Kerberos auth can be limited to specific IP address ranges and/or User-Agents.
By default, every client receives a Kerberos authentication challenge (SPNEGO) if Kerberos is enabled in KSSO. If a given client does not support Kerberos or is not part of the domain, this can result in a bad user experience. The way clients handle Kerberos challenges depends on both the application and the platform. The most common issue is a Windows desktop browser that is not part of the AD domain, for example one used by an employee working from home or by an external consultant. When a Windows browser is unable to obtain a Kerberos ticket for any reason, it shows an NTLM fallback popup.
To prevent this from happening, this browser must not receive a Kerberos challenge in the first place. This is where client restrictions come in.
The purpose of Kerberos client restriction is to improve user experience only. It is not a security measure.
You may also restrict Kerberos for a given User-Agent. This is relevant if some clients calling your Atlassian product do not understand the Kerberos challenge that Kantega Single Sign-on provides.
There is a built-in list of known User-Agents that are not Kerberos compatible. The functionality below lets you add your own User-Agent restrictions to this list.
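A model of the decision these restrictions make, as an added example that is not Kantega SSO's own code. The sample ranges, the User-Agent entries and the matching rules (CIDR notation, case-insensitive substring match) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample settings. The values and the matching rules (CIDR ranges,
# case-insensitive substring match) are assumptions, not KSSO's own.
ALLOWED_NETWORKS = ["10.0.0.0/8", "192.168.10.0/24", "2001:db8:10::/48"]
BLOCKED_UA_SUBSTRINGS = ["curl/", "Apache-HttpClient", "python-requests"]


def ip_in_ranges(client_ip, cidrs):
    """True if client_ip parses and falls inside any of the CIDR ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: treat as outside every range
    # A network of the other IP version never contains the address.
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def should_challenge(client_ip, user_agent,
                     allowed=ALLOWED_NETWORKS, blocked=BLOCKED_UA_SUBSTRINGS):
    """Decide whether a request is offered a Kerberos (SPNEGO) challenge."""
    if not ip_in_ranges(client_ip, allowed):
        return False  # e.g. home worker or consultant outside the office ranges
    ua = (user_agent or "").lower()
    # User-Agent is client-supplied, so this only shapes user experience.
    return not any(s.lower() in ua for s in blocked)


def challenge_headers(client_ip, user_agent):
    """Challenge header to send to an unauthenticated request, if any."""
    if should_challenge(client_ip, user_agent):
        return {"WWW-Authenticate": "Negotiate"}
    return {}  # no challenge, so the browser never shows the NTLM popup


if __name__ == "__main__":
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    for ip, ua in [("10.1.2.3", browser), ("203.0.113.7", browser),
                   ("10.1.2.3", "curl/8.4.0"), ("2001:db8:10::5", browser)]:
        print(ip, ua[:20], "->", challenge_headers(ip, ua) or "no challenge")
```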