How Kerberos works
When Kerberos is set up in the Kantega SSO Enterprise app, the app will, on the first visit from a browser, ask the browser whether a Kerberos ticket is available. If the browser is Kerberos-enabled and runs in a Kerberos-enabled environment (often, but not always, a Windows environment), the browser will ask the operating system for a Kerberos ticket for the given website. During this request, the website is identified to Active Directory or another KDC (Key Distribution Center) by the site's canonical name (the DNS A record). The KDC refers to this identity as the service principal name.
The KDC will then, in cooperation with the operating system, generate a valid Ticket-Granting Ticket (TGT) for the website and send this back to the browser. The browser will send the ticket to the website, and the Kantega Single sign-on add-on will pick up the ticket and verify its validity against the Keytab file. The Keytab file was extracted from the KDC earlier and installed in the Kantega Single sign-on add-on; it can be thought of as a certificate used to approve each Kerberos ticket signed by the KDC.
If the Keytab file is outdated, the Kerberos ticket will not match its signature, and the login will be aborted.
A characteristic of the Kerberos ticket is that its size grows as the user is given more roles/access groups in the KDC. It may reach 20-30 kilobytes or more. Because the Kerberos ticket is transferred in the HTTP headers of the web page request, the maximum header size of the web servers involved in serving the website must often be increased. This means increasing the header size of the Atlassian product's built-in Tomcat web server and of any reverse proxies in front of it, used, for instance, to terminate SSL. The Web Server Test under the Kerberos tab in the Kantega SSO Enterprise app will analyze whether the header size is set up correctly and, if necessary, give advice on how to increase it for some common web servers.
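The header-size constraint described above can be estimated offline. The following is an added example, not Kantega's Web Server Test and not code from the product: it builds a constructed request carrying a base64-encoded token of a given size and compares it with the stock header limits of Tomcat, nginx and Apache httpd. The host name, path, filler token and the `DEFAULT_LIMITS` table are assumptions; replace the limits with the values from your own configuration.

```python
import base64

# Stock limits in bytes (assumed defaults; check your own server.xml / nginx.conf / httpd.conf).
# "total" = cap on request line plus all headers, "line" = cap on a single header line.
DEFAULT_LIMITS = {
    "tomcat maxHttpHeaderSize": ("total", 8192),
    "nginx large_client_header_buffers": ("line", 8192),
    "apache LimitRequestFieldSize": ("line", 8190),
}

def build_request(ticket_len, host="jira.example.com"):
    """Constructed sample request; the token is filler bytes, not a real ticket."""
    token = base64.b64encode(b"\x60" * ticket_len).decode("ascii")
    lines = ["GET /secure/Dashboard.jspa HTTP/1.1", f"Host: {host}",
             f"Authorization: Negotiate {token}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def measure(raw):
    """Return (total header bytes, longest header line incl. CRLF, raw token bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    token_bytes = 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, b64 = value.strip().partition(b" ")
            if scheme.lower() == b"negotiate":
                # Base64 inflates the ticket by roughly one third on the wire.
                token_bytes = len(base64.b64decode(b64, validate=True))
    longest = max(len(l) + 2 for l in lines[1:])
    return len(head) + 4, longest, token_bytes

def check(raw, limits=DEFAULT_LIMITS):
    """Map each limit name to True if the request fits under it."""
    total, longest, _ = measure(raw)
    return {name: (total if scope == "total" else longest) <= cap
            for name, (scope, cap) in limits.items()}

if __name__ == "__main__":
    for size in (4000, 24000):  # small ticket vs. a user with many groups
        raw = build_request(size)
        print(size, measure(raw), check(raw))
```

Every hop between the browser and the application has to accept the request, so the smallest limit along the path is the one that decides whether the login works.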
Before you configure your environment for Kerberos, it might also be useful to know how browser users are authenticated using Kerberos: