Apidog

All-in-one Collaborative API Development Platform

API Design

API Documentation

API Debugging

API Mocking

API Automated Testing

How to Configure Kerberos Authentication in Apidog for API Testing

Kerberos authentication is essential for security, but setup can be complex. Apidog simplifies API testing with native support for both Kerberos and NTLM, making it easy for developers to test secure APIs across Windows, macOS, and Linux. Try Apidog for hassle-free authentication testing.

Scarlett Clarke

Scarlett Clarke

Updated on November 18, 2024

If you have trouble with Kerberos configurations and preauthentication failures that keep you up at night, then you are not alone. Even the most seasoned system administrators know the unique frustrations that come with setting up Kerberos authentication.

And you can’t bypass small errors because you know it plays a crucial role in enterprise security as a backbone of authentication protocols for organizations of all sizes. So that’s why your development team needs platforms to test your Kerberos-authenticated APIs, which can be a challenge because, unfortunately, even the most popular testing platforms like Postman do not support it yet or its way too complicated to use like in SoapUI.

That’s where Apidog comes in, offering native support for both Kerberos and NTLM authentication protocols, allowing you to get started with testing Kerberos-authenticated APIs on Windows, Mac, and Linux. Now, whether we’ve caught your interest or not, please continue reading the rest of our blog, where we’ll help you become more familiar with Kerberos, explain its importance, and demonstrate how to use it on our platform.

button

Before diving into the steps, let's take a quick refresher on Kerberos Authentication Protocol—the core of many enterprise security systems.

What is Kerberos Authentication Protocol?

Developed by MIT, Kerberos is a network security authentication protocol that provides a secure way of transmitting user identity data over a network. It’s particularly popular in Microsoft Windows environments and is integral to Single Sign-On (SSO) solutions, allowing users to authenticate once and access multiple services without needing to re-enter passwords.

How Does Kerberos Authentication Work?

At the heart of Kerberos are several key components that work together to ensure secure authentication:

  • KDC (Key Distribution Center): This is the central server that manages authentication requests. It includes two critical components:
    • AS (Authentication Server): Verifies the user’s identity and issues the Ticket Granting Ticket (TGT).
    • TGS (Ticket Granting Service): Issues service tickets that allow users to access specific resources.
  • TGS (Ticket Granting Service): Issues service tickets that allow users to access specific resources.
  • Service Tickets: These are issued by the TGS and are used to authenticate access to specific services.

The Kerberos authentication flow is simple yet secure:

  1. The user logs in and requests a TGT from the AS.
  2. The AS verifies the user’s identity and issues a TGT.
  3. To access a service, the user requests a service ticket from the TGS using their TGT.
  4. The TGS verifies the TGT and issues the service ticket.
  5. The user uses the service ticket to authenticate access to the requested service.

In this process, the KDC functions as a central entity, encompassing two key components: the Authentication Server (AS) and the Ticket Granting Service (TGS). The TGT (Ticket Granting Ticket) and service tickets serve as essential credentials to verify identity and authorize access throughout the authentication flow.

This design enables users to authenticate just once (by obtaining a TGT) and then request multiple service tickets as needed, without re-entering their credentials. This approach supports Single Sign-On (SSO), offering a seamless user experience while maintaining robust security within the system.

How Does Kerberos Authentication Work?

Testing Kerberos-Authenticated APIs with Apidog on macOS

Kerberos | Apidog
Kerberos is a network authentication protocol initially developed by the Massachusetts Institute of Technology (MIT) and widely used in many modern computing systems, especially in enterprise environments. Kerberos utilizes symmetric encryption and a trusted third party, known as the Key Distributio…

Now that you understand how Kerberos works, let’s walk through the steps for testing a Kerberos-authenticated API endpoint using Apidog on macOS.

Step 1: Preparation

To start, you’ll need some basic Kerberos-related information that your organization typically provides when using Kerberos authentication:

  • Account: Your Kerberos user account (e.g., Scarlett@APIDOG.LOCAL).
  • Password: Your Kerberos login password.
  • Kerberos Realm: The domain name in uppercase (e.g., APIDOG.LOCAL).
  • KDC Server Address: The Fully Qualified Domain Name (FQDN) or IP address of the KDC (e.g., ills7i8hyt2.apidog.local).

Before you begin, ensure you’ve downloaded and installed the latest version of Apidog. Note that Apidog’s web version doesn’t support Kerberos, so you must use the desktop client.

Step 2: Modify your local DNS for Kerberos authentication:

Kerberos authentication is typically used within an internal network. To ensure proper connectivity, you’ll need to configure your DNS server to point to your Active Directory (AD) server address.

Step 3: Configure /etc/krb5.conf on macOS

The krb5.conf file is the central configuration for Kerberos. It defines your Kerberos realm and the KDC server address. You’ll need to create or modify this file on your system.

  • Open a terminal and check if krb5.conf already exists:
cat /etc/krb5.conf
  • If the file doesn’t exist, create it:
nano /etc/krb5.conf
  • Add the following content to configure the Kerberos realm and KDC server:
[libdefaults]
    default_realm = APIDOG.LOCAL  # Your Kerberos realm name, typically the uppercase form of your organization's domain name

[realms]
    EXAMPLE.COM = {
        kdc = ills7i8hyt2.apidog.local # KDC server address, assumed here to be the FQDN of the domain controller
        admin_server = ills7i8hyt2.apidog.local # Usually the same as the KDC
    }

[domain_realm]
    .apidog.local = APIDOG.LOCAL  # Mapping between domain name and Kerberos realm name, left side is lowercase
    apidog.local = APIDOG.LOCAL
  • Save and close the file.

