...
It helps you collect some essential information about your environment.
It shows you how to create and/or configure an Active Directory account.
It shows you the ktpass command you will use to create a Kerberos keytab file, which our plugin needs to authenticate users.
Start page
In many cases, the wizard can suggest appropriate configuration values for you automatically.
If this is the case, you will be notified. You might want to jump straight to the task summary using the suggested values instead of going through each step.
...
For this guide, though, we will run through each step of the wizard.
Active Directory Connection
Connecting to your Active Directory lets the wizard inspect your AD, suggest values, and validate that your configuration is valid.
You can choose a pre-configured User Directory, or connect to an Active Directory server of your choice:
Canonical hostname
If issues.example.local is a DNS CNAME record, say for server123.example.local, then the canonical name is server123.example.local
Otherwise, if it's a DNS A record, then the canonical name is issues.example.com.
Usually, the wizard can determine this for you by looking it up in DNS on the server.
If that fails, the wizard will instruct you on how to determine this manually on the client-side.
...
Kerberos Realm name
The Kerberos Realm name looks something like EXAMPLE.LOCAL or ACCOUNTING.COMPANY.COM
It is your Active Directory Domain name in upper case, dot-separated format.
...
If the wizard can't look this up in AD, it will instruct you on how to determine this on your client.
Active Directory account
Kerberos services need to be mapped to an Active Directory account. We recommend you use a separate AD account to map each Kerberos service.
Unless your instance is already mapped, the wizard will suggest an account name such as svc-jirasso-issues.
...
Encryption types
The wizard will suggest the strongest encryption type supported by your environment.
Some factors which may limit your choice of encryption strength:
If your Domain Functional Level is Window 2003, then only RC-4 is supported.
AES-256 is only supported if the Java used for running your Atlassian product has the Unlimited Strength Policy Files installed
...
If your service is already mapped to account, then the strongest configured encryption type for that account is recommended.
In this case, the wizard has recommended AES-256:
...
Task summary
The final page of the wizard starts by displaying the configuration determined in the previous steps:
...
Step 1 of the task list describes how to create and/or configure the service account.
Depending on your AD permissions, you might need to hand this task over to your AD team.
The account svc-jirasso-issues needs to be created with "password never expires."
| Info |
|---|
Please note you will need to dedicate account svc-jirasso-issues to only keytab export since running the ktpass command will invalidate the user password. So always set up using another account for user directory synchronization. And also, never reuse the same user account in AD for more domains or environments. Always create a new user account every time you need to run ktpass when setting up against a new domain. |
Then, in the account options, we need to enable "This account supports Kerberos AES 256 bit encryption":
...
Step 2:
Shows you how to create a keytab file using ktpass. Again, this is a task you might have to delegate to your AD team.
Step 3:
Finally, you may upload the keytab file created. After the upload has finished, a login test will be performed.
Note that if you have multiple domains, then you are offered to add keys to the existing keytab file.
...
Command / parameter
...
Description
...
| Code Block |
|---|
ktpass |
...
ktpass is pre-installed in Windows 2008 onward. Located in c:\Windows\System32
...
| Code Block |
|---|
/princ HTTP/issues.example.com@EXAMPLE.LOCAL |
...
HTTP is always used for web servers, also when using https.
issues.example.com is the canonical DNS name of JIRA
EXAMPLE.LOCAL is the Kerberos realm name of the Active Directory Domain
...
| Code Block |
|---|
/mapuser svc-jirasso-issues@EXAMPLE.LOCAL |
...
Maps the /princ name above to the account svc-jirasso-issues.
ktpass will add this attribute on the account:
| Code Block |
|---|
servicePrincipalName: HTTP/issues.example.com |
...
| Code Block |
|---|
/crypto AES2568-SHA1 |
...
Specifies the encryption type used when generating keys in the keytab. Must match the account supported encryption type.
...
| Code Block |
|---|
/ptype KRB5_NT_PRINCIPAL |
...
The general ptype, recommended by Microsoft.
...
| Code Block |
|---|
/out c:\issues.example.com |
...
Output location of the generated keytab file
Running the ktpass command will output a keytab file and register issues.examples.com as an HTTP Kerberos service.
Specifically, ktpass will:
Add a
servicePrincipalNameattribute on the account with the valueHTTP/issues.example.com.Set the
userPrincipalNameattribute toHTTP/issues.example.com.Ask the admin to provide a password and confirm it.
Set that password on the account.
Generate a keytab file with an AES-256 key for the principal
HTTP/issues.example.com@EXAMPLE.LOCAL.
Note that ktpass must be running in a "run as administrator" cmd window by a user with Domain Admin permissions.
Browser configuration
After uploading the keytab file, you will be redirected to the Kerberos Authentication Test page.
If you're lucky, this test will succeed on your first try:
...
Internet Explorer
In our case, we got a failing test. Internet Explorer has not been configured to send Kerberos tickets to issues.example.com. It falls back to sending NTLM tickets instead (which is seen as a username and password popup)
...
We need to make sure issues.example.com is placed in the Local Intranet Security Zone since that is a requirement for Internet Explorer to send Kerberos tickets.
...
The zone settings are usually set enterprise-wide using Group Policies. Here's the GPO we used to place *.example.com and issues.example.com in the Local Intranet Zone (Zone 1):
...
Other browsers
...
| Child pages (Children Display) |
|---|