goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Integrated Windows Authentication / Kerberos Login #2791

Open fl0eb opened 2 years ago

fl0eb commented 2 years ago

Is your feature request related to a problem? Please describe. When logging in through Authentik, users need to provide their username and password.

Describe the solution you'd like Implementing Kerberos support in Authentik would enable a seamless login without the need to enter username and password on domain joined computers.

Describe alternatives you've considered Active Directory Federation Services, Azure AD, PingFederate

Additional context Naturally, Authentik would need to be connected to an Active Directory, Samba or any other directory containing a KDC. Additionally, the DNS name of Authentik needs to be registered as a Service Principal Name in the directory.

scheibling commented 2 years ago

Doesn't Integrated Windows Authentication still require a Windows-based IIS-server joined to the domain to act as an intermediary for Linux-based systems? At least for the seamless login.

fl0eb commented 2 years ago

I'm not sure about the technical details but PingFederate does support Kerberos authentication and can run on RHEL. https://docs.pingidentity.com/bundle/pingfederate-102/page/ykt1564003023206.html

BeryJu commented 2 years ago

There's a difference between Integrated Windows auth and Kerberos: the former mostly "requires" an IIS server, the latter doesn't. I have played around with Kerberos and it does work, except you can't really have it optional, as if your browser doesn't reply with a Kerberos response you just get an HTTP-basic style popup.

I also haven't looked further into it since it requires a bunch of fiddling around with Windows which I don't really feel like (more so as there are more highly requested features).

iYUYUE commented 2 years ago

Will it be possible to do something like the FreeIPA Web UI (/ipa/ui/)? Based on my very limited experience with it, login with Kerberos seems to be tried silently and it only refreshes the page with a logged-in status on success. https://github.com/freeipa/freeipa/blob/master/install/ui/src/freeipa/widgets/LoginScreen.js#L227-L252

CartCaved commented 1 year ago

Hi!

I just deployed Keycloak with Integrated Windows Authentication and had to dive into this topic so I thought I'd share some of what I learned.

First, Integrated Windows Authentication can be done via NTLM or Kerberos, where Kerberos is the preferred approach for Microsoft. The actual authentication is negotiated via something called SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism).

There are two things that are needed on the Windows Active Directory side to enable "Integrated Windows Authentication" through Kerberos:

  1. Create a user account in AD that will contain the SPN (Service Principal Name) for the service that needs to use the authentication. It is basically a user account with a pointer back to the DNS name of the service, which allows AD to create a Kerberos ticket that the service can use.
  2. Generate a "keytab" file for the service to be able to process the Kerberos ticket when it comes.

The keytab file is copied over to the server of the service (authentik). There would need to be an SPNEGO library to use the keytab file to consume requests and consume the Kerberos ticket. There is no need to run IIS for this; Keycloak, WebSphere etc. can do it. Microsoft has this blog post about it.

There is also no need for the service to display the HTTP-basic style popup. From Keycloak:

Keycloak renders the HTML login screen with status 401 and HTTP header WWW-Authenticate: Negotiate

If the browser has a Kerberos ticket from desktop login, the browser transfers the desktop sign-on information to Keycloak in header Authorization: Negotiate 'spnego-token'. Otherwise, it displays the standard login screen, and the user enters the login credentials.

So the library would be able to tell if there is a ticket and, if not, decide to force the issue with an HTTP-style pop-up, but it can also just redirect to the regular login page (or another flow step as needed).

Don't know if any of this helps, but thought to share. If Kerberos is already working, maybe it's not too far to get Integrated Windows Authentication to work as well. I know that it makes the user experience really convenient.
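Added example (not authentik's or Keycloak's code) of the optional Negotiate flow described above: the login page is served with 401 and WWW-Authenticate: Negotiate, a returned Authorization: Negotiate token is decoded and sanity-checked before being handed to a verifier, and anything missing, malformed or non-Kerberos falls back to the ordinary form instead of a credentials popup or a 500. The `verify` callable stands in for the real GSSAPI/keytab acceptor (assumed, not implemented here), and the token bytes and principal are constructed.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Optional

# Stand-in for the GSSAPI acceptor that would consume the token with the keytab:
# returns the authenticated principal, or None if the token does not validate.
TokenVerifier = Callable[[bytes], Optional[str]]

LOGIN_FORM_HTML = "<form method='post'>username / password</form>"  # constructed

# Constructed SPNEGO-style token: DER [APPLICATION 0] wrapping the SPNEGO OID
# 1.3.6.1.5.5.2. A real token also carries the mechanism list and a Kerberos AP-REQ.
CONSTRUCTED_SPNEGO_TOKEN = b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02"
CONSTRUCTED_SPNEGO_TOKEN_B64 = base64.b64encode(CONSTRUCTED_SPNEGO_TOKEN).decode()


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""
    principal: Optional[str] = None


def parse_negotiate_header(value: Optional[str]) -> Optional[bytes]:
    """Return the raw GSS token from 'Authorization: Negotiate <base64>', or None
    when the header is absent, uses another scheme, or is not valid base64."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_gss_token(token: bytes) -> bool:
    """SPNEGO and raw Kerberos GSS tokens start with DER tag 0x60; a raw NTLM
    token starts with the 'NTLMSSP\\0' signature and fails this check."""
    return token[:1] == b"\x60"


def handle_login(headers: dict, verify: TokenVerifier) -> Response:
    """Optional SPNEGO: challenge with 401 + Negotiate but carry the login form
    in the body, so a browser without a ticket simply renders the form."""
    token = parse_negotiate_header(headers.get("Authorization"))
    if token is None or not looks_like_gss_token(token):
        return Response(401, {"WWW-Authenticate": "Negotiate"}, LOGIN_FORM_HTML)
    principal = verify(token)
    if principal is None:
        # A ticket was presented but did not validate: serve the form with 200
        # rather than re-challenging, so the client does not loop on Negotiate.
        return Response(200, {}, LOGIN_FORM_HTML)
    return Response(302, {"Location": "/"}, principal=principal)


def demo_verifier(token: bytes) -> Optional[str]:
    """Constructed verifier: accepts only the constructed token above."""
    return "alice@EXAMPLE.LOCAL" if token == CONSTRUCTED_SPNEGO_TOKEN else None
```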

KamistixX commented 1 year ago

Looking forward to seeing this implemented to authenticate seamlessly in an Microsoft Active Directory-based intranet.

BillyTheBadOne commented 1 year ago

I'd appreciate this feature also. Would ease up the usage for my family members a lot!

rogerlawrence79 commented 11 months ago

Couldn't, and forgive me for my ignorance... Samba provide some level of Windows-based authentication? https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller. I love where this thread is going and it would certainly be useful if exposed in Authentik in some way.

CartCaved commented 11 months ago

Hi all -

It seems this is already on the roadmap, as Desktop authentication (planned), for the non-free version of Authentik (https://goauthentik.io/pricing/). If that's the case, I wouldn't expect it to come to the Open Source version very soon.

Open Source Authentik should be able to use another authentication system as an IDP providing SAML or OAuth, such as Keycloak, ADFS, etc. That would require two systems, but all the logic and authorization can be managed through Authentik.

scheibling commented 11 months ago

Windows Integrated Login and Desktop Authentication are two separate features as far as I can tell. This thread is more about the integrated/automatic login you get when accessing a website from a computer on an AD domain, while the desktop auth seems to be described more as a 2FA/MFA solution for Windows login, if I understand that correctly.

CartCaved commented 11 months ago

I guess we'll see down the line.

BeGj commented 11 months ago

As long as Kerberos SSO is not supported in Authentik we are not able to move from Keycloak.

bbrendon commented 9 months ago

Hi @amrelsaqqa-vxlabs . You vote by clicking the thumbs up on the first comment. Writing text here to vote is considered spam.

BeryJu commented 6 months ago

Kerberos support as a provider is in progress under #6391.

Additionally, we're also planning to support this with a Windows Credential Provider in the future.