summaryrefslogtreecommitdiffstats
path: root/docs/content/doc/features/authentication.en-us.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/content/doc/features/authentication.en-us.md')
-rw-r--r--docs/content/doc/features/authentication.en-us.md39
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/content/doc/features/authentication.en-us.md b/docs/content/doc/features/authentication.en-us.md
index afa9219676..be2e32db63 100644
--- a/docs/content/doc/features/authentication.en-us.md
+++ b/docs/content/doc/features/authentication.en-us.md
@@ -216,3 +216,42 @@ configure this, set the fields below:
- Log in to Gitea as an Administrator and click on "Authentication" under Admin Panel.
Then click `Add New Source` and fill in the details, changing all where appropriate.
+
+## SPNEGO with SSPI (Kerberos/NTLM, for Windows only)
+
+Gitea supports SPNEGO single sign-on authentication (the scheme defined by RFC4559) for the web part of the server via the Security Support Provider Interface (SSPI) built in Windows. SSPI works only in Windows environments - when both the server and the clients are running Windows.
+
+Before activating SSPI single sign-on authentication (SSO) you have to prepare your environment:
+
+- Create a separate user account in active directory, under which the `gitea.exe` process will be running (eg. `user` under domain `domain.local`):
+
+- Create a service principal name for the host where `gitea.exe` is running with class `HTTP`:
+ - Start `Command Prompt` or `PowerShell` as a priviledged domain user (eg. Domain Administrator)
+ - Run the command below, replacing `host.domain.local` with the fully qualified domain name (FQDN) of the server where the web application will be running, and `domain\user` with the name of the account created in the previous step:
+ ```
+ setspn -A HTTP/host.domain.local domain\user
+ ```
+
+- Sign in (*sign out if you were already signed in*) with the user created
+
+- Make sure that `ROOT_URL` in the `[server]` section of `custom/conf/app.ini` is the fully qualified domain name of the server where the web application will be running - the same you used when creating the service principal name (eg. `host.domain.local`)
+
+- Start the web server (`gitea.exe web`)
+
+- Enable SSPI authentication by adding an `SPNEGO with SSPI` authentication source in `Site Administration -> Authentication Sources`
+
+- Sign in to a client computer in the same domain with any domain user (client computer, different from the server running `gitea.exe`)
+
+- If you are using Chrome, Edge or Internet Explorer, add the URL of the web app to the Local intranet sites (`Internet Options -> Security -> Local intranet -> Sites`)
+
+- Start Chrome, Edge or Internet Explorer and navigate to the FQDN URL of gitea (eg. `http://host.domain.local:3000`)
+
+- Click the `Sign In` button on the dashboard and choose SSPI to be automatically logged in with the same user that is currently logged on to the computer
+
+- If it does not work, make sure that:
+ - You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are runnning on the same computer NTLM will be prefered over Kerberos.
+ - There is only one `HTTP/...` SPN for the host
+ - The SPN contains only the hostname, without the port
+ - You have added the URL of the web app to the `Local intranet zone`
+ - The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)
+ - `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-28 19:42:18 +0000