Minimal support for Windows Negotiate style web authentication (Kerberos)

Problem

Ultimate customers with Windows domains often have line-of-business (LOB) applications that rely on Windows integrated authentication. For modern domains this means Kerberos authentication.

In order to perform Kerberos authentication, the following must happen:

  1. The Chromium process must be started with two additional flags whose values are supplied by the user (the corresponding Chrome policies):
    1. https://chromeenterprise.google/policies/#AuthServerAllowlist
    2. https://chromeenterprise.google/policies/#AuthNegotiateDelegateAllowlist
    3. https://chromeenterprise.google/policies/?policy=AmbientAuthenticationInPrivateModesEnabled
  2. Additional Kerberos packages must be installed in the DAST image.
  3. A Kerberos configuration file must be created in /etc containing the Kerberos realm information.
  4. kinit must be called to obtain an authentication ticket.

Most of this can be done in a before_script, with the exception of how Chromium is launched.

Proposal

The minimum change possible to support Kerberos is to add a new variable that launches Chromium with the correct flags, and to add the needed packages to the container image.

  1. DAST_AUTH_NEGOTIATE_DELEGATE: *.example.com,example.com,*.EXAMPLE.COM,EXAMPLE.COM
  2. Packages to add:
    1. krb5-config
    2. krb5-user / krb5-workstation (UBI)
    3. gss-ntlmssp
  3. Chromium launch arguments derived from the variable (fragment of the argument list):
         "--auth-negotiate-delegate-allowlist=*.example.com",
         "--auth-server-allowlist=*.example.com",
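As an added example (not code from this issue or from the DAST project), the following POSIX shell sketch covers the before_script pieces described above: rendering a minimal krb5.conf for one realm, checking the allowlist variable before it becomes a Chromium flag, and turning it into the two flags. KRB_REALM and KRB_KDC are hypothetical variable names chosen here, and the realm and KDC values are constructed placeholders; the package install and kinit are left as comments because they need a real domain.

```shell
#!/bin/sh
# Added example, not DAST project code. Helper functions for a before_script that
# prepares Kerberos for the DAST browser. KRB_REALM / KRB_KDC are hypothetical
# names chosen here; DAST_AUTH_NEGOTIATE_DELEGATE is the variable the issue proposes.

# Render a minimal krb5.conf for a single realm (the job writes it to /etc/krb5.conf).
# $1 = realm (upper case), $2 = KDC host name.
render_krb5_conf() {
  realm="$1"
  kdc="$2"
  domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
  cat <<EOF
[libdefaults]
    default_realm = ${realm}

[realms]
    ${realm} = {
        kdc = ${kdc}
    }

[domain_realm]
    .${domain} = ${realm}
    ${domain} = ${realm}
EOF
}

# Check the allowlist before it becomes a Chromium flag. A bare '*' would let
# Chromium negotiate (and delegate) credentials to any host the scanner reaches,
# so it is refused, as are empty entries and characters outside a host pattern.
validate_allowlist() {
  list="$1"
  [ -n "$list" ] || return 1
  printf '%s\n' "$list" | tr ',' '\n' | grep -Eqv '^[A-Za-z0-9*][A-Za-z0-9.*-]*$' && return 1
  printf '%s\n' "$list" | tr ',' '\n' | grep -qx '\*' && return 1
  return 0
}

# Produce the two Chromium flags the issue quotes, both fed from the same list.
chromium_auth_flags() {
  printf -- '--auth-server-allowlist=%s --auth-negotiate-delegate-allowlist=%s\n' "$1" "$1"
}

# Constructed sample values; a real job takes them from CI/CD variables.
DAST_AUTH_NEGOTIATE_DELEGATE="${DAST_AUTH_NEGOTIATE_DELEGATE:-*.example.com,example.com,*.EXAMPLE.COM,EXAMPLE.COM}"
KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"
KRB_KDC="${KRB_KDC:-kdc.example.com}"

if validate_allowlist "$DAST_AUTH_NEGOTIATE_DELEGATE"; then
  render_krb5_conf "$KRB_REALM" "$KRB_KDC"          # in the job: > /etc/krb5.conf
  chromium_auth_flags "$DAST_AUTH_NEGOTIATE_DELEGATE"
  # Remaining steps in the real job (need a domain, so not run here):
  #   apt-get install -y krb5-config krb5-user gss-ntlmssp   (krb5-workstation on UBI)
  #   kinit "$KRB_USER"   with the password taken from a masked CI variable
else
  echo "refusing DAST_AUTH_NEGOTIATE_DELEGATE='$DAST_AUTH_NEGOTIATE_DELEGATE'" >&2
fi
```

The allowlist check matters because the same value feeds both flags: whatever hosts Chromium is told to trust for Negotiate are also the hosts it may delegate the user's ticket to, so a wildcard-everything entry turns every scanned host into a credential recipient.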

Links

Implementation plan

  1. Add the new variable to browserker
  2. Add the needed packages to both the standard and FIPS images
  3. Document the new variable and add a section in the docs showing usage
Edited by Michael Eddington