Kerberos for REST

Kantega SSO Enterprise allows you to authenticate REST clients with Kerberos. The feature is disabled by default as it can interfere with existing integrations. Note that you can specify URL paths, IP ranges and user agents to keep Kerberos from triggering in unwanted situations.

The screenshot below shows you where to enable and configure Kerberos for REST, and the syntax for defining excluded URL paths.

See also how some user agents are excluded from getting Kerberos challenges.

 

Script examples

Windows PowerShell

Log into Windows as a domain user for the domain where Kerberos has been set up. Then verify that Kerberos works for this user by opening a browser and navigating to your Atlassian site (for example https://confluence.example.com/users/viewmyprofile.action). When Kerberos login works, you should be directly logged in and it should be possible to do scripted REST requests from PowerShell for this user. Also, remember to activate “Kerberos for REST” as described above.

Open a PowerShell window and use the example below to verify that Kerberos for REST works for you. Please change the URLs to match your Atlassian site.

```powershell
# Insert your Jira instance URL and ticket ID
$instanceUrl = "" # Example: "https://jira-dev.example.com"
$ticketId = "" # Example: "TEST-1"

# Login page URL
$loginUrl = "$instanceUrl/login.jsp"

# REST resource URL
$restResource = "$instanceUrl/rest/api/2/issue/$ticketId"

# User-Agent
$useragent = "Windows NT"

# Remove all existing kerberos tickets. This is done just to illustrate
# how the Invoke-WebRequest below requests a Kerberos ticket from AD
klist purge

# List all existing Kerberos tickets for this user. This should now be none.
klist

# Get a valid web session and print only the status code
$response = Invoke-WebRequest -UseDefaultCredentials -Uri $loginUrl -UserAgent $useragent -SessionVariable websession
Write-Output $response.StatusCode

# Invoke the REST request
Invoke-RestMethod -Method GET -Uri $restResource -UserAgent $useragent -WebSession $websession

# List all existing Kerberos tickets for this user which now should be
# typically two that were created if the Invoke-WebRequest worked
klist
```

Python

```python
import requests
from requests_kerberos import HTTPKerberosAuth, OPTIONAL


def test_kerberos_auth_with_python(base_url: str, issue_id: str):
    endpoint = f"{base_url}/rest/api/2/issue/{issue_id}"

    # Send the request. TLS certificate verification stays enabled (the
    # requests default); for an internal CA, pass verify="<path to CA bundle>".
    response = requests.get(endpoint, auth=HTTPKerberosAuth(mutual_authentication=OPTIONAL))

    # Print the response
    if response.status_code == 200:
        print(f"Success: {response.status_code}")
        print(f"Response: {response.content}")
    else:
        print(f"Failed: {response.status_code}")
        print(f"Response: {response.text}")


# Insert your Jira instance URL and issue ID
instance_url = ""  # Example: "https://jira-dev.example.com"
issue_id = ""  # Example: "TEST-1"

test_kerberos_auth_with_python(instance_url, issue_id)
```
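To check which URL paths and user agents still receive a Kerberos challenge after the exclusions described at the top of this page are configured, the following added example (not part of the original page or of Kantega's code) sends one request without credentials and reports whether the server answered 401 with a Negotiate challenge. The function names, result labels and the "Python-urllib" agent are assumptions of this example; the host, paths and "Windows NT" agent are the page's own sample values.

```python
import urllib.error
import urllib.request

def offered_schemes(header_values):
    """Return the auth schemes named in WWW-Authenticate values, lowercased."""
    schemes = []
    for value in header_values:
        parts, part, in_quotes, escaped = [], "", False, False
        for ch in value:  # split on commas that sit outside quoted strings
            if escaped:
                escaped = False
            elif ch == "\\" and in_quotes:
                escaped = True
            elif ch == '"':
                in_quotes = not in_quotes
            if ch == "," and not in_quotes:
                parts.append(part)
                part = ""
            else:
                part += ch
        parts.append(part)
        for p in parts:
            words = p.split()
            # A part starting with key=value belongs to the previous challenge.
            if words and "=" not in words[0]:
                schemes.append(words[0].lower())
    return schemes

def classify(status, header_values):
    """Label the server's answer to a request sent without credentials."""
    if status != 401:
        return "no-401"
    if "negotiate" in offered_schemes(header_values):
        return "negotiate-challenge"
    return "401-without-negotiate"

def probe(url, user_agent):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify(resp.status, resp.headers.get_all("WWW-Authenticate") or [])
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get_all("WWW-Authenticate") or [])

if __name__ == "__main__":
    base = "https://jira-dev.example.com"  # the page's example host
    for path in ("/login.jsp", "/rest/api/2/issue/TEST-1"):
        for agent in ("Windows NT", "Python-urllib"):  # second agent is constructed
            print(path, agent, probe(base + path, agent))
```

Because the request carries no credentials, no Kerberos ticket is requested or sent; only the server's challenge is inspected.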

C#

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
using RestSharp;

class Program
{
    static void getJiraTicket(string instanceUrl, string ticketId)
    {
        var handler = new HttpClientHandler
        {
            // Uncomment the line below if the Jira instance is using a self-signed certificate.
            // Note that the callback then accepts any server certificate.
            // ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true,
            UseDefaultCredentials = true
        };

        var options = new RestClientOptions(instanceUrl + "/rest/api/")
        {
            ConfigureMessageHandler = _ => handler,
            Credentials = CredentialCache.DefaultCredentials
        };

        RestClient Client = new RestClient(options);
        var request = new RestRequest("2/issue/" + ticketId);
        var response = Client.Execute(request);

        if (response.StatusCode != HttpStatusCode.OK)
        {
            Console.WriteLine("Error: " + response.StatusCode);
            Console.WriteLine("ErrorException: " + response.ErrorException);
            return;
        }
        else
        {
            Console.WriteLine("Success: " + response.StatusCode);
            Console.WriteLine("Content: " + response.Content);
        }
    }

    static void Main(string[] args)
    {
        // Replace the values below with your Jira instance URL and ticket ID
        string instanceUrl = ""; // Example: "https://jira-dev.example.com"
        string ticketId = ""; // Example: "TEST-1"

        getJiraTicket(instanceUrl, ticketId);
    }
}
```