---
title: Kerberos Authentication for browser monitors
description: Kerberos Authentication enables monitoring on Single Sign-On (SSO) protected sites, usually behind Microsoft Active Directory. Browser monitors already...
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6774/solutions/observability/synthetics/kerberos-for-browser-monitors
products:
  - Elastic Cloud Serverless
  - Elastic Observability
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available
---

# Kerberos Authentication for browser monitors
Kerberos Authentication enables monitoring on Single Sign-On (SSO) protected sites, usually behind Microsoft Active Directory.
<admonition title="Requirements">
  - Kerberos Authentication works for **Private Locations only**. It will not work from Elastic's managed global locations.
  - Credentials must be made available to the agent process beforehand: a keytab for the service account plus a ticket cache initialized with `kinit` (`KRB5CCNAME`). Keep the ticket fresh with a cron job or `systemd` timer (e.g. `kinit -R` every few hours, `kinit -kt` on failure).
  - `/etc/krb5.conf` must be configured for your realm.
  - The SPN (e.g. `HTTP/intranet.corp.local@CORP.LOCAL`) must be registered against the service account that fronts the protected URL.
</admonition>


## Configuring Kerberos authentication

Browser monitors already have first-class support for SSO Kerberos authentication. Specify the protected domains under `playwrightOptions.args`:
```ts
playwrightOptions: {
  args: [
    '--auth-server-allowlist=*.corp.local,corp.local',
    '--auth-negotiate-delegate-allowlist=*.corp.local',
  ],
}
```

The hostname must match an entry in `--auth-server-allowlist`. The matcher is hostname-only and supports shell-style wildcards — `*.corp.local` will NOT match the bare `corp.local`.
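
A preflight check for the matching rule above, written as an added example (not part of the Elastic Synthetics API or Chromium's own matcher). It approximates the hostname-only, shell-style wildcard behaviour described here; `patternToRegExp`, `hostAllowed`, `uncoveredUrls` and the sample URLs are hypothetical names and constructed data.

```typescript
// Added example: approximates the rule stated above (hostname-only,
// shell-style wildcards). It is not Chromium's implementation.

// Same value as passed to --auth-server-allowlist in the config above.
const AUTH_SERVER_ALLOWLIST = '*.corp.local,corp.local';

// Turn one shell-style pattern into an anchored, case-insensitive RegExp.
function patternToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .trim()
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except * and ?
    .replace(/\*/g, '.*')                 // * matches any run of characters
    .replace(/\?/g, '.');                 // ? matches a single character
  return new RegExp('^' + escaped + '$', 'i');
}

// True when the URL's hostname matches an allowlist entry.
// Scheme, port and path are ignored because the match is hostname-only.
function hostAllowed(url: string, allowlist: string): boolean {
  const hostname = new URL(url).hostname;
  return allowlist
    .split(',')
    .filter((p) => p.trim().length > 0)
    .some((p) => patternToRegExp(p).test(hostname));
}

// Return the monitor URLs whose hostname matches no allowlist entry.
function uncoveredUrls(urls: string[], allowlist: string): string[] {
  return urls.filter((u) => !hostAllowed(u, allowlist));
}

// Constructed sample monitor targets.
const sampleUrls = [
  'https://intranet.corp.local/dashboard',
  'https://corp.local/',
  'https://wiki.corp.local:8443/home',
  'https://corp.local.example.net/login', // look-alike suffix, must not match
];

// Full allowlist: only the look-alike host is left uncovered.
console.log(uncoveredUrls(sampleUrls, AUTH_SERVER_ALLOWLIST));
// Wildcard entry alone: the bare corp.local host is also reported.
console.log(uncoveredUrls(sampleUrls, '*.corp.local'));
```

Running a check like this before pushing monitors catches a URL that falls outside the allowlist, including the bare-domain case.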