Step 4: Log in to AD Account

To authenticate with Kerberos, you can use either the GUI or CLI tools on macOS.

GUI: Use Ticket Viewer to add your identity. Open Spotlight, search for Ticket Viewer, then add your credentials.

Log in to AD Account

CLI: Alternatively, you can use the kinit command: bash kinit <username@domain>

Check your Kerberos tickets with: bash klist

# Obtain a Ticket for an AD account
kinit <username@domain>
# Check local Tickets
klist

Step 5: Configure Kerberos Authentication in Apidog

Now that you’re logged into your AD account and Kerberos is set up, open Apidog and follow these steps:

  • Create a New Request in Apidog.
Open Apidog and create "New Request."
  • In the Auth section, select Kerberos as the authentication type.
Configure Auth in Apidog
  • Enter the Service Principal Name (SPN), which is a combination of your KDC server and realm name. For example: HTTP/ills7i8hyt2.apidog.local@APIDOG.LOCAL
configuring Kerberos authentication
  • Click Send to test the API.
Testing Kerberos-Authenticated APIs with Apidog on macOS

Troubleshooting 401 Errors

If you encounter a 401 Unauthorized error, check the following:

  • DNS Configuration: Ensure DNS is set up correctly.
  • Kerberos Setup: Verify your Kerberos configuration in krb5.conf.
  • Credential Validity: Ensure your username and password are correct and active.
  • API Access Permissions: Confirm you have the necessary permissions to access the API.
  • Ticket Expiration: Kerberos tickets expire, so ensure your ticket is still valid. You may need to renew it with kinit.
the event of encountering 401 error

Configuring Kerberos Authentication on Windows

For domain-joined Windows systems, Apidog integrates seamlessly with existing Kerberos configurations. If your system is already part of a domain, no additional configuration is needed to begin testing Kerberos-authenticated APIs.

For non-domain systems, you'll need administrative privileges and valid domain credentials to join the domain and set up Kerberos. Here is the steps involved:

  1. Configure your DNS settings to point to the domain's DNS servers.
  2. Navigate to System Settings > Access Work or School to access domain settings.
  3. Complete the domain joining process by providing the necessary authorized credentials.

Using Apidog to Test NTLM-Authenticated APIs

In addition to Kerberos, Apidog also supports NTLM authentication, commonly used for legacy systems. NTLM is faster but less secure than Kerberos, making it ideal for smaller networks or as a fallback when Kerberos is unavailable.

For NTLM authentication, simply enter your username and password in Apidog’s Auth section and click Send—no additional setup required.

Step 1: Preparation & Modify Local DNS

NTLM authentication is straightforward and only requires your company-provided account and password. Ensure that you have the latest version of Apidog downloaded and registered.

Since NTLM-authenticated endpoints are often accessed within the internal network, make sure your DNS server is configured to point to the Active Directory (AD) server address.

Step 2: Configure Auth in Apidog

Configuring NTLM authentication in Apidog is simple and doesn’t require additional setup.

In the Auth section of Apidog, select NTLM Authentication as the authentication type. You'll be prompted to enter your username and password in the respective fields.

Using Apidog to Test NTLM-Authenticated APIs

Once you've filled in your credentials, click the Send button to complete the authentication process.

Benefits of Kerberos Authentication

Kerberos offers several advantages that make it the preferred authentication method for enterprises:

  • Centralized Authentication: All authentication is handled by a central server, making user management and policy enforcement easier.
  • Mutual Authentication: Both the client and server verify each other’s identity, providing an added layer of security.
  • Single Sign-On (SSO): Once authenticated, users can access multiple services without needing to log in again.
  • Ticket-based Authentication: User credentials (passwords) are never transmitted over the network. Instead, encrypted tickets are used to prove identity.
  • Limited Ticket Validity: Tickets are time-stamped and expire after a set period, reducing the risks associated with compromised credentials.
  • Reduced Server Load: Servers don’t need to authenticate users repeatedly, improving system performance.

Conclusion

In modern enterprise environments, both Kerberos and NTLM play critical roles in authentication. While Kerberos offers enhanced security for large-scale deployments, NTLM provides compatibility with older systems and smaller networks.

With Apidog’s native support for both protocols, testing APIs that rely on these authentication methods becomes straightforward, whether you’re working with Kerberos-authenticated services in a Windows, Mac, or Linux environment, or using NTLM for legacy systems.

Apidog helps you test and validate your authentication setup efficiently, saving time and reducing frustration for developers and QA teams. Get started with Apidog today and experience seamless, secure API testing with built-in Kerberos and NTLM support.

button
How to Install Newman and Run Postman Collections in NewmanTutorials

How to Install Newman and Run Postman Collections in Newman

By following this guide, you will learn how to install Newman and execute Postman collections, enabling you to automate your API testing process. A recommend Apidog as a powerful alternative.

David Demir

December 5, 2024

How to Fetch GraphQL with API?Tutorials

How to Fetch GraphQL with API?

Discover how to fetch GraphQL data efficiently using the Fetch API and Apidog. Learn advanced techniques, optimize performance, and secure your API for robust applications. Download Apidog for free to streamline your API workflows.

Ashley Innocent

November 28, 2024

What is Faker.js and How You Can Use It in Apidog for Generating Mocking DataTutorials

What is Faker.js and How You Can Use It in Apidog for Generating Mocking Data

Discover what Faker.js is and how to use it in Apidog to generate mock data for API testing. Learn step-by-step instructions, practical examples, and best practices.

Ashley Innocent

November 27, 2024