
Our add-ons for Jira, Confluence, Bitbucket, Crucible, and Bamboo follow an almost identical pattern. If you have one of those products, this guide is for you.

...

This YouTube video shows the basic steps needed to set up Kerberos login, and what the login experience looks like once it is configured:

https://www.youtube.com/watch?v=WTQRLPDxZwM

Setup wizard

In our add-on configuration page, click Run Kerberos Setup Wizard. 

...

  • It helps you collect essential information about your environment.

  • It shows you how to create and/or configure an Active Directory account.

  • It shows you the ktpass command you will use to create a Kerberos keytab file, which our add-on needs to authenticate users.

Start page

In many cases, the wizard can suggest appropriate configuration values for you automatically.

If this is the case, you will be notified. You might want to jump straight to the task summary using the suggested values instead of going through each step.

...

For the purpose of this guide, though, we will run through each step of the wizard.

Active Directory Connection

Connecting to your Active Directory lets the wizard inspect your AD, suggest values, and validate your configuration.

You can choose a pre-configured User Directory, or connect to an Active Directory server of your choice:

Canonical hostname

If issues.example.com is a DNS CNAME record, say for server123.example.com, then the canonical name is server123.example.com.

Otherwise, if it's a DNS A record, then the canonical name is issues.example.com.

Usually, the wizard can determine this for you by looking it up in DNS on the server.

If that fails, the wizard will instruct you on how to determine this manually on the client side.

...


Note that even if you access JIRA using the short name http://issues, the canonical name is always in FQDN form: it is never just issues, but issues.example.com.
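The lookup the wizard performs can be reproduced on any Windows 8 / Server 2012 or later client with the DnsClient module. The script below is an added example, not code from the original page or from the add-on: it follows CNAME records until it reaches the A/AAAA record and returns that FQDN, which also turns a short name such as issues into issues.example.com. The site URL and hostnames are the hypothetical ones used in this guide.

```powershell
# Added example (not from the original page or the add-on's wizard).
# Determine the canonical hostname for a site URL by following DNS CNAMEs.
# Assumes Resolve-DnsName (Windows 8 / Server 2012+) and the hypothetical
# host issues.example.com from this guide.
function Get-CanonicalHostName {
    param([Parameter(Mandatory)][string]$HostName)

    $name = $HostName.TrimEnd('.')
    $hops = @()
    do {
        if ($hops -contains $name) { throw "CNAME loop detected at $name" }
        $hops += $name
        # -DnsOnly skips LLMNR/NetBIOS, so the answer is what DNS itself says.
        $answers = Resolve-DnsName -Name $name -DnsOnly -ErrorAction Stop
        $cname = $answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if ($cname) { $name = $cname.NameHost.TrimEnd('.') }
    } while ($cname)

    $addr = $answers | Where-Object { $_.Type -in 'A', 'AAAA' } | Select-Object -First 1
    if (-not $addr) { throw "$name has no A/AAAA record" }
    # $addr.Name is the FQDN as DNS returned it, so a short name such as
    # 'issues' comes back as issues.example.com: the form the SPN must use.
    return $addr.Name.TrimEnd('.').ToLowerInvariant()
}

# Usage: derive the canonical name from the URL users type, and the SPN from it.
$siteHost  = ([uri]'http://issues.example.com').Host   # assumed site URL
$canonical = Get-CanonicalHostName -HostName $siteHost
"Canonical host: $canonical"
"SPN to register: HTTP/$canonical"
if ($canonical -ne $siteHost.ToLowerInvariant()) {
    "$siteHost is an alias (CNAME); the keytab principal must use $canonical, not $siteHost"
}
```

Run it on a client machine rather than on the server when you suspect split-brain DNS: what matters is the name the browser resolves, since that is the name it builds the SPN from.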

...

Kerberos services need to be mapped to an Active Directory account. We recommend that you use a separate AD account to map each Kerberos service.

Unless your instance is already mapped, the wizard will suggest an account name such as svc-jirasso-issues.

...

Encryption types

The wizard will suggest the strongest encryption type supported by your environment.

...

  • If your Domain Functional Level is Windows 2003, then only RC4 is supported.

  • AES-256 is only supported if the Java used to run your Atlassian product has the Unlimited Strength Jurisdiction Policy Files installed (Java 8u161 and later ship with unlimited strength enabled by default, so this only concerns older Java releases).

...

Step 1 of the task list describes how to create and/or configure the service account.

...

The account svc-jirasso-issues needs to be created with "password never expires".

Info

Please note that you will need to dedicate the account svc-jirasso-issues to keytab export only, since running the ktpass command resets the account's password. So always use another account for user directory synchronization.

Also, never reuse the same AD user account for multiple domains or environments. Always create a new user account every time you need to run ktpass against a new domain.

Then, in the account options, enable "This account supports Kerberos AES 256 bit encryption":

...

Finally, you may upload the keytab file you created. After the upload has finished, a login test will be performed.

Note that if you have multiple domains, you are offered the option to add keys to the existing keytab file.

...

  • Add a servicePrincipalName attribute on the account with the value HTTP/issues.example.com.

  • Set the userPrincipalName attribute to HTTP/issues.example.com.

  • Ask the admin to provide a password and confirm it.

  • Set that password on the account.

  • Generate a keytab file with an AES-256 key for the principal HTTP/issues.example.com@EXAMPLE.LOCAL.

Note that ktpass must be run from a command prompt opened with "Run as administrator" by a user with Domain Admin permissions.
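The service-account steps above (dedicated account with "password never expires", the AES-256 account option, the SPN, and the ktpass export) together with the encryption-type check from the previous section can be scripted end to end. The following is an added example written for this guide, not the wizard's own code: it uses the ActiveDirectory RSAT module and ktpass.exe, and assumes the hypothetical names from this page (svc-jirasso-issues, HTTP/issues.example.com, realm EXAMPLE.LOCAL) plus an output path C:\keytabs\ of my choosing. Run it in an elevated PowerShell on a domain-joined machine as a Domain Admin.

```powershell
# Added example (not from the original page or the add-on's wizard).
# Creates the dedicated keytab account, marks it AES-256 capable, registers
# the SPN, and exports an AES-256 keytab with ktpass. Assumed names:
# svc-jirasso-issues, HTTP/issues.example.com, EXAMPLE.LOCAL, C:\keytabs\.
Import-Module ActiveDirectory

$Account   = 'svc-jirasso-issues'
$Spn       = 'HTTP/issues.example.com'
$Realm     = 'EXAMPLE.LOCAL'
$Principal = "$Spn@$Realm"
$KeytabOut = 'C:\keytabs\issues.example.com.keytab'

# Encryption types: a 2000/2003 domain functional level only supports RC4.
$mode = (Get-ADDomain).DomainMode
if ($mode -match '2000|2003') { throw "Domain functional level $mode supports RC4 only; cannot issue AES-256 keys" }

# SPNs must be unique in the forest; a duplicate breaks ticket issuance for both owners.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($owner -and $owner.Name -ne $Account) { throw "$Spn is already registered on $($owner.DistinguishedName)" }

# Random password from a CSPRNG. ktpass sets the account's password to this
# value, which is why the account must be dedicated to keytab export.
$alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'  # 64 symbols: no modulo bias
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })

if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description "Kerberos keytab account for $Spn; do not reuse for other services or domains"
}

# "This account supports Kerberos AES 256 bit encryption" is bit 0x10 of
# msDS-SupportedEncryptionTypes; -KerberosEncryptionType AES256 sets exactly that.
Set-ADUser -Identity $Account -KerberosEncryptionType AES256
if (-not $owner) { Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $Spn } }

# ktpass writes the keytab, maps the principal to the account, and (by default)
# sets userPrincipalName to the principal and the account password to /pass.
New-Item -ItemType Directory -Force -Path (Split-Path $KeytabOut) | Out-Null
& ktpass.exe /princ $Principal /mapuser "$Account@$Realm" /pass $password `
    /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out $KeytabOut
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Verify the account state the wizard's login test depends on.
Get-ADUser -Identity $Account -Properties servicePrincipalName, userPrincipalName, 'msDS-SupportedEncryptionTypes', PasswordNeverExpires |
    Select-Object SamAccountName, servicePrincipalName, userPrincipalName, 'msDS-SupportedEncryptionTypes', PasswordNeverExpires
```

For a second domain, rerun ktpass with /in pointing at the keytab you already have and /out at a new file, so the new key is appended rather than the file replaced; this is what the wizard's "add keys to the existing keytab" option does. Treat the keytab like the account's password: restrict the file's ACL, and delete local copies once it has been uploaded.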

...

After uploading the keytab file, you will be redirected to the Kerberos Authentication Test page.

If you're lucky, this test will succeed on your first try:

...

In our case, the test failed. Internet Explorer has not been configured to send Kerberos tickets to issues.example.com, so it falls back to NTLM instead (which shows up as a username and password popup).

...

We need to make sure issues.example.com is placed in the Local Intranet security zone, since that is a requirement for Internet Explorer to send Kerberos tickets.
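The zone assignment, and a check that the client can actually obtain a ticket for the SPN, can both be done from the client's PowerShell. The script below is an added example for this guide, not part of the original page or the add-on: it writes the Local Intranet zone mapping for the current user through the ZoneMap registry keys and then uses klist to request a service ticket. Hostname and SPN are the hypothetical ones from this guide.

```powershell
# Added example (not from the original page or the add-on's wizard).
# Puts issues.example.com in IE's Local Intranet zone for the current user
# and confirms the KDC issues a service ticket for the SPN. Hostname and SPN
# are assumed from this guide. Run on the client as the user who logs in.
$SiteHost = 'issues.example.com'
$Spn      = "HTTP/$SiteHost"

# Zone assignments live under ZoneMap\Domains\<parent domain>\<host label>, one
# DWORD per URL scheme whose data is the zone id (1 = Local Intranet,
# 2 = Trusted Sites). On servers with IE Enhanced Security Configuration
# enabled, the same layout under ZoneMap\EscDomains applies instead.
$labels    = $SiteHost.Split('.')
$hostLabel = $labels[0]
$parent    = ($labels | Select-Object -Skip 1) -join '.'
foreach ($map in 'Domains', 'EscDomains') {
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$map\$parent\$hostLabel"
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Zone membership only tells IE to try Negotiate; the ticket must still exist.
# 'klist get' requests a service ticket for the SPN from the KDC. If this fails
# (missing or duplicate SPN, wrong canonical name, no line of sight to a DC),
# the browser falls back to NTLM, which is the password prompt seen in the test.
$lines  = @(& klist.exe get $Spn 2>&1 | ForEach-Object { [string]$_ })
$server = $lines | Select-String -SimpleMatch "Server: $Spn @" | Select-Object -First 1
if (-not $server) {
    throw "No Kerberos service ticket for $Spn; IE will fall back to NTLM.`n$($lines -join "`n")"
}
# klist prints the ticket's encryption type a couple of lines below its Server line
# (LineNumber is 1-based, so indexing $lines with it starts at the following line).
$last  = [Math]::Min($server.LineNumber + 2, $lines.Count - 1)
$etype = $lines[$server.LineNumber..$last] |
    Select-String 'KerbTicket Encryption Type:\s*(.+)' | Select-Object -First 1
"Service ticket for $Spn obtained" + $(if ($etype) { "; ticket encryption: $($etype.Matches[0].Groups[1].Value.Trim())" })
```

The registry write only affects the current user on this machine; for a fleet, set the same mapping through Group Policy ("Site to Zone Assignment List" under Internet Explorer's Internet Control Panel > Security Page), which populates the same ZoneMap keys under HKLM/policies. An encryption type of RC4 in the klist output, when you expected AES-256, usually means the AES account option was not set or the domain functional level does not allow it.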

...

For more details on configuring Zone settings, and configuring Chrome and Firefox on Windows, Mac, and Linux, see our Browser Configuration Guide.