FreeIPA
Draft version. Content is hallucinated. Do not use!

Kerberos Authentication

Enterprise-grade Single Sign-On with MIT Kerberos KDC for secure, centralized authentication

Overview

FreeIPA provides robust authentication services through its integrated MIT Kerberos Key Distribution Center (KDC). This enables enterprise-wide Single Sign-On (SSO) capabilities, allowing users to authenticate once and access multiple services without repeatedly entering credentials.

Key Capabilities

Single Sign-On (SSO)

Users authenticate once to receive a Ticket Granting Ticket (TGT), which is then used to obtain service tickets for accessing various resources across the network. This eliminates password fatigue and reduces password exposure: the password is entered once at logon rather than sent to every service the user accesses.

Service Ticket Management

FreeIPA automatically manages service principals and keytabs for enrolled hosts and services. This includes:

  • Automatic keytab generation and distribution
  • Service principal creation and lifecycle management
  • Credential caching for improved performance
  • Automatic ticket renewal

Cross-Realm Trust

Establish trust relationships with other Kerberos realms or Active Directory domains to enable federated authentication:

  • Two-way and one-way trusts
  • Forest-level and domain-level trusts with Active Directory
  • Selective authentication and SID filtering
  • Automatic principal mapping

How It Works

  1. Initial Authentication: User provides credentials to the KDC
  2. TGT Issuance: KDC validates credentials and issues a TGT
  3. Service Access: Client presents TGT to request service tickets
  4. Service Tickets: KDC issues tickets for specific services
  5. Secure Access: Client uses service ticket to authenticate to target service
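The five steps above, modelled end to end in a small Python program. This is an added example, not FreeIPA or MIT Kerberos code: tickets are sealed with HMAC-SHA256 (integrity only) instead of being AES-encrypted, and the realm, principals and passwords are constructed sample values. It also shows the encrypted-timestamp pre-authentication and the 5-minute clock-skew check that the Security Features and Best Practices sections refer to: a wrong password, a client clock more than 300 seconds off, an expired ticket and a tampered ticket are all rejected.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added model of the five-step flow; not FreeIPA or MIT Kerberos code. Tickets are
# sealed with HMAC-SHA256 (integrity only) instead of AES encryption so the shape of
# the exchange stays readable. Realm, principals and passwords are constructed.

MAX_SKEW = 300        # seconds: the 5-minute clock-skew tolerance
TGT_LIFETIME = 36000  # seconds: 10 hours, a typical default ticket lifetime
TAG_LEN = 32          # length of an HMAC-SHA256 tag

def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string2key (PBKDF2, as the AES enctypes use)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def seal(key: bytes, payload: dict) -> bytes:
    """Bind a ticket body to a key: only a holder of `key` can mint or verify it."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag and return the body; raise if the ticket was forged or altered."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        raise PermissionError("ticket integrity check failed")
    return json.loads(body)

class KDC:
    """Holds every principal's long-term key, as the FreeIPA KDC does."""

    def __init__(self, realm: str):
        self.realm = realm
        self.tgs_name = "krbtgt/" + realm
        self.keys = {self.tgs_name: secrets.token_bytes(32)}

    def add_user(self, name: str, password: str) -> bytes:
        self.keys[name] = string_to_key(password, self.realm + name)
        return self.keys[name]

    def add_service(self, name: str) -> bytes:
        """Random key, as ipa-getkeytab generates when it writes a service keytab."""
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def as_exchange(self, client: str, preauth: bytes, now: float):
        """Steps 1-2: check encrypted-timestamp pre-authentication, then issue a TGT."""
        client_key = self.keys[client]
        timestamp = unseal(client_key, preauth)["timestamp"]  # wrong password fails here
        if abs(now - timestamp) > MAX_SKEW:
            raise PermissionError("clock skew too great")
        session = secrets.token_hex(16)
        tgt = seal(self.keys[self.tgs_name],
                   {"client": client, "session": session, "expires": now + TGT_LIFETIME})
        return tgt, seal(client_key, {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Steps 3-4: validate the TGT and the client's authenticator, issue a service ticket."""
        tgt_body = unseal(self.keys[self.tgs_name], tgt)  # only the KDC can read or mint TGTs
        if now > tgt_body["expires"]:
            raise PermissionError("TGT expired")
        session = bytes.fromhex(tgt_body["session"])
        if abs(now - unseal(session, authenticator)["timestamp"]) > MAX_SKEW:
            raise PermissionError("authenticator outside the skew window")
        svc_session = secrets.token_hex(16)
        ticket = seal(self.keys[service], {"client": tgt_body["client"],
                                           "session": svc_session, "expires": now + TGT_LIFETIME})
        return ticket, seal(session, {"session": svc_session})

def client_login(kdc: KDC, user: str, password: str, service: str,
                 now: Optional[float] = None, skew: float = 0.0) -> bytes:
    """Client side of steps 1-4; `skew` is how far the client's clock is off from the KDC's."""
    now = time.time() if now is None else now
    user_key = string_to_key(password, kdc.realm + user)
    tgt, reply = kdc.as_exchange(user, seal(user_key, {"timestamp": now + skew}), now)
    session = bytes.fromhex(unseal(user_key, reply)["session"])
    ticket, _ = kdc.tgs_exchange(tgt, seal(session, {"timestamp": now + skew}), service, now)
    return ticket

def service_accept(service_key: bytes, ticket: bytes, now: Optional[float] = None) -> str:
    """Step 5: the service checks the ticket with its own keytab key, without asking the KDC."""
    now = time.time() if now is None else now
    body = unseal(service_key, ticket)
    if now > body["expires"]:
        raise PermissionError("service ticket expired")
    return body["client"]

if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")
    kdc.add_user("alice", "correct horse battery staple")
    http_key = kdc.add_service("HTTP/webapp.example.com")
    ticket = client_login(kdc, "alice", "correct horse battery staple", "HTTP/webapp.example.com")
    print("service accepted:", service_accept(http_key, ticket))
```

The point to notice is who can read what: the client never sees inside the TGT (sealed under the krbtgt key) or the service ticket (sealed under the service's key), and the service validates the ticket purely with the key from its own keytab, which is why step 5 needs no round trip to the KDC. The pre-authentication step is what stops the KDC from handing password-derived material to anyone who merely names a user.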

Security Features

  • Strong cryptographic algorithms (AES-256, AES-128)
  • Pre-authentication, so the KDC issues no password-encrypted material to a requester who has not first proved knowledge of the password, which removes the easy path to offline brute-force attacks
  • Ticket lifetime and renewal policies
  • Fine-grained authentication indicators
  • PKINIT support for certificate-based authentication

Integration Examples

SSH Authentication

# SSH with Kerberos (GSSAPI) authentication. -K enables GSSAPI authentication and also
# forwards (delegates) the user's TGT to the server, so use it only where the remote
# host legitimately needs to act on the user's behalf. With GSSAPIAuthentication
# enabled in ssh_config, a plain "ssh user@server.example.com" authenticates with the
# existing TGT without delegating it.
ssh -K user@server.example.com

Web Application SSO

Configure Apache with mod_auth_gssapi for seamless web SSO:

<Location /protected>
  AuthType GSSAPI
  AuthName "FreeIPA Login"
  GssapiCredStore keytab:/etc/httpd/http.keytab
  Require valid-user
</Location>

Use Cases

Enterprise Desktop SSO

Enable Windows and Linux desktop users to authenticate once and access all corporate resources, including file shares, web applications, and databases.

Service-to-Service Authentication

Secure communication between microservices and applications using Kerberos authentication without managing passwords in configuration files.

Multi-Forest Environments

Establish trusts between multiple FreeIPA deployments or with Active Directory forests to enable seamless cross-organization authentication.

Best Practices

  1. Clock Synchronization: Ensure all systems maintain synchronized clocks; Kerberos rejects requests whose timestamps fall outside the default 5-minute skew window
  2. DNS Configuration: Properly configure DNS with SRV records for KDC discovery
  3. Keytab Security: Protect keytab files with appropriate permissions (600)
  4. Ticket Policies: Configure appropriate ticket lifetimes based on security requirements
  5. Monitoring: Regularly audit authentication logs for suspicious activity
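A small audit script for the keytab practice above, added here as an example and not part of FreeIPA. It walks a directory for `*.keytab` files and reports any that are group- or world-accessible (anything other than mode 0600), not owned by the expected account, symbolic links, or not a version-2 keytab at all (MIT keytab files begin with the bytes 0x05 0x02). The sample files it checks are constructed in a temporary directory so the script runs offline; on a real host you would point `audit_tree()` at `/etc` or the service's directory and pass the service account's uid.

```python
import os
import stat
import tempfile
from typing import Dict, List, Optional

# Added example, not FreeIPA code: audit keytab files against the practices above
# (mode 0600, owned by the account that uses them, no symlinks, a valid keytab header).
# The sample files are constructed in a temporary directory so the check runs offline.

KEYTAB_MAGIC = b"\x05\x02"  # first two bytes of a version-2 MIT keytab file

def audit_keytab(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return the findings for one keytab; an empty list means it passes."""
    findings: List[str] = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["is a symbolic link; audit the target file instead"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group or other access (want 0600)")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    try:
        with open(path, "rb") as fh:
            header = fh.read(2)
    except PermissionError:
        return findings + ["not readable by the auditing user; rerun as root"]
    if header != KEYTAB_MAGIC:
        findings.append(f"unexpected header {header.hex()} (not a version-2 keytab)")
    return findings

def audit_tree(root: str, expected_uid: Optional[int] = None) -> Dict[str, List[str]]:
    """Audit every *.keytab below `root`; the result maps each path to its findings."""
    results: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".keytab"):
                full = os.path.join(dirpath, name)
                results[full] = audit_keytab(full, expected_uid)
    return results

def build_sample_tree() -> str:
    """Constructed sample: one correctly protected keytab and two that violate the practices."""
    root = tempfile.mkdtemp(prefix="keytab-audit-")
    samples = {
        "good.keytab": (KEYTAB_MAGIC + b"\x00" * 16, 0o600),            # passes
        "world-readable.keytab": (KEYTAB_MAGIC + b"\x00" * 16, 0o644),  # bad mode
        "bogus.keytab": (b"not a keytab", 0o600),                        # bad header
    }
    for name, (content, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for path, findings in audit_tree(build_sample_tree(), expected_uid=os.getuid()).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it periodically (or from the monitoring job in item 5) and treat any non-empty finding as a ticket to investigate: a keytab readable by other users is equivalent to that service's long-term key being shared with them.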

Getting Started

To enable Kerberos authentication for a new service:

# Create the service principal (requires a privileged credential, e.g. after kinit admin)
ipa service-add HTTP/webapp.example.com

# Generate the keytab on the host that will run the service. By default this
# generates new keys for the principal, which invalidates any keytab fetched
# for it earlier; add -r to retrieve the existing keys instead, provided the
# calling identity has been allowed to retrieve them.
ipa-getkeytab -s ipa.example.com -p HTTP/webapp.example.com -k /etc/webapp/http.keytab

# Restrict the keytab to the service account: it is equivalent to the service's password
chmod 600 /etc/webapp/http.keytab
chown webapp:webapp /etc/webapp/http.keytab