Setup guide for Integrating Kerberos Authentication for Confluence

Kerberos Authentication / Integrated Windows Authentication (IWA) gives the end-user access to Confluence without entering user name or password. Kerberos requires client machines to have access to a Key Distribution Center (KDC), which in the Windows world generally means Active Directory. For security reasons, AD is generally not reachable outside the local network/corporate intranet, making Kerberos mainly applicable within a company.

Setup Kerberos Authentication using miniOrange Kerberos Single Sign On/SSO Confluence add on:

Step 1: Create a Service Account

  1. Login to your AD Domain Controller with an administrator account details.
  2. Create a new user account and enable Password never expires option.


Step 2: Generate a Keytab file using ktpass

  1. You will need to run ktpass command in order to generate Keytab file, ktpass command is simply formed by filling up required options in the Generate Keytab section.
  2. Open a run administrator command window.
  3. Execute ktpass command.


Parameters needed to generate ktpass command.

  • Domain Name: Your LDAP server Domain is your domain name, in dot-separated uppercase format. You can easily identify your Domain name by running echo %USERDNSDOMAIN% on your client machine terminal.
  • Domain Controller Hostname/IP Address: Enter Hostname/IP Address of your Domain Controller (DC) machine. You can use nslookup <domain_name> to get an IP address from your Host Name.
  • Service Principal Name: Service Principal Name would be your Confluence Server Domain name. This must be unique on your Domain Controller.
  • Username: Enter the username of the newly created user. It should be in one of the following formats:
    1. domain\user example:- MINIORANGE\demouser
    2. Full User name with @
  • Password: Enter the password of the newly created user.
  • File Name: Keytab file name. If not set then takes a file name as Kerberos by default.
  • File Location: File Location where you want to save the Keytab file. It should end with “/” OR “\” based on System (Windows, Linux etc).
  • Confluence Server Location: Path name of your Confluence home directory. Specify the base path only.e.g. c:\apache-tomcat or /home/apache-tomcat


Step 3: Configure Tomcat

  1. Copy .keytab file created on AD Domain Controller (DC) and deploy it on “confluence_home/conf/” directory.
  2. Download the krb5.ini configuration file provided in the plugin and paste it to the “confluence_home/bin/” directory.
  3. Download the JAAS.conf file configuration file provided in the plugin and paste it to the “confluence_home/bin/” directory.
  4. Edit the web.xml file present in the “confluence_home/conf/” directory and include SPNEGO Filter provided in the plugin.


Step 4: Enable Kerberos Authentication

Select Enable Kerberos Authentication and click on Save.