diff options
Diffstat (limited to 'docs/content/doc')
-rw-r--r-- | docs/content/doc/features/authentication.en-us.md | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/docs/content/doc/features/authentication.en-us.md b/docs/content/doc/features/authentication.en-us.md index afa9219676..be2e32db63 100644 --- a/docs/content/doc/features/authentication.en-us.md +++ b/docs/content/doc/features/authentication.en-us.md @@ -216,3 +216,42 @@ configure this, set the fields below: - Log in to Gitea as an Administrator and click on "Authentication" under Admin Panel. Then click `Add New Source` and fill in the details, changing all where appropriate. + +## SPNEGO with SSPI (Kerberos/NTLM, for Windows only) + +Gitea supports SPNEGO single sign-on authentication (the scheme defined by RFC4559) for the web part of the server via the Security Support Provider Interface (SSPI) built in Windows. SSPI works only in Windows environments - when both the server and the clients are running Windows. + +Before activating SSPI single sign-on authentication (SSO) you have to prepare your environment: + +- Create a separate user account in active directory, under which the `gitea.exe` process will be running (eg. `user` under domain `domain.local`): + +- Create a service principal name for the host where `gitea.exe` is running with class `HTTP`: + - Start `Command Prompt` or `PowerShell` as a priviledged domain user (eg. Domain Administrator) + - Run the command below, replacing `host.domain.local` with the fully qualified domain name (FQDN) of the server where the web application will be running, and `domain\user` with the name of the account created in the previous step: + ``` + setspn -A HTTP/host.domain.local domain\user + ``` + +- Sign in (*sign out if you were already signed in*) with the user created + +- Make sure that `ROOT_URL` in the `[server]` section of `custom/conf/app.ini` is the fully qualified domain name of the server where the web application will be running - the same you used when creating the service principal name (eg. `host.domain.local`) + +- Start the web server (`gitea.exe web`) + +- Enable SSPI authentication by adding an `SPNEGO with SSPI` authentication source in `Site Administration -> Authentication Sources` + +- Sign in to a client computer in the same domain with any domain user (client computer, different from the server running `gitea.exe`) + +- If you are using Chrome, Edge or Internet Explorer, add the URL of the web app to the Local intranet sites (`Internet Options -> Security -> Local intranet -> Sites`) + +- Start Chrome, Edge or Internet Explorer and navigate to the FQDN URL of gitea (eg. `http://host.domain.local:3000`) + +- Click the `Sign In` button on the dashboard and choose SSPI to be automatically logged in with the same user that is currently logged on to the computer + +- If it does not work, make sure that: + - You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are runnning on the same computer NTLM will be prefered over Kerberos. + - There is only one `HTTP/...` SPN for the host + - The SPN contains only the hostname, without the port + - You have added the URL of the web app to the `Local intranet zone` + - The clocks of the server and client should not differ with more than 5 minutes (depends on group policy) + - `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`) |