docs/content/doc/features/authentication.en-us.md
39 additions & 0 deletions
@@ -216,3 +216,42 @@ configure this, set the fields below:
216
216
217
217
- Log in to Gitea as an Administrator and click on "Authentication" under Admin Panel.
218
218
Then click `Add New Source` and fill in the details, changing all where appropriate.
219
+
220
+
## SPNEGO with SSPI (Kerberos/NTLM, for Windows only)
221
+
222
+
Gitea supports SPNEGO single sign-on authentication (the scheme defined by RFC4559) for the web part of the server via the Security Support Provider Interface (SSPI) built in Windows. SSPI works only in Windows environments - when both the server and the clients are running Windows.
223
+
224
+
Before activating SSPI single sign-on authentication (SSO) you have to prepare your environment:
225
+
226
+
- Create a separate user account in active directory, under which the `gitea.exe` process will be running (eg. `user` under domain `domain.local`):
227
+
228
+
- Create a service principal name for the host where `gitea.exe` is running with class `HTTP`:
229
+
- Start `Command Prompt` or `PowerShell` as a priviledged domain user (eg. Domain Administrator)
230
+
- Run the command below, replacing `host.domain.local` with the fully qualified domain name (FQDN) of the server where the web application will be running, and `domain\user` with the name of the account created in the previous step:
231
+
```
232
+
setspn -A HTTP/host.domain.local domain\user
233
+
```
234
+
235
+
- Sign in (*sign out if you were already signed in*) with the user created
236
+
237
+
- Make sure that `ROOT_URL` in the `[server]` section of `custom/conf/app.ini` is the fully qualified domain name of the server where the web application will be running - the same you used when creating the service principal name (eg. `host.domain.local`)
238
+
239
+
- Start the web server (`gitea.exe web`)
240
+
241
+
- Enable SSPI authentication by adding an `SPNEGO with SSPI` authentication source in `Site Administration -> Authentication Sources`
242
+
243
+
- Sign in to a client computer in the same domain with any domain user (client computer, different from the server running `gitea.exe`)
244
+
245
+
- If you are using Chrome, Edge or Internet Explorer, add the URL of the web app to the Local intranet sites (`Internet Options -> Security -> Local intranet -> Sites`)
246
+
247
+
- Start Chrome, Edge or Internet Explorer and navigate to the FQDN URL of gitea (eg. `http://host.domain.local:3000`)
248
+
249
+
- Click the `Sign In` button on the dashboard and choose SSPI to be automatically logged in with the same user that is currently logged on to the computer
250
+
251
+
- If it does not work, make sure that:
252
+
- You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are runnning on the same computer NTLM will be prefered over Kerberos.
253
+
- There is only one `HTTP/...` SPN for the host
254
+
- The SPN contains only the hostname, without the port
255
+
- You have added the URL of the web app to the `Local intranet zone`
256
+
- The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)
257
+
-`Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)
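Review bot: The `setspn -A HTTP/host.domain.local domain\user` step registers the SPN without checking for an existing one, yet the troubleshooting list in this same hunk requires that there is only one `HTTP/...` SPN for the host. Suggest documenting `setspn -S` instead, which checks for a duplicate before adding, so the conflict is caught at setup time rather than during troubleshooting. Smaller points in this hunk: the "Create a separate user account in active directory" bullet ends in a colon with nothing following it; the final bullet starts with a dash and a backtick with no space between them, so it may not render as a list item; `priviledged`, `runnning` and `prefered` are misspelled; and the example URL is `http://host.domain.local:3000`, so the text should say whether the SSO login is expected to be served over HTTPS in a real deployment.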
Gitea repositories can include a `.gitea` directory at their base which will store settings/configurations for certain features.
18
+
19
+
## Templates
20
+
Gitea includes template repositories, and one feature implemented with them is auto-expansion of specific variables within your template files.
21
+
To tell Gitea which files to expand, you must include a `template` file inside the `.gitea` directory of the template repository.
22
+
Gitea uses [gobwas/glob](https://github.com/gobwas/glob) for its glob syntax. It closely resembles a traditional `.gitignore`, however there may be slight differences.
23
+
24
+
### Example `.gitea/template` file
25
+
All paths are relative to the base of the repository
26
+
```gitignore
27
+
# All .go files, anywhere in the repository
28
+
**.go
29
+
30
+
# All text files in the text directory
31
+
text/*.txt
32
+
33
+
# A specific file
34
+
a/b/c/d.json
35
+
36
+
# Batch files in both upper or lower case can be matched
37
+
**.[bB][aA][tT]
38
+
```
39
+
**NOTE:** The `template` file will be removed from the `.gitea` directory when a repository is generated from the template.
40
+
41
+
### Variable Expansion
42
+
In any file matched by the above globs, certain variables will be expanded.
43
+
All variables must be of the form `$VAR` or `${VAR}`. To escape an expansion, use a double `$$`, such as `$$VAR` or `$${VAR}`
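Review bot: The sentence "It closely resembles a traditional `.gitignore`, however there may be slight differences" leaves the reader to discover those differences by trial; name at least one concrete difference or link to the relevant part of the gobwas/glob documentation, since a glob that matches more files than intended means more files get variable expansion applied. In the Variable Expansion section, "certain variables will be expanded" is not followed, in the lines shown here, by the list of variable names; add that list (or confirm it follows) so template authors know which `$VAR` tokens need the `$$` escape. Minor: the sentences "All paths are relative to the base of the repository" and the one on `$$VAR` / `$${VAR}` are missing their final period.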