How to configure GSSAPI authentication in PuTTY

Configuring GSSAPI authentication in PuTTY enables Kerberos single sign-on for SSH sessions on Windows 11, reducing password prompts and keeping interactive administration consistent across many servers.

In SSH, GSSAPI commonly negotiates a Kerberos-based method (such as gssapi-with-mic) where the client proves identity using the current logon ticket cache instead of sending a reusable secret across the network.

Successful GSSAPI logins require server-side support (for example OpenSSH with GSSAPIAuthentication enabled), accurate DNS hostnames that match the server service principal, and acceptable time sync; enabling credential delegation extends the ticket to the remote host and should be limited to trusted systems.

Related: How to enable or disable GSSAPI authentication in SSH
Related: How to use public key authentication in PuTTY

Steps to configure GSSAPI authentication in PuTTY:

  1. Launch PuTTY.
  2. Enter the SSH server hostname as a fully-qualified domain name in Host Name (or IP address).

    Kerberos typically fails when connecting by raw IP address because the ticket is issued to a hostname-based service principal.

  3. Confirm a valid Kerberos ticket exists for the current Windows logon session. 
    C:\> klist

Current LogonId is 0:0x3e7
Cached Tickets: (2)

#0>     Client: user@EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        Start Time: 12/16/2025 08:10:12 (local)
        End Time:   12/16/2025 18:10:12 (local)
##### snipped #####
  4. Open ConnectionSSHAuth in the category tree.
  5. Enable Attempt GSSAPI authentication.
  6. Enable Allow GSSAPI credential delegation only when multi-hop Kerberos is required.

    Credential delegation allows the remote server to reuse delegated credentials for onward access; enabling it on an untrusted host can expose domain resources.

  7. Set Auto-login username under ConnectionData when the SSH account name must be explicit.
  8. Return to the Session category.
  9. Enter a name in Saved Sessions.
  10. Click Save to store the configuration.
  11. Select the saved session and click Open.
  12. Accept the server host key prompt only when the fingerprint matches the expected server identity.

    Accepting an unexpected host key can indicate a man-in-the-middle attack or a server identity change.

    Related: How to update or delete PuTTY host key fingerprints on Windows

  13. Confirm authentication completes without a password prompt when GSSAPI succeeds.
  14. Open Event Log from the PuTTY window system menu to confirm GSSAPI authentication was attempted.