Kerberos authentication with Authentik
In my homelab I have Authentik running as an SSO (OIDC and SAML) platform for web-based applications like Immich. I also have Active Directory running and have already integrated it, so I can log in to Authentik with my Active Directory user and have Windows computers joined to the Active Directory domain.
As a next step I would like to set up SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) so I can use my existing Kerberos ticket on any computer to automatically log in to Authentik, and thus to any service authenticating via it.
Creating a Kerberos keytab
To get started, Authentik first needs a Kerberos keytab file that represents the Authentik service. The keytab file will contain a Kerberos principal for the hostname of Authentik, HTTP/authentik.example.com@EXAMPLE.COM: the principal contains the hostname of the Authentik service and the Kerberos realm (in my case that of my Active Directory domain).
In Active Directory, Kerberos principals get attached to an Active Directory account, either a user or a computer account. It is apparently most common to attach a Kerberos service principal to a user instead of a computer, for one because a web service can be set up for high availability across multiple servers (and thus multiple computers in AD). In my case Authentik is running on Kubernetes, where I have no AD computer identity.
So let's first create a user for Authentik. I'll put it under the Services OU instead of Users; make sure to change the password from Sup6r!Pa$s to something else:
# Single quotes so PowerShell does not expand "$s" inside the password; -Enabled requires a password to be set
New-ADUser -Name "SSO" -GivenName "SSO" -SamAccountName "sso" -AccountPassword (ConvertTo-SecureString 'Sup6r!Pa$s' -AsPlainText -Force) -CannotChangePassword $True -PasswordNeverExpires $True -UserPrincipalName "sso@example.com" -Path "OU=Services,DC=EXAMPLE,DC=com" -Enabled $true
To check that no other account already carries the service principal name, list the users that have any SPN set, together with their SPNs (the default output does not show them):
Get-ADUser -Filter 'ServicePrincipalNames -like "*"' -Properties ServicePrincipalNames | Select-Object SamAccountName, ServicePrincipalNames
Now that we have a user for SPNEGO authentication, we need to create a Kerberos keytab that we can give to Authentik. We do this with the ktpass command on the Domain Controller. It will add the Kerberos service principal to the user and also generate a new random password:
ktpass -out sso-authentik.keytab -princ HTTP/authentik.example.com@EXAMPLE.COM +rndPass -mapuser EXAMPLE\sso -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -mapOp set
Configuring Authentik
Creating the Kerberos source
Now we need to create a new Kerberos source under Directory -> Federation and Social Login. Give it a relevant name and slug (in my case I just used kerberos as the slug).
Make sure to disable Sync users and User password writeback; while these could work, I am not going to use them, as I use an Active Directory source to sync the users.
Under Realm settings enter the Kerberos realm, for example EXAMPLE.COM. I selected Link to a user with identical username, as I sync the users from Active Directory.
Now, under SPNEGO settings we need to provide the Kerberos keytab we created in the previous section. The ktpass command created a keytab file named sso-authentik.keytab, but since Authentik requires it in base64 format in the frontend, we first need to convert it:
[Convert]::ToBase64String([IO.File]::ReadAllBytes("sso-authentik.keytab"))
Paste this base64-encoded string into the SPNEGO keytab field.
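The user creation, SPN check, ktpass and base64 steps above, chained into one script with the verification I would want before handing the keytab to Authentik. This is an added example, not code from the original post; it assumes the ActiveDirectory module is available on the DC, that the sso user already exists, and that $Spn, $Realm and $Account match your environment.

```powershell
# Added example: provision the Authentik SPNEGO keytab with safety checks.
# Assumptions: run on a DC with the ActiveDirectory module, "sso" user exists.
$Spn       = 'HTTP/authentik.example.com'
$Realm     = 'EXAMPLE.COM'
$Account   = 'sso'
$KeytabOut = 'sso-authentik.keytab'

# 1. Refuse to continue if any other user OR computer object already owns this SPN.
#    Duplicate SPNs mean the KDC cannot pick a key, so SPNEGO fails intermittently.
$ssoDn  = (Get-ADUser $Account).DistinguishedName
$owners = Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties servicePrincipalName
$foreign = $owners | Where-Object { $_.DistinguishedName -ne $ssoDn }
if ($foreign) {
    throw "SPN $Spn is already registered on: $($foreign.DistinguishedName -join ', ')"
}

# 2. Create the keytab with a fresh random password, AES256 only.
#    +rndPass rotates the account password, so any previously issued keytab stops working.
ktpass -out $KeytabOut -princ "${Spn}@${Realm}" +rndPass -mapuser "EXAMPLE\$Account" `
       -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -mapOp set
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 3. Verify the SPN landed on the account and that the account advertises AES.
#    If the account only advertises RC4, clients may request RC4 tickets that an
#    AES-only keytab cannot decrypt (the RC4 -> AES problem described in the post).
$user = Get-ADUser $Account -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes'
if ($user.servicePrincipalName -notcontains $Spn) { throw "SPN not attached to $Account" }

$AES128 = 0x08; $AES256 = 0x10   # bit values of msDS-SupportedEncryptionTypes
$etypes = [int]$user.'msDS-SupportedEncryptionTypes'
if (-not ($etypes -band $AES256)) {
    Write-Warning "Account does not advertise AES256; setting AES128+AES256 only (no RC4)"
    Set-ADUser $Account -Replace @{'msDS-SupportedEncryptionTypes' = ($AES128 -bor $AES256)}
}

# 4. Emit the base64 blob that goes into Authentik's SPNEGO keytab field.
[Convert]::ToBase64String([IO.File]::ReadAllBytes((Resolve-Path $KeytabOut)))
```

Treat the resulting keytab like a credential: it is equivalent to the sso account's password, so store it only in Authentik's secret store and delete the local file afterwards.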
Using it in the login stage
Now, to actually use the newly created Kerberos source, we have to add it to a stage in Authentik. Go to Flows and Stages -> Stages, then edit the existing default-authentication-identification stage.
Under Source settings, move the Kerberos source you created from Available Sources to Selected Sources, and click Update.
After logging out, you should see a Kerberos authentication button on the login screen.
Success!
I was able to get it working on NixOS! I did this with the setup I described in my previous blog post about integrating NixOS into Active Directory.
After upgrading the crypto used in the Kerberos keytab from RC4-HMAC (the default I got with the ktpass utility) to AES256-SHA1 and re-adding it to Authentik, I was able to get Kerberos authentication working on Firefox, Chrome and Edge on Windows too!
For Windows, I enabled Kerberos authentication in Chrome using a Group Policy Object (GPO). I might cover this in a future blog post.
As a next step I would like to figure out a way to automatically log in via Kerberos when on an Active Directory joined machine. That way the Authentik SSO flow would be completely seamless, with no clicks needed!