Mobile devices and computers not configured for Kerberos Single Sign-on can be offered SAML SSO instead.
This wizard helps you in the following ways:
Unless your instance is already mapped, the wizard suggests an account name such as svc-jirajirasso-ssoissues.
The wizard will suggest the strongest encryption type supported by your environment.
The final page of the wizard starts by displaying the configuration determined in the previous steps:
Step 1 of the task list describes how to create and/or configure the service account.
Depending on your AD permissions, you might need to hand this task over to your AD team.
The account svc-jirajirasso-ssoissues needs to be created with the "Password never expires" option set.
Then, in the account options, we need to enable "This account supports Kerberos AES 256 bit encryption":
The task list then shows you how to create a keytab file using ktpass. Again, this is a task you might have to delegate to your AD team.
Note that if you have multiple domains, the wizard offers to add the new keys to the existing keytab file.
A quick review of the syntax:
|Command / parameter||Description|
|ktpass|ktpass is pre-installed in Windows 2008 onward. Located in c:\Windows\System32.|
|/princ|HTTP is always used for web servers, also when using https. issues.example.com is the canonical DNS name of JIRA. EXAMPLE.LOCAL is the Kerberos realm name of the Active Directory domain.|
|/mapuser|Maps the /princ name above to the account svc-jirajirasso-ssoissues. ktpass will add this attribute on the account:|
|/crypto|Specifies the encryption type used when generating keys in the keytab. Must match the account's supported encryption type.|
|/ptype|The general ptype, recommended by Microsoft.|
|/out|Output location of the generated keytab file.|
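The generated keytab can be checked before it is handed to the wizard. The following is an added example, not part of the original page or of the wizard: it parses the MIT keytab layout (version 0x0502) and confirms the file holds an AES-256 key for HTTP/issues.example.com@EXAMPLE.LOCAL. The function names and the sample keytab builder are constructed for illustration.

```python
import struct

AES256 = 18  # enctype number of aes256-cts-hmac-sha1-96

def counted(blob, p):
    """Read a uint16-length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", blob, p)
    return blob[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(blob):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        p, names = pos + 2, []
        for _ in range(ncomp + 1):     # realm first, then the name components
            name, p = counted(blob, p)
            names.append(name)
        p += 8                         # skip name_type and timestamp
        kvno, etype, klen = struct.unpack_from(">BHH", blob, p)
        p += 5 + klen                  # skip the key bytes themselves
        if pos + size - p >= 4:        # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, p)
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
        pos += size
    return entries

def check_keytab(blob, principal, etype=AES256):
    """Return [] if the keytab holds an `etype` key for `principal`."""
    found = sorted({e[2] for e in parse_keytab(blob) if e[0] == principal})
    msg = "%s: need enctype %d, keytab has %s" % (principal, etype, found or "no key")
    return [] if etype in found else [msg]

def sample_keytab(principal, kvno, etype, key):
    """Build a one-entry keytab (constructed test data, not a real key)."""
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", name.count("/") + 1) + cs(realm)
    body += b"".join(map(cs, name.split("/")))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Call check_keytab on the bytes of the generated file; an empty list means the principal and encryption type in the keytab agree with what the account was configured for.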
In our case, we got a failing test. Internet Explorer has not been configured to send Kerberos tickets to issues.example.com. It falls back to NTLM instead, which the user sees as a username and password popup.
We need to make sure issues.example.com is placed in the Local Intranet Security Zone, since that is a requirement for Internet Explorer to send Kerberos tickets.