Kerberos authentication, also called Integrated Windows Authentication (IWA), gives end users access to Confluence without typing a user name or password: the browser presents a Kerberos ticket obtained from the user's Windows logon. Kerberos requires client machines to reach a Key Distribution Center (KDC), which in a Windows environment means Active Directory (AD). For security reasons AD is usually not reachable from outside the local network or corporate intranet, so Kerberos is mainly applicable to users inside a company.
Set up Kerberos authentication using the miniOrange Kerberos Single Sign On/SSO Confluence add-on:
Step 1: Create a Service Account
- Log in to your AD Domain Controller with an administrator account.
- Create a new user account dedicated to this service and enable the Password never expires option (the keytab key is derived from this password, so any later password change invalidates the keytab until it is regenerated).
Step 2: Generate a Keytab file using ktpass
- Run the ktpass command to generate the keytab file; the command is formed by filling in the required options listed under Generate Keytab in the add-on.
- Open a command window as administrator.
- Execute the ktpass command.
Parameters needed to build the ktpass command:
Domain Name: Your domain name in dot-separated uppercase format (this is the Kerberos realm). You can identify it by running echo %USERDNSDOMAIN% on a domain-joined client.
Domain Controller Hostname/IP Address: Enter the host name or IP address of your Domain Controller (DC). You can use nslookup <domain_name> to resolve the host name to an IP address.
Service Principal Name: The Service Principal Name (SPN) identifies the Confluence service to the KDC and is built from your Confluence server's fully qualified domain name in the form HTTP/<confluence-fqdn>. It must be unique in the domain: if the same SPN is registered on more than one account, Kerberos authentication to Confluence fails.
Username: Enter the user name of the newly created account, in one of the following formats:
1. domain\user, for example MINIORANGE\demouser
2. User principal name with @ (user@domain)
Password: Enter the password of the newly created user.
File Name: Name of the keytab file. If not set, it defaults to Kerberos.
File Location: Directory in which to save the keytab file. It must end with “/” or “\” depending on the operating system (Windows, Linux, etc.).
Confluence Server Location: Path of your Confluence installation directory (the one containing bin/ and conf/). Specify the base path only, e.g. c:\apache-tomcat or /home/apache-tomcat.
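Steps 1 and 2 as one PowerShell script run on the Domain Controller. This is an added example, not code shipped with the miniOrange add-on; the realm MINIORANGE.COM, the Confluence host name confluence.miniorange.com and the keytab path are assumed values to replace with your own (the NetBIOS domain MINIORANGE and the account demouser are the page's own examples).

```powershell
# Added example, not part of the miniOrange documentation: Steps 1 and 2 run as a
# PowerShell script on the Domain Controller. Assumed values (replace with your own):
# realm MINIORANGE.COM, NetBIOS domain MINIORANGE, service account demouser,
# Confluence host confluence.miniorange.com, keytab written to C:\keytabs\Kerberos.keytab.
Import-Module ActiveDirectory

$Realm          = 'MINIORANGE.COM'             # Domain Name: dot-separated, uppercase
$NetBios        = 'MINIORANGE'
$SvcUser        = 'demouser'                   # Username (domain\user form below)
$ConfluenceFqdn = 'confluence.miniorange.com'  # host part of the Service Principal Name
$Spn            = "HTTP/$ConfluenceFqdn"
$KeytabPath     = 'C:\keytabs\Kerberos.keytab' # File Location + File Name

# Step 1: a dedicated service account. Password never expires because the keytab key is
# derived from the password; AccountNotDelegated keeps it out of delegation chains;
# AES256 so that ktpass can emit an AES key instead of RC4.
$Password = Read-Host -AsSecureString -Prompt "Initial password for $SvcUser"
New-ADUser -Name $SvcUser -SamAccountName $SvcUser `
    -UserPrincipalName "$SvcUser@$($Realm.ToLower())" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -AccountNotDelegated $true -KerberosEncryptionType AES256

# Refuse to continue if the SPN already exists on another account: duplicate SPNs
# break Kerberos for that service.
$Existing = @(setspn -Q $Spn) -match '^\s*HTTP/'
if ($Existing) { throw "SPN $Spn is already registered: $Existing" }

# Step 2: ktpass maps the SPN to the account and writes the keytab. '/pass *' prompts
# for the password instead of leaving it in the shell history; ktpass sets the account
# password to the value entered and derives the keytab key from it.
New-Item -ItemType Directory -Force -Path (Split-Path $KeytabPath) | Out-Null
ktpass /princ "$Spn@$Realm" /mapuser "$NetBios\$SvcUser" /pass * `
    /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# Check the mapping: the HTTP SPN must now appear on the service account.
setspn -L $SvcUser
```

Two things to expect: by default ktpass also rewrites the account's user principal name to the SPN, which is normal for a Kerberos service account, and whatever /crypto value you choose must also be permitted by the krb5.ini the add-on provides, otherwise the SPNEGO filter cannot decrypt tickets issued with that key. Delete the keytab from the DC once it has been copied to the Confluence server.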
Step 3: Configure Tomcat
- Copy the .keytab file generated on the AD Domain Controller (DC) to the “confluence_home/conf/” directory. Transfer it over an authenticated, encrypted channel and restrict its file permissions so that only the account running Confluence (and administrators) can read it: the keytab contains the service account's long-term key, and anyone who can read it can impersonate the Confluence service and decrypt its tickets.
- Download the krb5.ini configuration file provided in the plugin and place it in the “confluence_home/bin/” directory.
- Download the JAAS.conf configuration file provided in the plugin and place it in the “confluence_home/bin/” directory.
- Edit the web.xml file in the “confluence_home/conf/” directory and include the SPNEGO filter provided in the plugin.
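Deploying the keytab on a Windows Confluence server with its permissions locked down, as an added example (not part of the miniOrange add-on or its documentation). It assumes Confluence is installed at C:\apache-tomcat (the page's own example path), runs as a hypothetical local account svc-confluence, and that the keytab was staged at C:\staging\Kerberos.keytab after being copied from the DC over an authenticated channel such as an administrative share; the klist check assumes a JDK klist.exe under the bundled jre\bin and is skipped if none is present.

```powershell
# Added example, not part of the miniOrange documentation: deploys the keytab on a
# Windows Confluence server and locks down its permissions. Assumed values: Confluence
# installed at C:\apache-tomcat (the page's example path), running as the hypothetical
# local account svc-confluence, keytab staged at C:\staging\Kerberos.keytab after being
# copied from the DC over an authenticated channel such as an admin share.
$InstallDir     = 'C:\apache-tomcat'
$ServiceAccount = 'svc-confluence'          # the Windows account the Confluence service runs as
$Staged         = 'C:\staging\Kerberos.keytab'
$Keytab         = Join-Path $InstallDir 'conf\Kerberos.keytab'

Move-Item -Path $Staged -Destination $Keytab -Force

# A keytab is the service account's long-term key. Drop the inherited ACL (which usually
# grants all local Users read access) and grant read to the service identity only, plus
# full control to administrators so the file can be rotated.
icacls $Keytab /inheritance:r /grant:r "BUILTIN\Administrators:(F)" "${ServiceAccount}:(R)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Check 1: no identity other than the two above may appear in the ACL.
$Allowed    = "Administrators$|$([regex]::Escape($ServiceAccount))$"
$Unexpected = (Get-Acl $Keytab).Access | Where-Object { $_.IdentityReference -notmatch $Allowed }
if ($Unexpected) { throw "Unexpected ACL entries on keytab: $($Unexpected.IdentityReference)" }

# Check 2 (assumes a JDK klist.exe under the bundled jre\bin; skipped if absent): the
# keytab principal must read HTTP/<confluence-fqdn>@REALM, which is what the SPNEGO
# filter will look for when it decrypts the browser's ticket.
$Klist = Join-Path $InstallDir 'jre\bin\klist.exe'
if (Test-Path $Klist) { & $Klist -k -t $Keytab }
```

On a Linux Confluence server the equivalent is to chown the file to the user running Confluence and chmod it to 600; the same two checks apply (list the file's mode and owner, and read the principal back with klist -k -t).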
Step 4: Enable Kerberos Authentication
Select Enable Kerberos Authentication and click Save.