Add single sign-on support via SSPI on Windows (#8463)
* Add single sign-on support via SSPI on Windows
* Ensure plugins implement interface
* Ensure plugins implement interface
* Move functions used only by the SSPI auth method to sspi_windows.go
* Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected
* Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links.
* Update documentation for the new 'SPNEGO with SSPI' login source
* Mention in documentation that ROOT_URL should contain the FQDN of the server
* Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing)
* Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources)
* Add option in SSPIConfig for removing of domains from logon names
* Update helper text for StripDomainNames option
* Make sure handleSignIn() is called after a new user object is created by SSPI auth method
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <[email protected]>
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <[email protected]>
* Remove default value from text of form field helper
Co-Authored-By: Lauris BH <[email protected]>
* Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates
* Remove code duplication
* Log errors in ActiveLoginSources
Co-Authored-By: Lauris BH <[email protected]>
* Revert suffix of randomly generated E-mails for Reverse proxy authentication
Co-Authored-By: Lauris BH <[email protected]>
* Revert unneeded white-space change in template
Co-Authored-By: Lauris BH <[email protected]>
* Add copyright comments at the top of new files
* Use loopback name for randomly generated emails
* Add locale tag for the SSPISeparatorReplacement field with proper casing
* Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields
* Update docs/content/doc/features/authentication.en-us.md
Co-Authored-By: guillep2k <[email protected]>
* Remove Priority() method and define the order in which SSO auth methods should be executed in one place
* Log authenticated username only if it's not empty
* Rephrase helper text for automatic creation of users
* Return error if more than one active SSPI auth source is found
* Change newUser() function to return error, letting caller log/handle the error
* Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed
* Refactor initialization of the list containing SSO auth methods
* Validate SSPI settings on POST
* Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non-authenticated users to login page
* Make 'Default language' in SSPI config empty, unless changed by admin
* Show error if admin tries to add a second authentication source of type SSPI
* Simplify declaration of global variable
* Rebuild gitgraph.js on Linux
* Make sure config values containing only whitespace are not accepted
docs/content/doc/features/authentication.en-us.md
39 additions & 0 deletions
@@ -216,3 +216,42 @@ configure this, set the fields below:
216
216
217
217
- Log in to Gitea as an Administrator and click on "Authentication" under Admin Panel.
218
218
Then click `Add New Source` and fill in the details, changing all where appropriate.
219
+
220
+
## SPNEGO with SSPI (Kerberos/NTLM, for Windows only)
221
+
222
+
Gitea supports SPNEGO single sign-on authentication (the scheme defined by RFC4559) for the web part of the server via the Security Support Provider Interface (SSPI) built in Windows. SSPI works only in Windows environments - when both the server and the clients are running Windows.
223
+
224
+
Before activating SSPI single sign-on authentication (SSO) you have to prepare your environment:
225
+
226
+
- Create a separate user account in active directory, under which the `gitea.exe` process will be running (eg. `user` under domain `domain.local`):
227
+
228
+
- Create a service principal name for the host where `gitea.exe` is running with class `HTTP`:
229
+
- Start `Command Prompt` or `PowerShell` as a priviledged domain user (eg. Domain Administrator)
230
+
- Run the command below, replacing `host.domain.local` with the fully qualified domain name (FQDN) of the server where the web application will be running, and `domain\user` with the name of the account created in the previous step:
231
+
```
232
+
setspn -A HTTP/host.domain.local domain\user
233
+
```
234
+
235
+
- Sign in (*sign out if you were already signed in*) with the user created
236
+
237
+
- Make sure that `ROOT_URL` in the `[server]` section of `custom/conf/app.ini` is the fully qualified domain name of the server where the web application will be running - the same you used when creating the service principal name (eg. `host.domain.local`)
238
+
239
+
- Start the web server (`gitea.exe web`)
240
+
241
+
- Enable SSPI authentication by adding an `SPNEGO with SSPI` authentication source in `Site Administration -> Authentication Sources`
242
+
243
+
- Sign in to a client computer in the same domain with any domain user (client computer, different from the server running `gitea.exe`)
244
+
245
+
- If you are using Chrome, Edge or Internet Explorer, add the URL of the web app to the Local intranet sites (`Internet Options -> Security -> Local intranet -> Sites`)
246
+
247
+
- Start Chrome, Edge or Internet Explorer and navigate to the FQDN URL of gitea (eg. `http://host.domain.local:3000`)
248
+
249
+
- Click the `Sign In` button on the dashboard and choose SSPI to be automatically logged in with the same user that is currently logged on to the computer
250
+
251
+
- If it does not work, make sure that:
252
+
- You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are runnning on the same computer NTLM will be prefered over Kerberos.
253
+
- There is only one `HTTP/...` SPN for the host
254
+
- The SPN contains only the hostname, without the port
255
+
- You have added the URL of the web app to the `Local intranet zone`
256
+
- The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)
257
+
-`Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)
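Review bot: the final troubleshooting bullet (`-\`Integrated Windows Authentication\` should be enabled ...`) has no space after the hyphen, so Markdown will render it as a paragraph rather than as the last item of the "make sure that" list; the same hunk also carries three typos ("priviledged", "runnning", "prefered") and the clock-skew bullet should read "differ by more than 5 minutes". More substantively, the new section describes none of the login-source options that the commit message introduces (automatic creation of users, StripDomainNames, SSPISeparatorReplacement, default language), so an administrator reading this page cannot tell what the source will do once enabled: suggest a short list of those fields after the "Enable SSPI authentication" step, stating in particular that with automatic user creation turned on any account in the domain that can reach the server obtains a Gitea user, and that stripping the domain from logon names means users from different domains with the same account name map to the same Gitea login, so that option should only be enabled in a single-domain forest. It would also help to say why `ROOT_URL` must be the FQDN: the browser builds the `HTTP/<host>` service ticket request from the URL host, so a mismatch with the SPN registered via `setspn` is the usual reason the SSO handshake silently falls back to the login form.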