OpenI
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
9513 Commits
197 Branches
392 MB
5140 Download
Tree: b4d53e47d2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b4d53e47d2'
${ noResults }
aiforge/docs/content/doc/features/authentication.en-us.md

authentication.en-us.md 11 kB
Raw Normal View History

Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
Copyedit docs (#6275)
6 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
Update docs for LDAP (via BindDN) user sync option. (#2985)
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
Set user search base field optional in DLDAP edit page (#6779)
6 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
Copyedit docs (#6275)
6 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
General documentation cleanup (#3317) * Clean up spelling, grammar, perspective, whitespace, language, markup, etc.
7 years ago
Add single sign-on support via SSPI on Windows (#8463) * Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not accepted
5 years ago
Remove IE11 support (#11470) * Remove IE11 support With master now on 1.13, it's time to drop IE11 for good. The woff variants are also in use by Opera Mini but it has even less market share and I can only imagine how broken the UI is in it. Fixes: https://github.com/go-gitea/gitea/issues/6147 * update docs Co-authored-by: techknowlogick <techknowlogick@gitea.io>
5 years ago
Add single sign-on support via SSPI on Windows (#8463) * Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not accepted
5 years ago
Remove IE11 support (#11470) * Remove IE11 support With master now on 1.13, it's time to drop IE11 for good. The woff variants are also in use by Opera Mini but it has even less market share and I can only imagine how broken the UI is in it. Fixes: https://github.com/go-gitea/gitea/issues/6147 * update docs Co-authored-by: techknowlogick <techknowlogick@gitea.io>
5 years ago
Add single sign-on support via SSPI on Windows (#8463) * Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not accepted
5 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253 
  1. ---

  2. date: "2016-12-01T16:00:00+02:00"

  3. title: "Authentication"

  4. slug: "authentication"

  5. weight: 10

  6. toc: true

  7. draft: false

  8. menu:

  9.   sidebar:

  10.     parent: "features"

  11.     name: "Authentication"

  12.     weight: 10

  13.     identifier: "authentication"

  14. ---

  15. 

  16. # Authentication

  17. 

  18. ## LDAP (Lightweight Directory Access Protocol)

  19. 

  20. Both the LDAP via BindDN and the simple auth LDAP share the following fields:

  21. 

  22. - Authorization Name **(required)**

  23.   - A name to assign to the new method of authorization.

  24. 

  25. - Host **(required)**

  26.   - The address where the LDAP server can be reached.

  27.   - Example: `mydomain.com`

  28. 

  29. - Port **(required)**

  30.   - The port to use when connecting to the server.

  31.   - Example: `389` for LDAP or `636` for LDAP SSL

  32. 

  33. - Enable TLS Encryption (optional)

  34.   - Whether to use TLS when connecting to the LDAP server.

  35. 

  36. - Admin Filter (optional)

  37.   - An LDAP filter specifying if a user should be given administrator

  38.     privileges. If a user account passes the filter, the user will be

  39.     privileged as an administrator.

  40.   - Example: `(objectClass=adminAccount)`

  41.   - Example for Microsoft Active Directory (AD): `(memberOf=CN=admin-group,OU=example,DC=example,DC=org)`

  42. 

  43. - Username attribute (optional)

  44.   - The attribute of the user's LDAP record containing the user name. Given

  45.     attribute value will be used for new Gitea account user name after first

  46.     successful sign-in. Leave empty to use login name given on sign-in form.

  47.   - This is useful when supplied login name is matched against multiple

  48.     attributes, but only single specific attribute should be used for Gitea

  49.     account name, see "User Filter".

  50.   - Example: `uid`

  51.   - Example for Microsoft Active Directory (AD): `sAMAccountName`

  52. 

  53. - First name attribute (optional)

  54.   - The attribute of the user's LDAP record containing the user's first name.

  55.     This will be used to populate their account information.

  56.   - Example: `givenName`

  57. 

  58. - Surname attribute (optional)

  59.   - The attribute of the user's LDAP record containing the user's surname.

  60.     This will be used to populate their account information.

  61.   - Example: `sn`

  62. 

  63. - E-mail attribute **(required)**

  64.   - The attribute of the user's LDAP record containing the user's email

  65.     address. This will be used to populate their account information.

  66.   - Example: `mail`

  67. 

  68. **LDAP via BindDN** adds the following fields:

  69. 

  70. - Bind DN (optional)

  71.   - The DN to bind to the LDAP server with when searching for the user. This

  72.     may be left blank to perform an anonymous search.

