Lauren Zuniga
When employee authentication fails or becomes unreliable, users can lose access to the critical systems they need. Authentication enables access to internal tools like HR applications, finance portals, and internal dashboards, so even short outages can interrupt day-to-day work, while persistent issues increase the risk of broader operational disruption.
To proactively detect these failures, Datadog Synthetic Monitoring now supports Microsoft Active Directory with Kerberos single sign-on (SSO). With this new feature, you can run automated tests from within Datadog Synthetics against Kerberos-protected web applications and APIs from a private location within your network. This ensures tests run within your Active Directory domain authenticate as expected.
In this post, we’ll cover how to monitor Kerberos-authenticated applications and configure Kerberos authentication in Datadog Synthetic Monitoring. We’ll also show how extending visibility to authentication helps maintain productivity, reduce operational risk, and unify monitoring across internal and external applications.
Monitoring Kerberos-authenticated applications
While Kerberos is a secure and widely adopted authentication protocol, it can be difficult to monitor effectively. Many tools can confirm whether a Kerberos server is running, but they often can’t validate whether end-to-end authentication is working. Because Kerberos relies on multistep ticket exchanges with Active Directory, issues like expired credentials, misconfigured domain controllers, or DNS errors can block access even when the underlying infrastructure appears healthy. As a result, these failures may only be discovered once employees are unable to sign in.
With Kerberos support in Datadog Synthetic Monitoring, you can verify authentication workflows directly and ensure employees maintain access to the applications and APIs they rely on.
Test critical user journeys continuously
Instead of waiting for users to report login issues, you can schedule synthetic browser tests that repeatedly attempt to sign in with Kerberos authentication. These tests validate that the authentication handshake with Active Directory is successful and confirm internal web applications are accessible, ensuring that employees can complete their workflows without interruption.
Validate Kerberos-protected APIs
Many internal APIs rely on Kerberos authentication to power workflows such as data retrieval, service orchestration, and application logic. If authentication fails at this layer, downstream services may silently break even while frontend portals remain accessible. With Datadog Synthetic Monitoring's API tests, you can configure Kerberos as the authentication type and confirm that endpoints respond correctly under real authentication conditions.
When issues are detected, Datadog Synthetic Monitoring immediately raises an alert, giving you the opportunity to investigate before employees are impacted. This early detection reduces time to resolution and limits the scope of impact.
Configuring Kerberos authentication in Datadog
To perform the ticket exchange that supports Kerberos authentication, requests must originate from a machine within the Active Directory domain so they can communicate with the Key Distribution Center (KDC). For this reason, Kerberos authentication is supported for both API and browser tests executed from a Windows private location. Running tests inside your domain ensures they follow the same authentication process as real users.
For API tests, you can select Kerberos as the authentication type and enter your domain name. This allows each request to authenticate through Active Directory before reaching target endpoints. Browser tests require no additional configuration. The private location automatically manages the Kerberos handshake so you can focus on verifying application availability and workflows.
Learn more in our documentation on installing a Windows private location and configuring Kerberos authentication.
Closing visibility gaps
Datadog Synthetic Monitoring extends coverage to Microsoft Active Directory’s Kerberos-based authentication. You can run automated tests within your domain to validate logins for internal applications and APIs. This ensures employees have continued access to the tools they rely on without interruption. Integrating Kerberos tests with the rest of your monitoring removes blind spots and provides a single source of truth for application performance, making it easier to correlate authentication failures with other system metrics like latency, network performance, or infrastructure health.
Getting started with Kerberos monitoring in Datadog Synthetics
With Kerberos support in Datadog Synthetics, you can proactively monitor the availability and performance of internal applications and APIs that use Microsoft Active Directory for authentication. By continuously validating login workflows and API endpoints, you can help employees stay productive, reduce the risk of authentication-related outages, and maintain unified visibility across your environment.
To learn more, read our documentation on Kerberos Authentication for Synthetic Monitoring. Or, if you’re new to Datadog, sign up for a 14-day free trial to start monitoring your Kerberos-protected applications today.
