From cf7fdecdfe4b015c3c15182e1a0f76f8a18e110d Mon Sep 17 00:00:00 2001 From: Kaarina Tungseth Date: Thu, 8 Apr 2021 16:35:59 -0500 Subject: [PATCH] [DOCS] Adds principal associated to keytab file (#96498) * [DOCS] Adds principal associated to keytab file * Update docs/user/security/authentication/index.asciidoc Co-authored-by: Aleh Zasypkin * Review comments Co-authored-by: Aleh Zasypkin --- docs/user/security/authentication/index.asciidoc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc index a4acc93310e5..805ae924a599 100644 --- a/docs/user/security/authentication/index.asciidoc +++ b/docs/user/security/authentication/index.asciidoc @@ -292,7 +292,11 @@ xpack.security.authc.providers: order: 1 ----------------------------------------------- -Kibana uses SPNEGO, which wraps the Kerberos protocol for use with HTTP, extending it to web applications. At the end of the Kerberos handshake, Kibana will forward the service ticket to Elasticsearch. Elasticsearch will unpack it and it will respond with an access and refresh token which are then used for subsequent authentication. +IMPORTANT: {kib} uses SPNEGO, which wraps the Kerberos protocol for use with HTTP, extending it to web applications. +At the end of the Kerberos handshake, {kib} forwards the service ticket to {es}, then {es} unpacks the service ticket and responds with an access and refresh token, which are used for subsequent authentication. +On every {es} node that {kib} connects to, the keytab file should always contain the HTTP service principal for the {kib} host. +The HTTP service principal name must have the `HTTP/kibana.domain.local@KIBANA.DOMAIN.LOCAL` format. + [[anonymous-authentication]] ==== Anonymous authentication
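Review bot: The last added line presents `HTTP/kibana.domain.local@KIBANA.DOMAIN.LOCAL` as the required "format", but it is one literal value whose realm is simply the hostname uppercased, so a reader can take the realm to be derived from the {kib} hostname rather than being the Kerberos realm. Consider stating the pattern, for example `HTTP/<kibana-host-fqdn>@<REALM>`, and keeping the literal as an example of it. In the line above it, "should always contain" reads as a recommendation while the following sentence uses "must"; if the keytab entry is a hard requirement, say "must contain". Also, `IMPORTANT:` now prefixes the whole paragraph, so the SPNEGO background sentences render inside the admonition; keeping them as a normal paragraph and putting only the keytab requirement under `IMPORTANT:` would keep the callout focused on the step an operator has to act on.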