...

Tip: Fallback to SAML

Mobile devices and computers not configured for Kerberos Single Sign-on can be offered SAML SSO instead.


This wizard helps you in the following ways:

...

Unless your instance is already mapped to a service account, the wizard will suggest an account name such as svc-jirasso-issues.

Encryption types

The wizard will suggest the strongest encryption type supported by your environment.

...

The final page of the wizard starts by displaying the configuration determined in the previous steps:

[Image: the final wizard page, listing the configuration determined in the previous steps]




Step 1 of the task list describes how to create and / or configure the service account.

Depending on your AD permissions, you might need to hand this task over to your AD team.

The account svc-jirasso-issues needs to be created with "password never expires".

Then, in the account options, enable "This account supports Kerberos AES 256 bit encryption":




Step 2 shows you how to create a keytab file using ktpass. Again, this is a task you might have to delegate to your AD team.

...

Note that if you have multiple domains, you are offered the option of adding keys to the existing keytab file instead of creating a new one.



A quick review of the syntax:

Command / parameter: Description

ktpass
    ktpass is pre-installed in Windows 2008 onward, located in c:\Windows\System32.

/princ HTTP/issues.example.com@EXAMPLE.LOCAL
    HTTP is always used for web servers, also when using https.
    issues.example.com is the canonical DNS name of JIRA.
    EXAMPLE.LOCAL is the Kerberos realm name of the Active Directory domain.

/mapuser svc-jirasso-issues@EXAMPLE.LOCAL
    Maps the /princ name above to the account svc-jirasso-issues.
    ktpass will add this attribute on the account:
    servicePrincipalName: HTTP/issues.example.com

/crypto AES256-SHA1
    Specifies the encryption type used when generating keys in the keytab. It must match the encryption types the account is configured to support.

/ptype KRB5_NT_PRINCIPAL
    The general ptype, recommended by Microsoft.

/out c:\issues.example.com
    Output location of the generated keytab file.
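A quick way to confirm that the keytab ktpass produced actually carries the principal and encryption type chosen in the wizard (and, for the multi-domain case above, that each realm's key is present) is to read the file back. The following Python script is an added example and is not part of the wizard or the original page: it parses the MIT version-2 keytab layout that ktpass writes and compares each entry against the expected /princ and /crypto values. The build_keytab helper only constructs a sample keytab in memory so the check can run offline; the principal, key bytes and kvno in it are made-up sample values.

```python
"""Read a version-2 (0x0502) keytab and check it against the wizard's /princ and /crypto settings."""
import struct
from dataclasses import dataclass
from typing import List

# Kerberos enctype numbers (RFC 3961 / RFC 3962) mapped to the names ktpass uses for /crypto
ENCTYPES = {17: "AES128-SHA1", 18: "AES256-SHA1", 23: "RC4-HMAC-NT"}
KRB5_NT_PRINCIPAL = 1  # the /ptype value recommended in the table above


@dataclass
class KeytabEntry:
    principal: str  # e.g. HTTP/issues.example.com@EXAMPLE.LOCAL
    name_type: int
    kvno: int
    enctype: int


def _counted(buf: bytes, off: int):
    """Decode a counted_octet_string: 16-bit big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk every entry in a v2 keytab; key material is skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted slot of that length
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen  # step over the key itself
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno extension at the end of the entry
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, kvno, enctype))
    return entries


def check_keytab(entries: List[KeytabEntry], expected_principal: str, expected_crypto: str) -> List[str]:
    """Return a list of findings; an empty list means the keytab matches the wizard settings."""
    findings = []
    matching = [e for e in entries if e.principal == expected_principal]
    if not matching:
        findings.append(f"no key for {expected_principal}; check /princ and the realm spelling (it is case sensitive)")
    for e in matching:
        name = ENCTYPES.get(e.enctype, "unknown")
        if name != expected_crypto:
            findings.append(f"{e.principal}: enctype {e.enctype} ({name}) does not match /crypto {expected_crypto}")
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append(f"{e.principal}: name type {e.name_type}, expected KRB5_NT_PRINCIPAL ({KRB5_NT_PRINCIPAL})")
    return findings


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 3) -> bytes:
    """Constructed sample only: assemble one v2 keytab entry so the parser can be exercised offline."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


if __name__ == "__main__":
    import sys
    # Usage: python check_keytab.py c:\issues.example.com HTTP/issues.example.com@EXAMPLE.LOCAL AES256-SHA1
    path, principal, crypto = sys.argv[1:4]
    with open(path, "rb") as f:
        problems = check_keytab(parse_keytab(f.read()), principal, crypto)
    print("\n".join(problems) if problems else "keytab matches the expected principal and encryption type")
```

Only the principal, name type, kvno and enctype are surfaced; the key bytes stay in the file. Running the check against the real keytab before copying it to the JIRA server catches the two most common mismatches, a realm typed in the wrong case and a keytab generated with a /crypto value the account does not support.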

...

In our case, we got a failing test. Internet Explorer has not been configured to send Kerberos tickets to issues.example.com, so it falls back to NTLM authentication instead (which shows up as a username and password popup).



We need to make sure issues.example.com is placed in the Local Intranet Security Zone, since that is a requirement for Internet Explorer to send Kerberos tickets.

...