Task summary
The final page of the wizard starts by displaying the configuration determined in the previous steps:
...
Step 1 of the task list describes how to create and/or configure the service account.
Depending on your AD permissions, you might need to hand this task over to your AD team.
The account svc-jirasso-issues needs to be created with "password never expires."
Info: Please note that you will need to dedicate the account svc-jirasso-issues to keytab export only, since running the ktpass command will invalidate the user's password. So always use another account for user directory synchronization. Also, never reuse the same AD user account for more than one domain or environment: create a new user account every time you need to run ktpass against a new domain.
Then, in the account options, we need to enable "This account supports Kerberos AES 256 bit encryption":
...
Step 2 shows you how to create a keytab file using ktpass. Again, this is a task you might have to delegate to your AD team.
Step 3: Finally, you may upload the keytab file you created. After the upload has finished, a login test will be performed.
Note that if you have multiple domains, you are offered the option to add keys to the existing keytab file.
...
A quick review of the syntax:

| Command / parameter | Description |
|---|---|
| `ktpass` | ktpass is pre-installed in Windows 2008 onward, located in `c:\Windows\System32`. |
| `/princ HTTP/issues.example.com@EXAMPLE.LOCAL` | `HTTP` is always used for web servers, also when using HTTPS. `issues.example.com` is the canonical DNS name of JIRA. `EXAMPLE.LOCAL` is the Kerberos realm name of the Active Directory domain. |
| `/mapuser svc-jirasso-issues@EXAMPLE.LOCAL` | Maps the `/princ` name above to the account svc-jirasso-issues. ktpass will add this attribute on the account: `servicePrincipalName: HTTP/issues.example.com` |
| `/crypto AES256-SHA1` | Specifies the encryption type used when generating keys in the keytab. Must match the encryption type enabled on the account ("This account supports Kerberos AES 256 bit encryption"). |
| `/ptype KRB5_NT_PRINCIPAL` | The general ptype, recommended by Microsoft. |
| `/out c:\issues.example.com` | Output location of the generated keytab file. |
Running the ktpass command will output a keytab file and register issues.example.com as an HTTP Kerberos service. Specifically, ktpass will:
- Add a servicePrincipalName attribute on the account with the value HTTP/issues.example.com.
- Set the userPrincipalName attribute to HTTP/issues.example.com.
- Ask the admin to provide a password and confirm it.
- Set that password on the account.
- Generate a keytab file with an AES-256 key for the principal HTTP/issues.example.com@EXAMPLE.LOCAL.
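Before uploading the file in step 3 it is worth checking that the keytab ktpass wrote really contains the principal and key type the wizard expects, since a wrong realm, a lower-case `http/` principal or an RC4-only key is the usual reason the login test fails. The script below is an added example, not part of the original page or of the product it documents. It parses the MIT keytab layout (version 0x0502, the format ktpass writes), assumes the standard enctype numbers (18 for the AES-256 key produced by `/crypto AES256-SHA1`, 23 for RC4) and name type 1 for `KRB5_NT_PRINCIPAL`, and builds a constructed sample keytab in memory so it runs offline; for the real file read the bytes of `c:\issues.example.com` instead.

```python
"""Inspect a keytab before uploading it to the wizard (added example).

Parses the MIT keytab format (version 0x0502, as written by ktpass) and checks
that the expected principal is present with an AES-256 key. The sample keytab
is constructed in memory; for the real file use
open(r"c:\issues.example.com", "rb").read().
"""
import struct

KRB5_NT_PRINCIPAL = 1            # name type written by /ptype KRB5_NT_PRINCIPAL
AES256_CTS_HMAC_SHA1_96 = 18     # enctype produced by /crypto AES256-SHA1
RC4_HMAC = 23                    # enctype produced by /crypto RC4-HMAC-NT


def _counted(data: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize (principal, enctype, kvno, key, timestamp) tuples as a v2 keytab.

    Used here only to construct test input; ktpass produces the real file."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")          # ["HTTP", "issues.example.com"]
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)       # optional 32-bit kvno after the key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return a list of dicts (principal, name_type, kvno, enctype, key_len)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 (0x0502) keytab")
    pos, entries = 2, []

    def counted(p):
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                          # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = counted(pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = counted(pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = counted(pos)
        kvno = vno8
        if end - pos >= 4:                    # 32-bit kvno present after the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "kvno": kvno,
            "enctype": enctype, "key_len": len(key),
        })
    return entries


def check_keytab(data: bytes, principal: str, enctype: int = AES256_CTS_HMAC_SHA1_96):
    """Return (ok, problems) for the principal the wizard expects to find."""
    problems = []
    entries = parse_keytab(data)
    matches = [e for e in entries if e["principal"] == principal]
    if not matches:
        # Principals are case-sensitive: HTTP/... and http/... are different names.
        found = ", ".join(sorted({e["principal"] for e in entries})) or "none"
        problems.append(f"principal {principal} not in keytab (found: {found})")
    elif not any(e["enctype"] == enctype for e in matches):
        types = sorted({e["enctype"] for e in matches})
        problems.append(f"no key with enctype {enctype} for {principal} (have {types})")
    return (not problems, problems)


# Constructed sample: the page's principal with a 32-byte AES-256 key, kvno 3.
SAMPLE_PRINCIPAL = "HTTP/issues.example.com@EXAMPLE.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, AES256_CTS_HMAC_SHA1_96, 3, bytes(range(32)), 1700000000),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(check_keytab(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL))
```

Run it against the real file by passing its bytes to `check_keytab` with the principal from your `/princ` parameter; a keytab that only carries enctype 23 means the account was not set up for AES-256 or `/crypto` was left at RC4, and a "not in keytab" result usually points at a realm or case mismatch in `/princ`.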
...
After uploading the keytab file, you will be redirected to the Kerberos Authentication Test page. If you are lucky, this test will succeed on your first try:
...
In many situations you will have to prepare the browser(s) used in your organization to allow the Kerberos ticket to be sent to your site (for example https://wiki.example.com). For more details on configuring zone settings, and on configuring Chrome and Firefox on Windows, Mac, and Linux, see our Browser Configuration Guide.