2019-12-11 19:16:36 +00:00
---
2020-01-18 00:18:09 +00:00
layout: docs
page_title: Kerberos - Auth Methods
description: The Kerberos auth method allows automated authentication of Kerberos entities.
2019-12-11 19:16:36 +00:00
---
# Kerberos Auth Method
2022-06-01 19:41:11 +00:00
@include 'x509-sha1-deprecation.mdx'
2019-12-11 19:16:36 +00:00
The `kerberos` auth method provides an automated mechanism to retrieve
a Vault token for Kerberos entities.
[Kerberos](https://web.mit.edu/kerberos/) is a network authentication
2020-01-18 00:18:09 +00:00
protocol invented by MIT in the 1980s. Its name is inspired by Cerberus,
2019-12-11 19:16:36 +00:00
the three-headed hound of Hades from Greek mythology. The three heads
refer to Kerberos' three entities - an authentication server, a ticket
granting server, and a principals database. Kerberos underlies
authentication in Active Directory, and its purpose is to _distribute_
a network's authentication workload.
2020-01-18 00:18:09 +00:00
Vault's Kerberos auth method was originally written by the folks at
2019-12-11 19:16:36 +00:00
[Winton](https://github.com/wintoncode), to whom we owe a special thanks
2020-01-18 00:18:09 +00:00
for both originally building the plugin, and for collaborating to bring
2019-12-11 19:16:36 +00:00
it into HashiCorp's maintenance.
## Prerequisites
2020-01-18 00:18:09 +00:00
Kerberos is a very hands-on auth method. Other auth methods like
2020-01-22 20:05:41 +00:00
[LDAP](/docs/auth/ldap) and
[Azure](/docs/auth/azure) only require
2019-12-11 19:16:36 +00:00
a cursory amount of knowledge for configuration and use.
Kerberos, on the other hand, is best used by people already familiar
with it. We recommend that you use simpler authentication methods if
2020-01-18 00:18:09 +00:00
your use case is achievable through them. If not, we recommend that
2019-12-11 19:16:36 +00:00
before approaching Kerberos, you become familiar with its fundamentals.
- [MicroNugget: How Kerberos Works in Windows Active Directory](https://www.youtube.com/watch?v=kp5d8Yv3-0c)
- [MIT's Kerberos Documentation](https://web.mit.edu/kerberos/)
- [Kerberos: The Definitive Guide](https://www.amazon.com/Kerberos-Definitive-Guide-ebook-dp-B004P1J81C/dp/B004P1J81C/ref=mt_kindle?_encoding=UTF8&me=&qid=1573685442)
Regardless of how you gain your knowledge, before using this auth method,
ensure you are comfortable with Kerberos' high-level architecture, and
ensure you've gone through the exercise of:
- Creating a valid `krb5.conf` file
- Creating a valid `keytab` file
- Authenticating to your domain server with your `keytab` file using `kinit`
With that knowledge in hand, and with an environment that's already tested
and confirmed working, you will be ready to use Kerberos with Vault.
## Configuration
2020-01-18 00:18:09 +00:00
- Enable Kerberos authentication in Vault:
2019-12-11 19:16:36 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ vault auth enable \
-passthrough-request-headers=Authorization \
-allowed-response-headers=www-authenticate \
kerberos
```
2020-01-18 00:18:09 +00:00
- Create a `keytab` for the Kerberos plugin:
2019-12-11 19:16:36 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ ktutil
ktutil: addent -password -p your_service_account@REALM.COM -e aes256-cts -k 1
Password for your_service_account@REALM.COM:
ktutil: list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 your_service_account@REALM.COM (aes256-cts-hmac-sha1-96)
ktutil: wkt vault.keytab
```
2020-01-18 00:18:09 +00:00
The KVNO (`-k 1`) should match the KVNO of the service account. An error will show in the Vault logs if this is incorrect.
Different encryption types can also be added to the `keytab`, for example `-e rc4-hmac` with additional `addent` commands.
Then base64 encode it:
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ base64 vault.keytab > vault.keytab.base64
```
2020-01-18 00:18:09 +00:00
- Configure the Kerberos auth method with the `keytab` and
entry name that will be used to verify inbound login
requests:
2019-12-11 19:16:36 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ vault write auth/kerberos/config \
keytab=@vault.keytab.base64 \
service_account="vault_svc"
```
2020-01-18 00:18:09 +00:00
- Configure the Kerberos auth method to communicate with
LDAP using the service account configured above. This is
a sample LDAP configuration. Yours will vary. Ensure you've
first tested your configuration from the Vault server using
a tool like `ldapsearch`.
2019-12-11 19:16:36 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ vault write auth/kerberos/config/ldap \
binddn=vault_svc@MATRIX.LAN \
bindpass=$VAULT_SVC_PASSWORD \
groupattr=sAMAccountName \
groupdn="DC=MATRIX,DC=LAN" \
groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
userdn="CN=Users,DC=MATRIX,DC=LAN" \
userattr=sAMAccountName \
upndomain=MATRIX.LAN \
url=ldaps://somewhere.foo
```
2020-01-18 00:18:09 +00:00
2019-12-11 19:16:36 +00:00
The LDAP above relies upon the same code as the LDAP auth method.
2020-01-22 20:05:41 +00:00
See [its documentation](/docs/auth/ldap)
2020-01-18 00:18:09 +00:00
for further discussion of available parameters.
- Configure the Vault policies that should be granted to those
who successfully authenticate based on their LDAP group membership.
