Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This guide will show how to establish password-less Integrated Windows Authentication (Kerberos) single sign-on for a Confluence instance available at https://wiki.example.com. The Windows uses are logged into their computers using the Active Directory domain EXAMPLE.LOCAL.

...

Canonical host name

In our case wiki.example.com is the actual Canonical name (A RECORD) and we can use this. (If wiki.example.com was a DNS CNAME alias, say for server123.example.local, then the canonical name should be server123.example.local.)

...

Command / parameter

Description

Code Block
ktpass

ktpass is pre-installed in Windows 2008 onward. Located in c:\Windows\System32

Code Block
/princ HTTP/issueswiki.example.com@EXAMPLE.LOCAL

HTTP is always used for web servers, also when using https.

issueswiki.example.com is the canonical DNS name of JIRAConfluence

EXAMPLE.LOCAL is the Kerberos realm name of the Active Directory Domain

Code Block
/mapuser svc-jirassoconfluence-issues@EXAMPLEsso@EXAMPLE.LOCAL

Maps the /princ name above to the account svc-jirassoconfluence-issuessso.

ktpass will add this attribute on the account:

Code Block
servicePrincipalName: HTTP/issueswiki.example.com
Code Block
/crypto AES2568-SHA1

Specifies the encryption type used when generating keys in the keytab. Must match the account supported encryption type.

Code Block
/ptype KRB5_NT_PRINCIPAL

The general ptype, recommended by Microsoft.

Code Block
/out c:\issueswiki.example.com

Output location of the generated keytab file

...

Running the ktpass command will output a keytab file and register wiki.example.com as an HTTP Kerberos service.

...