REST API Calls with Kerberos Encryption

I came across this approach and I would appreciate it if someone can test it as I am unable to at the moment.

GOAL:

  • Enable Kerberos (SPNEGO) in Ignition for user authentication
  • Use Kerberos tickets to authenticate REST API requests (e.g., using curl, PowerShell, or a browser)

Step 1: Prerequisites

Make sure that:

  • Ignition is installed and running on a domain-joined Windows machine.
  • The domain controller has DNS and reverse DNS entries for your Ignition server.
  • You have admin access to Ignition and the Windows server.
  • A Service Principal Name (SPN) is created for the Ignition server.
  • A Kerberos keytab is available or can be created.

Step 2: Create an SPN and Keytab

On the domain controller, open PowerShell as Administrator and run:

```powershell
setspn -A HTTP/ignition-hostname.domain.com DOMAIN\IgnitionServiceAccount
```

Replace:
  • `ignition-hostname.domain.com` = FQDN of your Ignition server
  • `DOMAIN\IgnitionServiceAccount` = the AD account running Ignition Gateway

Then, generate a keytab file:

```powershell
ktpass -princ HTTP/ignition-hostname.domain.com@DOMAIN.COM -mapuser DOMAIN\IgnitionServiceAccount -pass YourPasswordHere -out C:\path\to\http.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
```

Place `http.keytab` somewhere accessible by the Ignition Gateway service.

Step 3: Configure Identity Provider in Ignition

  1. Open Ignition Gateway in browser → Go to Config > Security > Identity Providers
  2. Click Create New Identity Provider
  3. Choose Web Browser SSO
  4. Set up the provider:
     • Provider Name: KerberosSSO
     • Login Type: SSO Only
     • Kerberos Realm: DOMAIN.COM
     • KDC Hostname: your-domain-controller.domain.com
     • SPN: HTTP/ignition-hostname.domain.com
     • Keytab File Path: C:\path\to\http.keytab
     • Save

Ensure the Ignition service has read access to the .keytab.

Step 4: Set Up Security Levels (Optional but Recommended)

  1. Go to Config > Security > Security Levels
  2. Create a mapping to assign authenticated users to roles or levels
  3. Map domain groups or usernames to appropriate roles

Step 5: Enable Authentication for REST API Access

  1. Go to Config > Gateway Settings
  2. Under HTTP Settings:
     • Check “Enable Authentication for Web Services”
     • Choose “Identity Provider” under Session Validation
     • Select your Kerberos IdP (e.g., KerberosSSO)
     • Save changes

Step 6: Test REST API with Kerberos Ticket

Using `curl` from a domain-joined machine:

```bash
curl --negotiate -u : -X GET https://ignition-hostname.domain.com:8088/system/gwinfo
```

* `--negotiate`: tells `curl` to use SPNEGO/Kerberos
* `-u :`: passes an empty user so `curl` sends the ticket without prompting for a username
* Must be run as a user **logged in with a valid Kerberos ticket**

To confirm that the user holds a ticket:

```bash
klist
```

Optional: Test via Browser or Postman

* Modern browsers (like Chrome or Edge) support SPNEGO automatically if the Ignition FQDN is in the **intranet zone**
* Postman **does not** support Kerberos/SPNEGO natively — use `curl` or a tool like **httpie** or **custom code** (e.g., Python `requests_kerberos`)

---

## 🛠 Troubleshooting Tips

|**Problem**|**Solution**|
| -------------- | -------------- |
|❌ `401 Unauthorized`|Check SPN, keytab, realm spelling|
|❌ `KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN`|SPN not registered or mismatch|
|❌ `KDC not reachable`|Wrong KDC hostname or firewall issue|
|❌ Ticket expired|Run `kinit` again or re-login|
|🔒 Keytab permission error|Ensure Ignition has read access|


Would this work and enable Kerberos in Ignition?
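One check that goes with the `401 Unauthorized` row of the troubleshooting table: `curl -v --negotiate` shows the `Authorization: Negotiate <base64>` header the client actually sent, and decoding that token tells you whether SPNEGO wrapped a Kerberos ticket or fell back to NTLM (the usual outcome when no ticket could be obtained for the SPN, so the server correctly rejects it). The Python below is an added example, not code from this post or from Ignition; the sample headers are constructed, not captured traffic, and the mechanism names are labels assigned here to the well-known OIDs.

```python
import base64

# DER-encoded mechanism OIDs seen inside HTTP Negotiate (GSS-API / SPNEGO) tokens.
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",             # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",  # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS-KRB5",      # 1.2.840.48018.1.2.2 (legacy Microsoft Kerberos)
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",    # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect_negotiate_header(header_value):
    """Classify an 'Authorization: Negotiate <b64>' value -> (outer mechanism, mechs offered in SPNEGO)."""
    parts = header_value.split()
    if len(parts) < 2:                      # a bare 'Negotiate' is the server's 401 challenge
        return "challenge (no token)", []
    token = base64.b64decode(parts[1])
    if token.startswith(b"NTLMSSP\x00"):    # raw NTLM message with no GSS-API wrapper at all
        return "NTLMSSP (raw)", []
    tag, body, _ = _tlv(token)
    if tag != 0x60:                         # [APPLICATION 0] GSS-API InitialContextToken
        raise ValueError("not a GSS-API InitialContextToken")
    _, oid, pos = _tlv(body)                # first element is the outer mechanism OID
    outer, offered = MECH_OIDS.get(oid, oid.hex()), []
    if outer == "SPNEGO":
        tag, neg_init, _ = _tlv(body, pos)  # NegotiationToken CHOICE: [0] is NegTokenInit
        if tag == 0xA0:
            tag, mech_types, _ = _tlv(_tlv(neg_init)[1])  # first field of the NegTokenInit SEQUENCE
            if tag == 0xA0:                 # [0] mechTypes: SEQUENCE OF OID, client's preference first
                _, mech_list, _ = _tlv(mech_types)
                p = 0
                while p < len(mech_list):
                    _, oid, p = _tlv(mech_list, p)
                    offered.append(MECH_OIDS.get(oid, oid.hex()))
    return outer, offered

# Constructed sample headers (not captured traffic); the mechToken that follows mechTypes in real tokens is omitted.
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(bytes.fromhex(
    "60 26 06 06 2b 06 01 05 05 02 a0 1c 30 1a a0 18 30 16 "           # GSS header, SPNEGO OID, NegTokenInit
    "06 09 2a 86 48 86 f7 12 01 02 02 06 09 2a 86 48 82 f7 12 01 02 02")).decode()  # Kerberos V5, MS-KRB5
SAMPLE_NTLM_ONLY = "Negotiate " + base64.b64encode(bytes.fromhex(
    "60 1c 06 06 2b 06 01 05 05 02 a0 12 30 10 a0 0e 30 0c 06 0a 2b 06 01 04 01 82 37 02 02 0a")).decode()
SAMPLE_RAW_NTLM = "Negotiate TlRMTVNTUAABAAAA"  # base64 of b"NTLMSSP\x00\x01\x00\x00\x00" (Type 1 header)
```

If the offered list starts with NTLMSSP rather than Kerberos V5, the client never got a service ticket for `HTTP/ignition-hostname.domain.com`, which points back at the SPN registration and DNS rows of the table rather than at the Ignition configuration.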