Skip to content

[Synthetics] Add Kerberos auth docs #6774

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
emilioalvap wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[Synthetics] Add Kerberos auth docs #6774

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f27d2ca
[Synthetics] Add Kerberos auth docs
emilioalvap May 29, 2026
c4c3c00
Add missing navigation
emilioalvap Jun 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 39 additions & 0 deletions solutions/observability/synthetics/kerberos-for-browser-monitors.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
---
navigation_title: Kerberos Authentication
mapped_pages:

Check warning on line 3 in solutions/observability/synthetics/kerberos-for-browser-monitors.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.MappedPages: mapped_pages should only be added or updated in rare scenarios. Talk with your local technical writer before pushing changes to this key.
- https://www.elastic.co/guide/en/observability/current/synthetics-kerberos.html
- https://www.elastic.co/guide/en/serverless/current/observability-synthetics-kerberos.html
applies_to:
stack: ga
serverless: ga
products:
- id: observability
- id: cloud-serverless
---

# Kerberos Authentication for browser monitors [synthetics-kerberos]

Kerberos Auhtentication enables monitoring on Single Sign-On (SSO) protected sites, usually behind Microsoft Active Directory.

Check warning on line 16 in solutions/observability/synthetics/kerberos-for-browser-monitors.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.Spelling: 'Auhtentication' is a possible misspelling.

:::{admonition} Requirements
* Kerberos Authentication works for **Private Locations only**. It will not work from Elastic's managed global locations.
* Credentials must be made available to the agent process beforehand. A keytab for the service account plus a `kinit`'d ticket cache (`KRB5CCNAME`). Keep it fresh with a cron job or `systemd` timer (e.g. `kinit -R` every few hours, `kinit -kt` on failure).

Check warning on line 20 in solutions/observability/synthetics/kerberos-for-browser-monitors.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.Latinisms: Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
* `/etc/krb5.conf` must be configured for your realm.
* The SPN (e.g. `HTTP/intranet.corp.local@CORP.LOCAL`) must be registered against the service account that fronts the protected URL.

Check warning on line 22 in solutions/observability/synthetics/kerberos-for-browser-monitors.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.Latinisms: Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
:::
::::

## Configuring Kerberos authentication [configuring_kerberos]

Browser monitors already have first-class support for SSO Kerberos authentication, simply specify the protected domains under `playwrightOptions.args`:

Check notice on line 28 in solutions/observability/synthetics/kerberos-for-browser-monitors.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.WordChoice: Consider using 'efficiently' instead of 'simply', unless the term is in the UI.

Check notice on line 28 in solutions/observability/synthetics/kerberos-for-browser-monitors.md

View workflow job for this annotation

GitHub Actions / build / vale 

Elastic.WordChoice: Consider using 'top-level' instead of 'first-class', unless the term is in the UI.

```ts
playwrightOptions: {
args: [
'--auth-server-allowlist=*.corp.local,corp.local',
'--auth-negotiate-delegate-allowlist=*.corp.local',
],
}
```

The hostname must match an entry in `--auth-server-allowlist`. The matcher is hostname-only and supports shell-style wildcards — `*.corp.local` will NOT match the bare `corp.local`.
1 change: 1 addition & 0 deletions solutions/toc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
project: "Solutions and use cases"
toc:
- file: index.md
Expand Down Expand Up @@ -332,6 +332,7 @@
- file: observability/synthetics/cli.md
- file: observability/synthetics/configure-projects.md
- file: observability/synthetics/mfa-for-browser-monitors.md
- file: observability/synthetics/kerberos-for-browser-monitors.md
- file: observability/synthetics/configure-settings.md
- file: observability/synthetics/grant-access-to-secured-resources.md
children:
Expand Down
Loading