diff options
Diffstat (limited to 'doc/integration/kerberos.md')
-rw-r--r-- | doc/integration/kerberos.md | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/doc/integration/kerberos.md b/doc/integration/kerberos.md index f0c1a75041e..dc4dd501363 100644 --- a/doc/integration/kerberos.md +++ b/doc/integration/kerberos.md @@ -99,7 +99,7 @@ to authenticate with Kerberos tokens. #### Enable single sign-on -Edit the [common configuration file settings](omniauth.md#configure-common-settings) +Configure the [common settings](omniauth.md#configure-common-settings) to add `kerberos` as a single sign-on provider. This enables Just-In-Time account provisioning for users who do not have an existing GitLab account. @@ -358,6 +358,16 @@ to a larger value in [the NGINX configuration](https://nginx.org/en/docs/http/ng ## Troubleshooting +### Using Google Chrome with Kerberos authentication against Windows AD + +When you use Google Chrome to sign in to GitLab with Kerberos, you must enter your full username. For example, `username@domain.com`. + +If you do not enter your full username, the sign-in fails. Check the logs to see the following event message as evidence of this sign-in failure: + +```plain +"message":"OmniauthKerberosController: failed to process Negotiate/Kerberos authentication: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested\nUnknown error"`. +``` + ### Test connectivity between the GitLab and Kerberos servers You can use utilities like [`kinit`](https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/kinit.html) and [`klist`](https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/klist.html) to test connectivity between the GitLab server |