[DOCS] Adds principal associated to keytab file (#96498)

* [DOCS] Adds principal associated to keytab file

* Update docs/user/security/authentication/index.asciidoc

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>

* Review comments

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
Kaarina Tungseth 2021-04-08 16:35:59 -05:00 committed by GitHub
parent 65dc108575
commit cf7fdecdfe
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -292,7 +292,11 @@ xpack.security.authc.providers:
order: 1
-----------------------------------------------
Kibana uses SPNEGO, which wraps the Kerberos protocol for use with HTTP, extending it to web applications. At the end of the Kerberos handshake, Kibana will forward the service ticket to Elasticsearch. Elasticsearch will unpack it and it will respond with an access and refresh token which are then used for subsequent authentication.
IMPORTANT: {kib} uses SPNEGO, which wraps the Kerberos protocol for use with HTTP, extending it to web applications.
At the end of the Kerberos handshake, {kib} forwards the service ticket to {es}, then {es} unpacks the service ticket and responds with an access and refresh token, which are used for subsequent authentication.
On every {es} node that {kib} connects to, the keytab file should always contain the HTTP service principal for the {kib} host.
The HTTP service principal name must have the `HTTP/kibana.domain.local@KIBANA.DOMAIN.LOCAL` format.
[[anonymous-authentication]]
==== Anonymous authentication
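Review bot: The two added keytab sentences use different requirement strengths: the keytab file "should always contain" the HTTP service principal, but the principal name "must have" a given format. If the principal is required for the handshake to work, use "must" in both sentences. The last added sentence also presents a literal value, `HTTP/kibana.domain.local@KIBANA.DOMAIN.LOCAL`, as a format; consider describing the pattern in words (the HTTP service class, the Kibana host name, then the realm) and giving that value as the example, so readers do not copy it verbatim. Finally, the `IMPORTANT:` label now covers the SPNEGO background as well as the keytab requirement; moving the two keytab sentences into their own admonition would keep the emphasis on the part an operator has to act on.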