  73.   - Example: `cn=Search,dc=mydomain,dc=com`

  74. 

  75. - Bind Password (optional)

  76.   - The password for the Bind DN specified above, if any. _Note: The password

  77.     is stored in plaintext at the server. As such, ensure that the Bind DN

  78.     has as few privileges as possible._

  79. 

  80. - User Search Base **(required)**

  81.   - The LDAP base at which user accounts will be searched for.

  82.   - Example: `ou=Users,dc=mydomain,dc=com`

  83. 

  84. - User Filter **(required)**

  85.   - An LDAP filter declaring how to find the user record that is attempting to

  86.     authenticate. The `%s` matching parameter will be substituted with login

  87.     name given on sign-in form.

  88.   - Example: `(&(objectClass=posixAccount)(uid=%s))`

  89.   - Example for Microsoft Active Directory (AD): `(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))`

  90.   - To substitute more than once, `%[1]s` should be used instead, e.g. when

  91.     matching supplied login name against multiple attributes such as user

  92.     identifier, email or even phone number.

  93.   - Example: `(&(objectClass=Person)(|(uid=%[1]s)(mail=%[1]s)(mobile=%[1]s)))`

  94. - Enable user synchronization

  95.   - This option enables a periodic task that synchronizes the Gitea users with

  96.     the LDAP server. The default period is every 24 hours but that can be

  97.     changed in the app.ini file.  See the *cron.sync_external_users* section in

  98.     the [sample

  99.     app.ini](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample)

  100.     for detailed comments about that section.  The *User Search Base* and *User

  101.     Filter* settings described above will limit which users can use Gitea and

  102.     which users will be synchronized.  When initially run the task will create

  103.     all LDAP users that match the given settings so take care if working with

  104.     large Enterprise LDAP directories.

  105. 

  106. **LDAP using simple auth** adds the following fields:

  107. 

  108. - User DN **(required)**

  109.   - A template to use as the user's DN. The `%s` matching parameter will be

  110.     substituted with login name given on sign-in form.

  111.   - Example: `cn=%s,ou=Users,dc=mydomain,dc=com`

  112.   - Example: `uid=%s,ou=Users,dc=mydomain,dc=com`

  113. 

  114. - User Search Base  (optional)

  115.   - The LDAP base at which user accounts will be searched for.

  116.   - Example: `ou=Users,dc=mydomain,dc=com`

  117. 

  118. - User Filter **(required)**

  119.   - An LDAP filter declaring when a user should be allowed to log in. The `%s`

  120.     matching parameter will be substituted with login name given on sign-in

  121.     form.

  122.   - Example: `(&(objectClass=posixAccount)(cn=%s))`

  123.   - Example: `(&(objectClass=posixAccount)(uid=%s))`

  124. 

  125. **Verify group membership in LDAP** uses the following fields:

  126. 

  127. * Group Search Base (optional)

  128.     * The LDAP DN used for groups.

  129.     * Example: `ou=group,dc=mydomain,dc=com`

  130. 

  131. * Group Name Filter (optional)

  132.     * An LDAP filter declaring how to find valid groups in the above DN.

  133.     * Example: `(|(cn=gitea_users)(cn=admins))`

  134. 

  135. * User Attribute in Group (optional)

  136.     * Which user LDAP attribute is listed in the group.

  137.     * Example: `uid`

  138. 

  139. * Group Attribute for User (optional)

  140.     * Which group LDAP attribute contains an array above user attribute names.

  141.     * Example: `memberUid`

  142. 

  143. ## PAM (Pluggable Authentication Module)

  144. 

  145. To configure PAM, set the 'PAM Service Name' to a filename in `/etc/pam.d/`. To

  146. work with normal Linux passwords, the user running Gitea must have read access

  147. to `/etc/shadow`.

  148. 

  149. ## SMTP (Simple Mail Transfer Protocol)

  150. 

  151. This option allows Gitea to log in to an SMTP host as a Gitea user. To

  152. configure this, set the fields below:

  153. 

  154. - Authentication Name **(required)**

  155.   - A name to assign to the new method of authorization.

  156. 

  157. - SMTP Authentication Type **(required)**

  158.   - Type of authentication to use to connect to SMTP host, PLAIN or LOGIN.

  159. 

  160. - Host **(required)**

  161.   - The address where the SMTP host can be reached.

  162.   - Example: `smtp.mydomain.com`

  163. 

  164. - Port **(required)**

  165.   - The port to use when connecting to the server.

  166.   - Example: `587`

  167. 

