...
Usually, the wizard can determine this for you by looking it up in DNS on the server.
If that fails, the wizard will instruct you on how to determine this manually on the client-side.
...
Note that even if you access JIRA using the short name http://issues, the canonical name is always in the FQDN form. (It is never just issues, but issues.example.com)
...
If your service is already mapped to an account, then the strongest configured encryption type for that account is recommended.
...
Then, in the account options, we need to enable "This account supports Kerberos AES 256 bit encryption":
...
Step 2:
Shows you how to create a keytab file using ktpass. Again, this is a task you might have to delegate to your AD team.
...
A quick review of the syntax:
Command / parameter | Description | ||||
|---|---|---|---|---|---|
| ktpass is pre-installed in Windows 2008 onward. Located in c:\Windows\System32 | ||||
| HTTP is always used for web servers, also when using https. issues.example.com is the canonical DNS name of JIRA EXAMPLE.LOCAL is the Kerberos realm name of the Active Directory Domain | ||||
| Maps the /princ name above to the account svc-jirasso-issues. ktpass will add this attribute on the account:
| ||||
| Specifies the encryption type used when generating keys in the keytab. Must match the account supported encryption type. | ||||
| The general ptype, recommended by Microsoft. | ||||
| Output location of the generated keytab file |
Running the ktpass command will output a keytab file and register issues.examples.com as an HTTP Kerberos service.
...