Kerberos Authentication

  • Updated on Sep 4, 2024
  • Published on Jun 20, 2024
  • 1 minute(s) read
  • jU
 Prev Next

Kerberos Authentication

Using Kerberos authentication will depend on the Windows domain authentication process.

Setup

  1. Internet Information Service (IIS) Manager.

    1. In your IIS installation, locate and select the Safran Web API Site.
    2. Select the "Authentication" option.
      1. Set "Windows Authentication" = "Enabled"
      2. All other to "Disabled"
      3. API Security Kerberos Windows Authentication

  2. Within the appsettings.json file found in your file folder.

    1. Ensure the "authentication type" setting is set to "Kerberos".

    2. See the Authentification Type below.

  3. Windows users

    1. Place your organisation's users who will get access to the Safran API into the Windows group "SafranWebApiUsersGroup". Should you use a group other than "SafranWebApiUsersGroup", remember to update the application setting for the IIS.

    2. See the Windows-user below.

    3. The user who is a member of the specified group or any of that group's nested groups will be granted access.

    4. In the following Active Directory structure sample:

      1. Specifying "SafranWebApiUsersGroup" in "SafranWebApiUsers" will allow all 4 API users access.
      2. Specifying "NestedGroupLevel-2" in "SafranWebApiUsers" will only allow "APIUser2.1" access.
      3. See the Nested Group Levels below.

Authentification Type

 "AppSettings": {
  "SafranWebApiAuthenticationType": "Kerberos",
  ...
}


Windows user

"AppSettings": {
  "SafranWebApiUsers": "SafranWebApiUsers",
  ...
}



Nested Group Levels

SafranWebApiUsersGroup
   APIUser0.1
   NestedGroupLevel-1
         APIUser1.1
         APIUser1.2
      NestedGroupLevel-2
         APIUser2.1