  168. - Allowed Domains

  169.   - Restrict what domains can log in if using a public SMTP host or SMTP host

  170.     with multiple domains.

  171.   - Example: `gitea.io,mydomain.com,mydomain2.com`

  172. 

  173. - Enable TLS Encryption

  174.   - Enable TLS encryption on authentication.

  175. 

  176. - Skip TLS Verify

  177.   - Disable TLS verify on authentication.

  178. 

  179. - This authentication is activate

  180.   - Enable or disable this auth.

  181. 

  182. ## FreeIPA

  183. 

  184. - In order to log in to Gitea using FreeIPA credentials, a bind account needs to

  185.   be created for Gitea:

  186. 

  187. - On the FreeIPA server, create a `gitea.ldif` file, replacing `dc=example,dc=com`

  188.   with your DN, and provide an appropriately secure password:

  189. ```

  190.   dn: uid=gitea,cn=sysaccounts,cn=etc,dc=example,dc=com

  191.   changetype: add

  192.   objectclass: account

  193.   objectclass: simplesecurityobject

  194.   uid: gitea

  195.   userPassword: secure password

  196.   passwordExpirationTime: 20380119031407Z

  197.   nsIdleTimeout: 0

  198. ```

  199. 

  200. - Import the LDIF (change localhost to an IPA server if needed). A prompt for

  201.  Directory Manager password will be presented:

  202. ```

  203.   ldapmodify -h localhost -p 389 -x -D \

  204.   "cn=Directory Manager" -W -f gitea.ldif

  205. ```

  206. - Add an IPA group for gitea\_users :

  207. ```

  208.   ipa group-add --desc="Gitea Users" gitea_users

  209. ```

  210. - Note: For errors about IPA credentials, run `kinit admin` and provide the

  211.   domain admin account password.

  212. 

  213. - Log in to Gitea as an Administrator and click on "Authentication" under Admin Panel.

  214.   Then click `Add New Source` and fill in the details, changing all where appropriate.

  215. 

  216. ## SPNEGO with SSPI (Kerberos/NTLM, for Windows only)

  217. 

  218. Gitea supports SPNEGO single sign-on authentication (the scheme defined by RFC4559) for the web part of the server via the Security Support Provider Interface (SSPI) built in Windows. SSPI works only in Windows environments - when both the server and the clients are running Windows.

  219. 

  220. Before activating SSPI single sign-on authentication (SSO) you have to prepare your environment:

  221. 

  222. - Create a separate user account in active directory, under which the `gitea.exe` process will be running (eg. `user` under domain `domain.local`):

  223. 

  224. - Create a service principal name for the host where `gitea.exe` is running with class `HTTP`:

  225.   - Start `Command Prompt` or `PowerShell` as a priviledged domain user (eg. Domain Administrator)

  226.   - Run the command below, replacing `host.domain.local` with the fully qualified domain name (FQDN) of the server where the web application will be running, and `domain\user` with the name of the account created in the previous step:

  227.   ```

  228.     setspn -A HTTP/host.domain.local domain\user

  229.   ```

  230. 

  231. - Sign in (*sign out if you were already signed in*) with the user created

  232. 

  233. - Make sure that `ROOT_URL` in the `[server]` section of `custom/conf/app.ini` is the fully qualified domain name of the server where the web application will be running - the same you used when creating the service principal name (eg. `host.domain.local`)

  234. 

  235. - Start the web server (`gitea.exe web`)

  236. 

  237. - Enable SSPI authentication by adding an `SPNEGO with SSPI` authentication source in `Site Administration -> Authentication Sources`

  238. 

  239. - Sign in to a client computer in the same domain with any domain user (client computer, different from the server running `gitea.exe`)

  240. 

  241. - If you are using Chrome or Edge, add the URL of the web app to the Local intranet sites (`Internet Options -> Security -> Local intranet -> Sites`)

  242. 

  243. - Start Chrome or Edge and navigate to the FQDN URL of gitea (eg. `http://host.domain.local:3000`)

  244. 

  245. - Click the `Sign In` button on the dashboard and choose SSPI to be automatically logged in with the same user that is currently logged on to the computer

  246. 

  247. - If it does not work, make sure that:

  248.   - You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are runnning on the same computer NTLM will be prefered over Kerberos.

  249.   - There is only one `HTTP/...` SPN for the host

  250.   - The SPN contains only the hostname, without the port

  251.   - You have added the URL of the web app to the `Local intranet zone`

  252.   - The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)

  253.   - `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)

No Description