Requirements

Browsers like Chrome, Edge and Internet Explorer require the user to be logged in to the computer with a domain account. These browsers will only send Kerberos tickets to sites that are in the Local Intranet Security Zone.

Edge and Google Chrome will also allow Kerberos to sites in the Local Intranet Zone.

Manual configuration and inspection

For testing purposes, you might be able to configure Zone settings locally in Internet Explorer. 

Go to Tools / Internet Options / Security / Local Intranet / Sites / Advanced

However, in most organizations, the zone assignment is done centrally through the use of Group Policy Objects. 

For Internet Explorer, ensure "Display company intranet sites in compatibility view" is disabled. Jira/Confluence will not work properly in compatibility mode. See the following for further details.

Group Policy configuration

In this example, we create a new policy to hold the settings. 


Create the new Group Policy and edit it after creation

Setting appropriate values

Right-click and select Edit your Policy (see screenshot below):

In Group Policy Management Editor that comes up, navigate to:

Computer Configuration / Policies / Administrative Templates / Windows Components / Internet Explorer / Internet Control Panel / Security Page / Site to Zone Assignment List.

And press the "Show" button on the left to edit the list.

Place the site host from the URL (e.g., issues.example.com) in zone 1, Intranet Zone.

The address can be specified with a wildcard (*.example.com) or with an FQDN (issues.example.com).

Info

Chrome has been known to interpret wildcard and FQDN entries differently in some cases. If Kerberos does not work with Chrome, try adding the FQDN of the server URL to zone 1.

Verifying the settings in Group Policy Management

Choose the newly created policy and then Settings on the right. Verify that the Site to Zone Assignment List is correct.

If the settings are applied to Computer Configuration, the policy must be placed on an OU with computers or placed so that the policy is inherited.

Info

If the settings are applied to User Configuration, the policy must be placed on an OU with users or placed so that the policy is inherited.

Verifying the settings on the client

On the client machine, open a PowerShell or Command Prompt window and run the command gpupdate to refresh the new domain group policy:


Navigate in Windows to Control Panel - Internet Options - Security - Local Intranet - Sites - Advanced 

Verify that the settings from Group Policy are applied. "Automatically detect intranet network" should be left unchecked as we have seen unstable conditions for Kerberos if this is checked.


Whether the site has been added to the Local Intranet Zone can also be checked in Internet Explorer by accessing https://issues.example.com and checking the Zone value.
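The same check can be scripted on the client after gpupdate. The following PowerShell is an added example, not part of the original page: it reads the Site to Zone Assignment List entries delivered by policy and reports whether issues.example.com lands in zone 1, and whether it matched only through a wildcard entry (the case the Chrome note above warns about). It assumes the policy stores its entries under the ZoneMapKey policy registry key; the function names Get-ZoneAssignment and Test-IntranetZone are hypothetical.

```powershell
# Added example. Assumption: the "Site to Zone Assignment List" policy writes one
# string value per entry (name = site, data = zone number) under ZoneMapKey.
$PolicyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',  # Computer Configuration
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'   # User Configuration
)

function Get-ZoneAssignment {
    # Returns one object per policy entry found under the given registry keys.
    param([string[]]$Keys = $PolicyKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }      # policy not applied at this scope
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }           # skip the key's default value
            [pscustomobject]@{ Site = $name; Zone = [string]$item.GetValue($name); Source = $key }
        }
    }
}

function Test-IntranetZone {
    # Matches a host name against the entries; -like handles the *.example.com form.
    param([string]$HostName, [object[]]$Entries)
    foreach ($e in $Entries) {
        # Entries may carry a scheme (https://host); strip it before comparing.
        $pattern = $e.Site -replace '^[a-z*]+://', ''
        if ($HostName -like $pattern) {
            [pscustomobject]@{
                Host        = $HostName
                MatchedBy   = $e.Site
                Zone        = $e.Zone
                IsIntranet  = ($e.Zone -eq '1')        # zone 1 = Intranet Zone
                ViaWildcard = $pattern.Contains('*')   # if true and Chrome fails, add the FQDN
                Source      = $e.Source
            }
        }
    }
}

$entries = @(Get-ZoneAssignment)
$result  = @(Test-IntranetZone -HostName 'issues.example.com' -Entries $entries)
if ($result.Count -eq 0) {
    Write-Warning 'No Site to Zone Assignment entry matches issues.example.com'
}
$result | Format-Table -AutoSize
```

An empty result after gpupdate usually means the policy is linked to an OU that does not contain this computer or user, which is the placement condition described in the Group Policy Management section.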
