diff --git a/crates/stackable-operator/CHANGELOG.md b/crates/stackable-operator/CHANGELOG.md
index 6d7ebe9f4..df10d7e03 100644
--- a/crates/stackable-operator/CHANGELOG.md
+++ b/crates/stackable-operator/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- Add Kerberos AuthenticationProvider ([#880]).
+
+[#880]: https://github.com/stackabletech/operator-rs/pull/880
+
 ## [0.77.1] - 2024-09-27
 
 ### Fixed
diff --git a/crates/stackable-operator/src/commons/authentication/kerberos.rs b/crates/stackable-operator/src/commons/authentication/kerberos.rs
new file mode 100644
index 000000000..5b4ffe893
--- /dev/null
+++ b/crates/stackable-operator/src/commons/authentication/kerberos.rs
@@ -0,0 +1,11 @@
+use schemars::JsonSchema;
+use serde::{Deserialize, Serialize};
+
+#[derive(
+    Clone, Debug, Deserialize, Eq, Hash, JsonSchema, Ord, PartialEq, PartialOrd, Serialize,
+)]
+#[serde(rename_all = "camelCase")]
+pub struct AuthenticationProvider {
+    /// Mandatory SecretClass used to obtain keytabs.
+    pub kerberos_secret_class: String,
+}
diff --git a/crates/stackable-operator/src/commons/authentication/mod.rs b/crates/stackable-operator/src/commons/authentication/mod.rs
index b5356b512..bf5563b92 100644
--- a/crates/stackable-operator/src/commons/authentication/mod.rs
+++ b/crates/stackable-operator/src/commons/authentication/mod.rs
@@ -6,6 +6,7 @@ use strum::Display;
 
 use crate::client::Client;
 
+pub mod kerberos;
 pub mod ldap;
 pub mod oidc;
 pub mod static_;
@@ -77,6 +78,10 @@ pub enum AuthenticationClassProvider {
     /// The [TLS provider](DOCS_BASE_URL_PLACEHOLDER/concepts/authentication#_tls).
     /// The TLS AuthenticationClass is used when users should authenticate themselves with a TLS certificate.
     Tls(tls::AuthenticationProvider),
+
+    /// The [Kerberos provider](DOCS_BASE_URL_PLACEHOLDER/concepts/authentication#_kerberos).
+    /// The Kerberos AuthenticationClass is used when users should authenticate themselves via Kerberos.
+    Kerberos(kerberos::AuthenticationProvider),
 }
 
 impl AuthenticationClass {
@@ -183,6 +188,13 @@ mod tests {
         let tls_provider = AuthenticationClassProvider::Tls(AuthenticationProvider {
             client_cert_secret_class: None,
         });
-        assert_eq!("Tls", tls_provider.to_string())
+        assert_eq!("Tls", tls_provider.to_string());
+
+        let kerberos_provider = AuthenticationClassProvider::Kerberos(
+            crate::commons::authentication::kerberos::AuthenticationProvider {
+                kerberos_secret_class: "kerberos".to_string(),
+            },
+        );
+        assert_eq!("Kerberos", kerberos_provider.to_string());
     }
 }