Since this is identical to the LDAP auth method, see
2020-01-22 20:05:41 +00:00
[Group Membership Resolution](/docs/auth/ldap#group-membership-resolution)
2020-03-31 19:21:16 +00:00
and [LDAP Group -> Policy Mapping](/docs/auth/ldap#ldap-group-policy-mapping)
2020-01-18 00:18:09 +00:00
for further discussion.
2019-12-11 19:16:36 +00:00
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ vault write auth/kerberos/groups/engineering-team \
policies=engineers
```
The above group grants the "engineers" policy to those who authenticate
via Kerberos and are found to be members of the "engineering-team" LDAP
group.
## Authentication
From a client machine with a valid `krb5.conf` and `keytab`, perform a command
like the following:
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ vault login -method=kerberos \
username=grace \
service=HTTP/my-service \
realm=MATRIX.LAN \
keytab_path=/etc/krb5/krb5.keytab \
2020-03-13 22:45:40 +00:00
krb5conf_path=/etc/krb5.conf \
disable_fast_negotiation=false
2019-12-11 19:16:36 +00:00
```
- `krb5conf_path` is the path to a valid `krb5.conf` file describing how to
2020-01-18 00:18:09 +00:00
communicate with the Kerberos environment.
2019-12-11 19:16:36 +00:00
- `keytab_path` is the path to the `keytab` in which the entry lives for the
2020-01-24 22:40:41 +00:00
entity authenticating to Vault. Keytab files should be protected from other
users on a shared server using appropriate file permissions.
2020-01-18 00:18:09 +00:00
- `username` is the username for the entry _within_ the `keytab` to use for
logging into Kerberos. This username must match a service account in LDAP.
2019-12-11 19:16:36 +00:00
- `service` is the service principal name to use in obtaining a service ticket for
2020-01-18 00:18:09 +00:00
gaining a SPNEGO token. This service must exist in LDAP.
2019-12-11 19:16:36 +00:00
- `realm` is the name of the Kerberos realm. This realm must match the UPNDomain
2020-01-18 00:18:09 +00:00
configured on the LDAP connection. This check is case-sensitive.
2020-03-13 22:45:40 +00:00
- `disable_fast_negotiation` is for disabling the Kerberos auth method's default
of using FAST negotiation. FAST is a pre-authentication framework for Kerberos.
It includes a mechanism for tunneling pre-authentication exchanges using armoured
KDC messages. FAST provides increased resistance to passive password guessing attacks.
Some common Kerberos implementations do not support FAST negotiation.
2022-08-04 20:38:12 +00:00
- `remove_instance_name` removes any instance names from a Kerberos service
principal name when parsing the keytab file. For example when this is set to true,
if a keytab has the service principal name `foo/localhost@example.com`, the CLI
will strip the service principal name to just be `foo@example.com`.
2019-12-11 19:16:36 +00:00
## Troubleshooting
### Identify the Malfunctioning Piece
Once the malfunctioning piece of the journey is identified, you can focus
your debugging efforts in the most useful direction.
1. Use `ldapsearch` while logged into your machine hosting Vault to ensure
2020-01-18 00:18:09 +00:00
your LDAP configuration is functional.
2. Authenticate to your domain server using `kinit`, your `keytab`, and your
`krb5.conf`. Do this with both Vault's `keytab`, and any client `keytab` being
used for logging in. This ensures your Kerberos network is working.
3. While logged into your client machine, verify you can reach Vault
through the following command: `$ curl $VAULT_ADDR/v1/sys/health`.
2019-12-11 19:16:36 +00:00
### Build Clear Steps to Reproduce the Problem
If possible, make it easy for someone else to reproduce the problem who
2020-01-18 00:18:09 +00:00
is outside of your company. For instance, if you expect that you should
2019-12-11 19:16:36 +00:00
be able to login using a command like:
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ vault login -method=kerberos \
username=my-name \
service=HTTP/my-service \
realm=EXAMPLE.COM \
keytab_path=/etc/krb5/krb5.keytab \
krb5conf_path=/etc/krb5.conf
```
2020-01-18 00:18:09 +00:00
Then make sure you're ready to share the error output of that command, the
2019-12-11 19:16:36 +00:00
contents of the `krb5.conf` file, and [the entries listed](https://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjs1q/index.html)
in the `keytab` file.
After you've stripped the issue down to its simplest form, if you still
encounter difficulty resolving it, it will be much easier to gain assistance
by posting your reproduction to the [Vault Forum](https://discuss.hashicorp.com/c/vault)
2020-01-22 20:05:41 +00:00
or by providing it to [HashiCorp Support](https://www.hashicorp.com/support)
2019-12-11 19:16:36 +00:00
(if applicable.)
### Additional Troubleshooting Resources
- [Troubleshooting Vault](https://learn.hashicorp.com/vault/operations/troubleshooting-vault)
- [The plugin's code](https://github.com/hashicorp/vault-plugin-auth-kerberos)
The Vault Kerberos library has a working integration test environment that
2020-01-18 00:18:09 +00:00
can be referenced as an example of a full Kerberos and LDAP environment.
It runs through Docker and can be started through either one of the following
2019-12-11 19:16:36 +00:00
commands:
2020-05-21 17:18:17 +00:00
```shell-session
2019-12-11 19:16:36 +00:00
$ make integration
$ make dev-env
```
These commands run variations of [a script](https://github.com/hashicorp/vault-plugin-auth-kerberos/blob/master/scripts/integration_env.sh)
2020-01-18 00:18:09 +00:00
that spins up a full environment, adds users, and executes a login from a
2019-12-11 19:16:36 +00:00
client.
## API
The Kerberos auth method has a full HTTP API. Please see the
2022-03-18 01:14:48 +00:00
[Kerberos auth method API](/api-docs/auth/kerberos) for more
2019-12-11 19:16:36 +00:00
details.