---
title: Kerberos authentication for browser monitors
description: Kerberos auhtentication enables monitoring on single sign-on (SSO) protected sites, usually behind Microsoft Active Directory. Browser monitors support...
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6984/solutions/observability/synthetics/kerberos-for-browser-monitors
products:
  - Elastic Cloud Serverless
  - Elastic Observability
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available
---

# Kerberos authentication for browser monitors
Kerberos auhtentication enables monitoring on single sign-on (SSO) protected sites, usually behind Microsoft Active Directory.
<admonition title="Requirements">
  - Kerberos authentication works for **Private Locations only**. It does not work from Elastic's managed global locations.
  - Provide the agent process with a keytab for the service account and a `kinit` 'd ticket cache (KRB5CCNAME). Use a cron job or systemd timer to renew the ticket regularly (for example, `kinit -R` every few hours, or `kinit -kt` on failure).
  - Configure `/etc/krb5.conf` for your realm.
  - Register the SPN (for example, `HTTP/intranet.corp.local@CORP.LOCAL`) on the service account that fronts the protected URL.
</admonition>


## Configuring Kerberos authentication

Browser monitors support for SSO Kerberos authentication natively. Specify the protected domains under `playwrightOptions.args`:
```ts
playwrightOptions: {
  args: [
    '--auth-server-allowlist=*.corp.local,corp.local',
    '--auth-negotiate-delegate-allowlist=*.corp.local',
  ],
}
```

The hostname must match an entry in `--auth-server-allowlist`. Matching is hostname-only and supports shell-style wildcards — `*.corp.local` will not match the bare `corp.local`.