...

This guide shows how to set up password-less Integrated Windows Authentication (Kerberos) single sign-on for a Confluence instance available at https://wiki.example.com. The Windows users are logged into their computers with accounts from the Active Directory domain EXAMPLE.LOCAL.

...

Canonical host name

In our case wiki.example.com is the actual canonical name (A record), so we can use it directly. (If wiki.example.com were a DNS CNAME alias, say for server123.example.local, then the canonical name to use would be server123.example.local.)

...

You need to choose the name of the account that will be linked to the Kerberos keytab file. This account will later need to be created in your AD.

...

...

Encryption type

We strongly suggest you select the highest encryption type, AES 256, for better security. Only in a mixed environment with older AD servers might you need one of the weaker encryption types, but note that this leaves your system more exposed to attacks.

...

Command / parameter                          Description

ktpass                                       ktpass is pre-installed on Windows Server 2008 and later and is located in C:\Windows\System32.

/princ HTTP/wiki.example.com@EXAMPLE.LOCAL   HTTP is always used for web servers, also when the site is served over https.
                                             wiki.example.com is the canonical DNS name of the Confluence server.
                                             EXAMPLE.LOCAL is the Kerberos realm name of the Active Directory domain.

/mapuser svc-confluence-sso@EXAMPLE.LOCAL    Maps the /princ name above to the account svc-confluence-sso.
                                             ktpass will add this attribute to the account:
                                               servicePrincipalName: HTTP/wiki.example.com

/crypto AES256-SHA1                          Specifies the encryption type used when generating the keys in the keytab. Must match the encryption types supported by the account.

/ptype KRB5_NT_PRINCIPAL                     The general ptype, recommended by Microsoft.

/out c:\wiki.example.com                     Output location of the generated keytab file.

...

Running the ktpass command will output a keytab file and register wiki.example.com as an HTTP Kerberos service.
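The following PowerShell script is an added example, not part of the original guide, that performs the whole procedure above (canonical name check, SPN uniqueness check, AES 256 enforcement on the account, ktpass, verification) in one run. It assumes a domain-joined Windows Server with the RSAT ActiveDirectory module, a session permitted to modify the service account, and uses the guide's own host, realm and account names; the keytab file name and the pre-check logic are this example's assumptions.

```powershell
# Added example, not part of the original guide. Runs on a domain-joined Windows
# Server with the RSAT ActiveDirectory module, as an account allowed to modify the
# service account. Host, realm and account names are the guide's own values; the
# keytab file name and the pre-check logic are assumptions of this example.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$ServiceHost = 'wiki.example.com'        # canonical DNS name (A record) of the Confluence server
$Realm       = 'EXAMPLE.LOCAL'           # Kerberos realm = AD domain name, always upper case
$Account     = 'svc-confluence-sso'      # AD user that will own the HTTP SPN
$Spn         = "HTTP/$ServiceHost"       # HTTP even when the site is served over https
$KeytabPath  = "C:\$ServiceHost.keytab"  # assumed output location

# 1. The SPN must name the A record. If the host is a CNAME alias, the browser
#    requests a ticket for the alias target and the keytab would never match.
$cname = Resolve-DnsName -Name $ServiceHost -DnsOnly |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if ($cname) {
    throw "$ServiceHost is a CNAME for $($cname.NameHost); build the SPN from that canonical name instead."
}

# 2. A duplicate SPN anywhere in the forest breaks Kerberos for both owners,
#    so refuse to continue if another object already holds HTTP/wiki.example.com.
$spnQuery = & setspn.exe -Q $Spn 2>&1 | Out-String
if ($spnQuery -match 'Existing SPN found') {
    throw "$Spn is already registered:`n$spnQuery"
}

# 3. Restrict the account to AES256 so that /crypto AES256-SHA1 matches what the
#    KDC will issue; an account still allowing RC4 undermines the stronger keytab.
Set-ADUser -Identity $Account -KerberosEncryptionType AES256

# 4. Generate the keytab. ktpass maps the principal onto the account, writes the
#    servicePrincipalName attribute and RESETS the account password (+rndpass picks
#    a random one), so never run it against an account whose password is in use
#    elsewhere, and re-run it only when you intend to invalidate the old keytab.
& ktpass.exe /princ "$Spn@$Realm" /mapuser "$Account@$Realm" `
             /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL +rndpass /out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 5. Verify what actually landed on the account before copying the keytab to the server.
$user = Get-ADUser -Identity $Account -Properties servicePrincipalName, KerberosEncryptionType, userPrincipalName
if ($user.servicePrincipalName -notcontains $Spn) {
    throw "SPN $Spn was not registered on $Account"
}
"SPN:        $($user.servicePrincipalName -join ', ')"
"UPN:        $($user.userPrincipalName)"
"Encryption: $($user.KerberosEncryptionType)"
"Keytab:     $KeytabPath  (copy it to the Confluence server over an encrypted channel, then delete the local copy)"
```

The keytab contains the service account's long-term key, so treat the file like a password: each ktpass run rotates that key and invalidates any keytab already deployed, which is why the script checks the SPN and encryption settings before touching the account rather than after.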

...