How to add Kerberos Authentication to Your Site With Minimum Efforts
Maxim Thomas
Posted on July 13, 2020
Motivation
Kerberos authentication allows users to authenticate seamlessly to trusted sites. If users already authenticated in a corporate network, there is no need to authenticate to other applications. They just use previously entered credentials. In this article, we will set up Kerberos authentication with your application in several minutes. As an authentication service, we will use Gortas Open Source authentication service
Windows Server Setup
In your Windows Server create Kerberos account, for example gortasKerberos
that will be used for Kerberos authentication. Enable checkboxes User cannot change password
and Password never expires
.
Then create keytab file gortasKerberos.keytab
with ktpass
command:
ktpass -out gortasKerberos.keytab -princ HTTP/auth-service-domain@KERB.DOMAIN -pass +rndPass -maxPass 256 -mapuser gortasKerberos -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL
In this command
-
KERB.DOMAIN
- Kerberos domain name, should be uppercase, change it to yours. -
gortas.domain
- Gortas authenticaion service domain name, change it to yours.
Gortas service and Kerberos should be on different domains, otherwise, Kerberos authentication won't work
Gortas Setup
Create a config file for auth-service with the following contents: gortas-kerberos.yaml
authentication:
realms:
users:
modules:
kerberos:
type: "kerberos"
properties:
keyTabFile: /app/gortasKerberos.keytab
servicePrincipal: HTTP/gortas.domain@KERB.DOMAIN
authChains:
kerberos:
modules:
- id: "kerberos"
userDataStore:
type: "mongodb"
properties:
url: "mongodb://root:changeme@localhost:27017"
database: "users"
collection: "users"
userAttributes:
- "name"
session:
type: "stateless"
expires: 60000
jwt:
issuer: 'http://gortas'
privateKeyPem: |
-----BEGIN RSA PRIVATE KEY-----
MIIBOQIBAAJATmLeD2qa5ejVKJ3rwcSJaZAeRw4CVrUHvi1uVvBah6+6qCdjvH8N
RT+GOI3ymdnilILPHcn51A0XQAXyrvFkgwIDAQABAkAPZUvIK2ARGBIF0D6l6Dw1
B6Fqw02iShwjNjkdykd9rsZ+UwsYHJ9xXSa2xp7eGurIUqyaDxF+53xpE9AH72PB
AiEAlEOIScKvyIqp3ZAxjYUd3feke2AGq4ckoq/dXFvxKHcCIQCHWH+6xKyXqaDL
bG5rq18VQR2Nj7VknY4Eir6Z6LrzVQIgSz3WbXBi2wgb2ngx3ZsfpCToEUCTQftM
iU9srFFwmlMCIFPUbMixqHUHi6BzuLDXpDz15+gWarO3Io+NoCCUFbdBAiEAinVf
Lnb+YDP3L5ZzSNF92P9yBQaopFCifjrUqSS85uw=
-----END RSA PRIVATE KEY-----
dataStore:
type: "mongo"
properties:
url: "mongodb://root:changeme@localhost:27017"
database: "session"
collection: "session"
server:
cors:
allowedOrigins:
- http://localhost:3000
- http://gortas.domain:3000 #add origin for auth-service ui domain
Pay attention to server.cors.allowedOrigins
config parameter, there should be your Gortas service domain.
Then put keytab file to any directory add volume with the kaytab to gortas
in docker-compose.yaml
, so the service could read the file.
Entire docker-compose.yaml
will look like this:
version: '3.7'
services:
gortas:
build:
context: .
ports:
- 8080:8080
depends_on:
- mongo
volumes:
- ./gortasKerberos.keytab:/app/config/gortasKerberos.keytab:ro
- ./auth-config-kerberos.yaml:/app/config/auth-config-kerberos.yaml:ro
command: ["./main", "--config", "./config/auth-config-kerberos.yaml"]
environment:
SESSION_DATASTORE_PROPERTIES_URL: "mongodb://root:changeme@mongo:27017"
gortas-ui:
build:
context: ../auth-service-ui
args:
- REACT_APP_GORTAS_URL=http://gortas.domain:8080
- REACT_APP_GORTAS_SIGN_UP_PATH=/gortas/v1/login/users/kerberos
- REACT_APP_IDM_URL=/gortas/v1/idm
ports:
- 3000:80
mongo:
image: mongo:latest
restart: always
ports:
- 27017:27017
environment:
MONGO_INITDB_ROOT_USERNAME: root
MONGO_INITDB_ROOT_PASSWORD: changeme
Docker-compose file has three services
-
gortas
- gortas authentication service itself, runs on 8080 port -
gotras-ui
- frontend for the authentication service runs on 3000 port -
mongo
- MonogDB for users and services storage Build and run services with docker-compose:
docker-compose up --build
Testing Authentication
Open client application in your browser http://gortas.domain:3000, you should see successful authentication dialog
Or you can use your own javascript. For example:
fetch('http://gortas.domain:8080', {
method: 'POST',
mode: 'cors',
cache: 'no-cache',
credentials: 'include',
headers: {
'Content-Type': 'application/json',
},
redirect: 'follow', // manual, *follow, error
referrer: 'no-referrer', // no-referrer, *client
})
.then(response => console.log(response.json()));
JWT with authenticated user data returned in GortasSession cookie header
maximthomas / gortas
Gortas is an API based authentication service, allows adding authentication to your site or service with minimum efforts.
Posted on July 13, 2020
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.