Setup guide for Integrating Kerberos Authentication for Jira

Kerberos Authentication / Integrated Windows Authentication (IWA) gives the end-user access to Jira without entering username or password. Kerberos requires client machines to have access to a Key Distribution Center (KDC), which in the Windows world generally means Active Directory. For security reasons, AD is generally not reachable outside the local network/corporate intranet, making Kerberos mainly applicable within a company.

Setup Kerberos Authentication using miniOrange add on:

Step 1: Create a Service Account

  1. Login to your AD Domain Controller with an administrator account details.
  2. Create a new user account and enable Password never expires option.

add-service-user-account

Step 2: Choose Active Directory

  • In order to allow signing into Jira from your windows account, your Jira instance needs you have at least one Active Directory configured.
  • Active Directories can be added as User Directories in Jira.
  • To add an active directory as a user directory, go to User Management > User Directories > Add Directory.
  • You will need the Hostname or Host address, the Service Account name and Service Account password of your Active Directory.

Once you have verified that the Active Directory has been successfully added, go back to the application. You will see a table with a list of all the configured Active Directories. Use the following steps to generate your keytab file :

  1. Select the Active directory that you wish to use, and then click on Use Selected Directory.
  2. A Keytab Configuration section will be displayed. Enter your Key Distribution Center hostname or IP address in the field provided.
  3. Enter the filename for your keytab file.
  4. Enter the location to which you want to save the keytab file.
  5. Enter the location of your tomcat installation. The location should be the root folder containing the bin and conf folders.
  6. Click on Save.

Step 3: Generate a Keytab file using ktpass

  1. You will need to run ktpass command in order to generate Keytab file, ktpass command is simply formed by filling up required options in the Generate Keytab section.
  2. Open a run administrator command window.
  3. Execute ktpass command.

        

Step 4: Configure Tomcat

  1. Copy .keytab file created on AD Domain Controller (DC) and deploy it on “jira_home/conf/” directory.
  2. Download the krb5.ini configuration file provided in the plugin and paste it to the “jira_home/bin/” directory.
  3. Download the JAAS.conf file configuration file provided in the plugin and paste it to the “jira_home/bin/” directory.
  4. Edit the web.xml file present in the “jira_home/conf/” directory and include SPNEGO Filter provided in the plugin.

Step 5: Enable Kerberos Authentication

Select Enable Kerberos Authentication and click on Save.

Setup NTLM Authentication using miniOrange add on:

Step 1: Computer Account Creation

  • Log in on the Domain Controller (DC) with the Administrator user.
  • Create a new computer account.

  • Change password of computer account using this command. The computer account name ends with $

 

Step 2: AD Configuration

Use the following steps to configure AD.

  1. Domain Name (preWindows 2000)): Enter your AD domain name is your NetBios or PreWindows 2000 Name. Please find steps to get NetBiosName here
  2. Domain Controller Host Name/IP Address: Enter your Hostname or IP address of the domain controller machine. Use nslookup <domain_name> to get IP address from your Host Name.
  3. Simple (non-FQDN) Host Name: This is your machine hostname. Run the command hostname on your DC machine to find the simple hostname, e.g. EC2AMAZ-0I8J83M
  4. Computer Account for Connection (Created in Step 1): Computer Account Name should be entered in this format: accountName$@domain.com
  5. Computer Account Password: Enter the password for the above Computer Account
  6. Server Location: Enter the installation directory of your instance. Specify only the base path of the directory. e.g. C:\Atlassian\ or /home/Atlassian/
  7. Click on Save.

 

Step 3: Download Libraries

  • Edit the web.xml file present in “/conf/” directory and include the NTLM filter provided in the plugin.
  •  Click here to download
  • Restart your server to apply the above changes.

 

Step 4: Enable NTLM Authentication

Select Enable NTML Authentication and click on Save.