Fallback to SAML

Mobile devices and computers not configured for Kerberos Single Sign-on can be offered SAML SSO instead.

This wizard helps you in the following ways:


Unless your instance is already mapped, the wizard will suggest an account name such as svc-jirasso-issues.

Encryption types

The wizard will suggest the strongest encryption type supported by your environment.


The final page of the wizard starts by displaying the configuration determined in the previous steps:

Step 1 of the task list describes how to create and/or configure the service account.

Depending on your AD permissions, you might need to hand this task over to your AD team.

The account svc-jirasso-issues needs to be created with "password never expires".

Then, in the account options, we need to enable "This account supports Kerberos AES 256 bit encryption":

Step 2 shows you how to create a keytab file using ktpass. Again, this is a task you might have to delegate to your AD team.


Note that if you have multiple domains, you are offered the option to add keys to the existing keytab file.

A quick review of the syntax:

| Command / parameter | Description |
| --- | --- |
| ktpass | ktpass is pre-installed in Windows 2008 onward. Located in c:\Windows\System32 |
| /princ HTTP/ | HTTP is always used for web servers, also when using https. is the canonical DNS name of JIRA. EXAMPLE.LOCAL is the Kerberos realm name of the Active Directory Domain |
| /mapuser svc-jirasso-issues@EXAMPLE.LOCAL | Maps the /princ name above to the account svc-jirasso-issues. ktpass will add this attribute on the account: servicePrincipalName: HTTP/ |
| /crypto AES256-SHA1 | Specifies the encryption type used when generating keys in the keytab. Must match the account supported encryption type. |
| /ptype | The general ptype, recommended by Microsoft. |
| /out c:\ | Output location of the generated keytab file |


In our case, we got a failing test. Internet Explorer has not been configured to send Kerberos tickets to It falls back to sending NTLM tickets instead (which is seen as a username and password popup).

We need to make sure is placed in the Local Intranet Security Zone, since that is a requirement for Internet Explorer to send Kerberos tickets.