
Kerberos Authentication

Kerberos authentication requires additional configuration on both Active Directory and the client computers.

Microsoft provides an overview of Kerberos authentication at: https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview

Configuring Active Directory

The configuration needs an Active Directory service user and a keytab file.

Creating a User

Create a service user for the Kerberos authentication process. Adjust the parameters below to your own environment.

Property             | Value                                               | Description
---------------------|-----------------------------------------------------|---------------------------------
Name                 | svc-monofor-krb                                     |
UserPrincipalName    | svc-monofor-krb@YOUR-DOMAIN.COM                     |
AccountPassword      | YourP@ssw0rd123!Secure                              | Use a unique, generated password
Enabled              | true                                                |
PasswordNeverExpires | true                                                | The password should never expire
CannotChangePassword | true                                                |
Description          | Service account for Monofor Kerberos Authentication | Description of the user

Creating the User with a PowerShell Script

You can run the following PowerShell on an Active Directory machine to create the user.

POWERSHELL
# Requires the RSAT ActiveDirectory module; replace YOUR-DOMAIN.COM with your realm
# and use the same values as in the table above.
Import-Module ActiveDirectory

New-ADUser -Name "svc-monofor-krb" `
    -SamAccountName "svc-monofor-krb" `
    -UserPrincipalName "svc-monofor-krb@YOUR-DOMAIN.COM" `
    -AccountPassword (ConvertTo-SecureString "YourP@ssw0rd123!Secure" -AsPlainText -Force) `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description "Service account for Monofor Kerberos Authentication"

Now register the SPNs for the created user, both with and without the realm.

POWERSHELL
# -S checks for duplicate SPNs in the forest before adding; a duplicate SPN breaks
# Kerberos for both accounts, so do not use -A here.
setspn -S HTTP/your-account-app.domain.com svc-monofor-krb
setspn -S HTTP/your-account-app.domain.com@DOMAIN-FQDN.COM svc-monofor-krb

# List the SPNs now registered on the account
setspn -L svc-monofor-krb

Now set the user's supported encryption types to AES. The value 24 is the sum of the AES128 (8) and AES256 (16) bits of msDS-SupportedEncryptionTypes, so RC4 (4) and DES (1, 2) are not offered for this account.

POWERSHELL
# 24 = AES128 (8) + AES256 (16); RC4 and DES bits are deliberately left clear
Set-ADUser -Identity "svc-monofor-krb" -Replace @{
    "msDS-SupportedEncryptionTypes" = 24
}

You can validate the created account with the following PowerShell command.

POWERSHELL
Write-Host "`nAccount Details:" -ForegroundColor Cyan
Get-ADUser "svc-monofor-krb" -Properties * |
    Select-Object Name,
    SamAccountName,
    UserPrincipalName,
    ServicePrincipalNames,
    Enabled,
    PasswordNeverExpires,
    PasswordExpired,
    LockedOut,
    CannotChangePassword,
    @{Name='EncryptionTypes';Expression={$_.'msDS-SupportedEncryptionTypes'}}

The output should look like the following. Note that UserPrincipalName in this sample already shows the HTTP/... principal: ktpass, run in the next section, rewrites the UPN to the mapped principal by default, so before that step the UPN is still svc-monofor-krb@YOUR-DOMAIN.COM.

CODE
# Example Output
Name                  : svc-monofor-krb
SamAccountName        : svc-monofor-krb
UserPrincipalName     : HTTP/your-account-app.domain.com@DOMAIN-FQDN.COM
ServicePrincipalNames : {HTTP/your-account-app.domain.com, HTTP/your-account-app.domain.com@DOMAIN-FQDN.COM}
Enabled               : True
PasswordNeverExpires  : True
PasswordExpired       : False
LockedOut             : False
CannotChangePassword  : True
EncryptionTypes       : 24

Creating and Exporting a Keytab File as Base64

Kerberos authentication also requires a keytab file. For more information on the keytab file format, read the documentation provided by MIT.

https://web.mit.edu/kerberos/krb5-devel/doc/basic/keytab_def.html

To create the keytab file, use the ktpass tool.

CODE
# Create the keytab. ktpass also resets the account password to the value of -pass
# (its default /setpass behaviour), so use the same password as in the table above.
ktpass -princ HTTP/your-account-app.domain.com@DOMAIN-FQDN.COM `
       -mapuser svc-monofor-krb@DOMAIN-FQDN.COM `
       -pass YourP@ssw0rd123!Secure `
       -out svc-monofor-krb.keytab `
       -crypto AES256-SHA1 `
       -ptype KRB5_NT_PRINCIPAL

# Convert the keytab to base64. The keytab contains the service key, which is
# equivalent to the account password; handle the file and its base64 form as a credential.
$keytabBytes = [System.IO.File]::ReadAllBytes("svc-monofor-krb.keytab")
$keytabBase64 = [System.Convert]::ToBase64String($keytabBytes)
Write-Host $keytabBase64

The output should look like the following. Copy the result for the upcoming configuration.

CODE
# Output
BQIAAABWAAIACk1PTk9MQUIuU0gABEhUVFAAE2ludGVybmFsLm1vbm9sYWIuc2gAAAABAAAAAAQAEgAgq9YJTnvZJGMZB6Zs8EgMt38ds7JyZjT46HG9Bf7i/Es=
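Before pasting the base64 keytab into the application configuration, it is worth checking that it contains the principal and encryption type you intended and nothing weaker. The script below is an added example, not part of the Monofor documentation or the ktpass tool: it parses the MIT keytab format (version 0x0502, which is what ktpass writes and what the sample above decodes as), reports each entry without exposing the key bytes, decodes an msDS-SupportedEncryptionTypes value such as the 24 set earlier, and flags keytab entries that the account would not be allowed to use. The sample input is the base64 string printed on this page (realm MONOLAB.SH, host internal.monolab.sh); the expected principal and the mask value passed to check_keytab are constructed for the example.

```python
import base64
import struct

# Constructed input for the example: the base64 keytab printed on this page.
SAMPLE_KEYTAB_B64 = (
    "BQIAAABWAAIACk1PTk9MQUIuU0gABEhUVFAAE2ludGVybmFsLm1vbm9sYWIuc2gA"
    "AAABAAAAAAQAEgAgq9YJTnvZJGMZB6Zs8EgMt38ds7JyZjT46HG9Bf7i/Es="
)

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757, RFC 8009).
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}  # DES and RC4

# Bit values of the AD attribute msDS-SupportedEncryptionTypes (MS-KILE).
MSDS_FLAGS = [(1, "DES_CBC_CRC"), (2, "DES_CBC_MD5"), (4, "RC4_HMAC_MD5"),
              (8, "AES128_CTS_HMAC_SHA1_96"), (16, "AES256_CTS_HMAC_SHA1_96")]
ENCTYPE_TO_MSDS_BIT = {1: 1, 3: 2, 23: 4, 17: 8, 18: 16}


def decode_msds_enctypes(value):
    """Expand an msDS-SupportedEncryptionTypes integer into its flag names."""
    return [name for bit, name in MSDS_FLAGS if value & bit]


class _Reader:
    """Minimal big-endian cursor over a byte string (keytab v2 is big-endian)."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated keytab")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def s32(self): return struct.unpack(">i", self.take(4))[0]
    def counted(self): return self.take(self.u16())  # 16-bit length prefix


def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into entries without key bytes."""
    r = _Reader(data)
    if r.u16() != 0x0502:
        raise ValueError("only keytab version 0x0502 (big-endian) is supported")
    entries = []
    while r.pos < len(data):
        size = r.s32()
        if size < 0:            # negative size marks a deleted slot; skip it
            r.take(-size)
            continue
        if size == 0:
            break
        e = _Reader(r.take(size))
        n_comp = e.u16()
        realm = e.counted().decode()
        comps = [e.counted().decode() for _ in range(n_comp)]
        name_type = e.u32()
        timestamp = e.u32()
        kvno = e.u8()
        enctype = e.u16()
        key = e.counted()
        if len(e.data) - e.pos >= 4:     # optional 32-bit kvno, used when non-zero
            kvno32 = e.u32()
            if kvno32:
                kvno = kvno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
            "key_len": len(key),          # the key itself is never returned
        })
    return entries


def parse_keytab_b64(b64):
    """Convenience wrapper for the base64 form produced by the ktpass step."""
    return parse_keytab(base64.b64decode(b64))


def check_keytab(entries, expected_principal, account_enctypes):
    """Return findings that should block deployment of this keytab."""
    findings = []
    allowed = decode_msds_enctypes(account_enctypes)
    for ent in entries:
        if ent["principal"] != expected_principal:
            findings.append(f"unexpected principal {ent['principal']}")
        if ent["enctype"] in WEAK_ENCTYPES:
            findings.append(f"weak enctype {ent['enctype_name']} in keytab")
        bit = ENCTYPE_TO_MSDS_BIT.get(ent["enctype"])
        if bit is not None and not account_enctypes & bit:
            findings.append(f"account does not permit {ent['enctype_name']} (allowed: {allowed})")
    return findings


if __name__ == "__main__":
    ents = parse_keytab_b64(SAMPLE_KEYTAB_B64)
    for ent in ents:
        print(ent)
    # Constructed expected principal and the msDS-SupportedEncryptionTypes value 24 from above
    print(check_keytab(ents, "HTTP/internal.monolab.sh@MONOLAB.SH", 24))
```

For the sample on this page the parser reports one entry, HTTP/internal.monolab.sh@MONOLAB.SH with enctype 18 (aes256-cts-hmac-sha1-96), kvno 4 and a 32-byte key, and check_keytab returns no findings against the mask 24. The kvno is also worth comparing with the account's msDS-KeyVersionNumber attribute, since ktpass increments it when it resets the password and a stale keytab fails with a key version mismatch.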

Configuring a Windows Client

Add your account application's domain name to the Trusted Sites configuration. You can do this through Group Policy Management or add the account URL directly on each machine.

On Windows machines, Edge, Chrome, Firefox, and Internet Explorer read the Trusted Sites list and present the user's Kerberos ticket to the listed websites automatically.

Configuring a macOS Client

Before you continue, read the following documentation provided by Apple.

https://support.apple.com/guide/deployment/kerberos-sso-extension-depe6a1cda64/web

On macOS, each browser needs its own additional configuration for Kerberos authentication.

Safari

Open Terminal and run the following commands. Replace your-account-app.domain.com with your account application host name.

CODE
# Allow Safari to answer Negotiate challenges from the account application host
defaults write com.apple.Safari 'com.apple.Safari.ContentPageGroupIdentifier.WebKit2HTTPSUpgradeEnabled' -bool false
defaults write com.apple.Safari AuthenticationServerTrustedServers -string "your-account-app.domain.com"
defaults write com.apple.Safari AuthenticationServerWhitelist -string "your-account-app.domain.com"

Restart Safari afterwards.

Chrome

Open Terminal and run the following commands. Replace *.your-domain.com with your own domain, or with the exact host name your-account-app.domain.com.

CODE
# You can use the full account application host name or a wildcard covering every host in your domain.
# AuthServerAllowlist: hosts Chrome may authenticate to with Negotiate (Kerberos).
defaults write com.google.Chrome AuthServerAllowlist "*.your-domain.com"
# AuthNegotiateDelegateAllowlist: hosts Chrome may delegate (forward) the user's Kerberos
# credentials to. This is a broader grant than plain authentication; keep it to the hosts
# that actually need delegation.
defaults write com.google.Chrome AuthNegotiateDelegateAllowlist "*.your-domain.com"

Restart Chrome afterwards.

Other Browsers

Check the other browsers' documentation for adding your account application URL as a trusted website.
