Enable or disable Kerberos for specific clients

Kerberos auth can be limited to specific IP address ranges and/or User-Agents.

By default, every client receives a Kerberos authentication challenge (SPNEGO) if Kerberos is enabled in KSSO. If a given client does not support Kerberos or is not part of the domain, this can result in a bad user experience. How clients handle a Kerberos challenge depends on both the application and the platform. The most common case is Windows desktop browsers that are not joined to the AD domain, for example an employee working from home or an external consultant. When a Windows browser is unable to obtain a Kerberos ticket for any reason, it shows an NTLM fallback popup like the following:

To prevent this from happening, this browser must not receive a Kerberos challenge in the first place. This is where client restrictions come in.

The purpose of Kerberos client restriction is to improve user experience only. It is not a security measure.


Client IP restrictions

The screenshot below shows how https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/235601943 can be configured. The default is that every client will receive a Kerberos challenge. In the screenshot, all clients except any IP starting with 172.* will receive a challenge.


User Agent restrictions

You may also prevent Kerberos challenges for a given User-Agent. This is relevant if you have clients calling your Atlassian product that do not understand the Kerberos challenge Kantega Single Sign-on provides.

There is a built-in list of known User-Agents that are not Kerberos compatible. The functionality below lets you add your own User-Agent restrictions on top of this list.
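As an added illustration (not Kantega's own code), the following Python model shows the decision the two restriction lists above drive: whether an unauthenticated request gets a SPNEGO challenge at all. CIDR notation for the IP list, case-insensitive substring matching for User-Agents, and the contents of the built-in list are assumptions; the 172.* range from the screenshot is written as 172.0.0.0/8.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed stand-in for the plugin's built-in list of Kerberos-incompatible
# User-Agents; the real list is not reproduced on this page.
BUILTIN_NON_KERBEROS_AGENTS = ("curl/", "python-requests/")


class KerberosClientRestrictions:
    """Decides whether a client should receive a SPNEGO challenge.

    Both inputs are client-controlled (the User-Agent always, the IP too when a
    reverse proxy forwards it), so this is a user-experience switch, not an
    authorization control: a skipped client simply falls through to the other
    configured login methods.
    """

    def __init__(self, excluded_networks: Iterable[str] = (),
                 excluded_user_agents: Iterable[str] = ()):
        # Assumed CIDR notation; "172.*" from the screenshot is 172.0.0.0/8.
        # strict=False lets an admin write a host address such as 172.16.0.1/8.
        self.networks = [ipaddress.ip_network(n, strict=False) for n in excluded_networks]
        # Assumed case-insensitive substring matching; added entries extend the built-in list.
        self.agents = [a.lower() for a in (*BUILTIN_NON_KERBEROS_AGENTS, *excluded_user_agents)]

    def ip_is_excluded(self, client_ip: str) -> bool:
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # unparsable address: keep the default behaviour (challenge)
        return any(addr in net for net in self.networks)

    def agent_is_excluded(self, user_agent: Optional[str]) -> bool:
        if not user_agent:
            return False  # no header at all: default behaviour (challenge)
        ua = user_agent.lower()
        return any(pattern in ua for pattern in self.agents)

    def should_challenge(self, client_ip: str, user_agent: Optional[str]) -> bool:
        return not (self.ip_is_excluded(client_ip) or self.agent_is_excluded(user_agent))


def auth_headers(restrictions, client_ip, user_agent):
    """Response headers the SSO filter would add for an unauthenticated request."""
    if restrictions.should_challenge(client_ip, user_agent):
        return {"WWW-Authenticate": "Negotiate"}  # triggers SPNEGO in the browser
    return {}  # no challenge: the client lands on the ordinary login form
```

Note that a browser matched by either list never sees the challenge, so it can never end up in the NTLM fallback popup described above.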