How to enable Kerberos authenticated SMB scans using credentials in GVM 22.4 / 23.4?

Hello,

I’m trying to perform authenticated Windows scans over SMB using Kerberos instead of NTLM. I have a valid domain account and a proper keytab / tickets on the scanner host, but I can’t find any documentation or working example of how to configure Kerberos authentication in the “Credentials” section for SMB:
Vulnerability Scanning: a new credential type for Kerberos authentication on Microsoft Windows systems was added. Authenticated scans via Kerberos will still be done with the help of the SMB protocol. The already existing SMB credentials, which use NT (New Technology) LAN Manager (NTLM) for authentication, were renamed to SMB (NTLM) on the web interface to avoid confusion. In order to enable authentication via Kerberos on a target, the appliance must use a DNS server that is capable of doing a reverse lookup of the target and the target must be part of a functioning Microsoft Windows domain with a working domain controller, DNS infrastructure, and network. If the authentication via Kerberos fails, NTLM authentication will be tried as a fallback (#SC-1131, #GEA-894, #GS-6331).

Current environment: GVM version: 22.4.x. Scanner is joined to the domain.

What I’ve tried so far:

  • Created “SMB” credentials in the web interface

  • Wrote “Username” in the format user@DOMAIN.LOCAL

  • Wrote “Password”

  • Result: the scan fails with “auth failure”

What exact steps are required in the “Credentials” → SMB section to make it use Kerberos instead of NTLM? Is there any working example or official documentation for this use case?

Any help or pointers would be greatly appreciated!

Thank you!

Kerberos support is not enabled in the Community Edition products. See the screenshots attached; the official documentation and changelog you are viewing are for the Enterprise products.

However, inspecting the user interfaces, you will find that the Kerberos credential type is not available in the Community Edition (see screenshots).

Community Edition Credentials Dialog

Enterprise Appliance Credentials Dialog

A few short remarks:

Thanks for clarifying that. I was waiting to be corrected there. :slight_smile:
I saw that Kerberos was included in the commits way back in openvas-scanner v23.14.0 via libkrb5-dev. But I failed to see that it needed to be enabled in GSA. I guessed it was just disabled for the Community Edition.

The Kerberos credentials are just not enabled by default in the UI. See the enableKrb5 setting for enabling them.

Thank you for answering my question!

I did the following:

  1. Created ./gsa-web/config.js on the host with this content:

    config = { enableKrb5: true };
    
  2. Added the volume to the gsa service in docker-compose.yml:

    - ./gsa-web/config.js:/usr/share/gvm/gsad/web/config.js
    
  3. Ran docker compose down && docker compose up -d
    The file is definitely inside the container at the correct path and has the right content.

After that there is still no Kerberos credential type in Configuration → Credentials.
The setting seems to be completely ignored.

Is the path/mount definitely correct, or is something else required for enableKrb5 to be applied?

You can check the config.js file in use in your browser, either by putting the URL directly into your browser or by using the network tab and the corresponding request entry. After changing the value in the config.js file you need to reload the whole browser window. Otherwise the change will not be applied in the web application.

Btw. I just checked with enableKrb5: false and enableKrb5: true and it works as expected. In the Target dialog the SMB (Kerberos) field shows up with enableKrb5: true.

Could you please describe in more detail what kind of URL needs to be used? So far, all my attempts to make this work have been unsuccessful.

The config.js is in the root directory. So it’s http(s)://<server>/config.js. If you get a blank page, the file is empty.

Could you please tell me what else I can try or what I might be doing wrong, taking into account the information above about mounting the config and its contents?

Should be

    - ./gsa-web/config.js:/usr/local/share/gvm/gsad/web/config.js
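To narrow down where a setup like the one above goes wrong, here is an added shell script (not from this thread and not Greenbone's code) that reads the enableKrb5 value out of a config.js in three places: the host-side file, the copy the browser actually loads at http(s)://<server>/config.js as suggested above, and the copy inside the gsa container at the mount path given in the reply above. The compose service name gsa, the use of docker compose exec, and curl's -k flag (for a self-signed GSA certificate) are assumptions; the sample config.js contents used for checking are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Greenbone: report what
# enableKrb5 is set to in a GSA config.js, so a missing SMB (Kerberos)
# credential type can be traced to an empty, unmounted or mis-set file.

# Mount path inside the gsa container (from the correction in the thread above).
GSA_CONFIG_PATH=/usr/local/share/gvm/gsad/web/config.js

# Read config.js text on stdin and print the enableKrb5 value:
# "true", "false", or "unset" when the key is absent or not a boolean.
krb5_setting() {
  awk '
    match($0, /enableKrb5[ \t]*:[ \t]*(true|false)/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/.*:[ \t]*/, "", s)   # keep only the boolean after the colon
      print s
      found = 1
      exit
    }
    END { if (!found) print "unset" }
  '
}

# Same check for a file on disk, e.g. the host-side ./gsa-web/config.js.
# A missing or empty file (the "blank page" case) also reports "unset".
krb5_setting_from_file() {
  [ -s "$1" ] || { echo "unset"; return 0; }
  krb5_setting < "$1"
}

# Fetch the copy the browser really loads, e.g. https://scanner.example/config.js.
# An empty body means the file is empty; a curl error means it is not served.
krb5_setting_served() {
  curl -fsS -k "$1/config.js" | krb5_setting
}

# Inspect the copy inside the running gsa service (service name assumed: gsa).
krb5_setting_in_container() {
  docker compose exec -T "${1:-gsa}" cat "$GSA_CONFIG_PATH" 2>/dev/null | krb5_setting
}

# Succeed only when the host-side file sets enableKrb5 to exactly true.
krb5_enabled() {
  [ "$(krb5_setting_from_file "$1")" = "true" ]
}
```

Usage: `krb5_enabled ./gsa-web/config.js`, then `krb5_setting_served https://<server>` and `krb5_setting_in_container gsa`; if the host file says true but the served copy says unset, the volume is mounted at the wrong path or the browser window was not reloaded.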

Thanks for your answers, it really helped.