diff --git a/modules/concepts/examples/authenticationclass-kerberos.yaml b/modules/concepts/examples/authenticationclass-kerberos.yaml new file mode 100644 index 000000000..855375ee6 --- /dev/null +++ b/modules/concepts/examples/authenticationclass-kerberos.yaml @@ -0,0 +1,8 @@ +apiVersion: authentication.stackable.tech/v1alpha1 +kind: AuthenticationClass +metadata: + name: kerberos-auth +spec: + provider: + kerberos: + kerberosSecretClass: kerberos-auth diff --git a/modules/concepts/pages/authentication.adoc b/modules/concepts/pages/authentication.adoc index 1f85af71c..f345b2cf0 100644 --- a/modules/concepts/pages/authentication.adoc +++ b/modules/concepts/pages/authentication.adoc @@ -18,6 +18,7 @@ The following authentication providers are supported: * <>: Authenticate users using an LDAP server. * <>: Authenticate users using an OpenID connect provider. * <>: Authenticate users with client TLS certificates. +* <>: Authenticate users with Kerberos keytabs. * <>: Authenticate users against a static list of users and passwords in a simple Kubernetes Secret. [#ldap] @@ -76,6 +77,16 @@ A sample TLS provider looks as follows: include::example$authenticationclass-tls.yaml[] ---- +[#kerberos] +=== Kerberos +The `Kerberos` provider configures a product to authenticate users using Kerberos tickets issued by the Kerberos Key Distribution Center (KDC). +The Kerberos provider defines `kerberosSecretClass` which points to a Kerberos SecretClass that contains the necessary KDC and realm information: + +[source,yaml] +---- +include::example$authenticationclass-kerberos.yaml[] +---- + [#static] === Static The `static` provider is used to represent a simple - static - set of users.
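Review bot: In the new `authenticationclass-kerberos.yaml`, `metadata.name` and `kerberosSecretClass` are both `kerberos-auth`, so a reader cannot tell from the example that these are two different objects (the AuthenticationClass and the SecretClass it references). Give the referenced SecretClass a visibly different name in the example so that it is clear which one has to exist beforehand.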
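Review bot: The list entry added in the first `authentication.adoc` hunk says "Authenticate users with Kerberos keytabs", while the new section below says users are authenticated "using Kerberos tickets issued by the Kerberos Key Distribution Center (KDC)". Use one description in both places. The ticket wording matches what the section describes; if keytabs are involved only through the SecretClass, say so in the section rather than in the one-line summary.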
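Review bot: In the new `[#kerberos]` section, the provider is written as `Kerberos` in code formatting, but the key in the example is `kerberos` and the following section writes `static` in lower case; use `kerberos` so the literal matches what goes in the manifest. The sentence introducing `kerberosSecretClass` would also benefit from a cross-reference to the SecretClass documentation, since "the necessary KDC and realm information" is not explained here, and from a comma before "which".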