberos.keytab with the ktpass command:

ktpass -out gortasKerberos.keytab -princ HTTP/auth-service-domain@KERB.DOMAIN -pass +rndPass -maxPass 256 -mapuser gortasKerberos -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL

In this command:

  • KERB.DOMAIN - the Kerberos domain (realm) name; it must be uppercase, change it to yours.
  • auth-service-domain - the Gortas authentication service domain name (gortas.domain in the rest of this article), change it to yours.

The Gortas service and the Kerberos realm should be on different domains; otherwise Kerberos authentication won't work.

Gortas Setup

Create a config file gortas-kerberos.yaml for the auth service with the following contents:

Pay attention to the server.cors.allowedOrigins config parameter: it should contain your Gortas service domain.

Then put the keytab file in any directory and add a volume with the keytab to the gortas service in docker-compose.yaml, so the service can read the file.

The entire docker-compose.yaml will look like this:

The docker-compose file has three services:

  • gortas - the gortas authentication service itself, runs on port 8080
  • gortas-ui - the frontend for the authentication service, runs on port 3000
  • mongo - MongoDB, used as storage for users and services

Build and run services with docker-compose:

docker-compose up --build

Testing Authentication

Open the client application in your browser at http://gortas.domain:3000; you should see a successful authentication dialog.

Or you can use your own JavaScript. For example:

// Cross-origin POST to the auth service; the browser negotiates Kerberos (SPNEGO) itself.
// credentials: 'include' is what makes the browser send and store the GortasSession cookie.
fetch('http://gortas.domain:8080', {
  method: 'POST',
  mode: 'cors',
  cache: 'no-cache',
  credentials: 'include',
  headers: {
    'Content-Type': 'application/json',
  },
  redirect: 'follow', // manual, *follow, error
  referrer: 'no-referrer', // no-referrer, *client
})
  // response.json() returns a promise, so it has to be awaited before logging
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(err => console.error('authentication request failed', err));

A JWT with the authenticated user's data is returned in the GortasSession cookie header.
