Both Kerberos and API token auth can be limited to specific IP address ranges.
The screenshow below shows how IP restrictions can be configured. The default is for every client will receive a Kerberos challenge. In the screenshot, all clients except any IP starting with 172.* will receive a challenge.
It’s possible to use a blocked list or a unblocked list strategy, depending on what is most convenient for your environment. Both lists allow either prefix notation or regular expression syntax, which is enabled by starting with ^.
NB: For Kantega Single Sign-on to evaluate IP restrictions correctly when behind a reverse proxy, the IP address must be communicated to the Atlassian application. See the yellow notification box in the below screenshot, which tells you the IP currently “seen” by the application.
