Kerberos/NTML Authentication SSO into Jira

Step 1.1: Create a Service Account:

• Login to your AD Domain Controller with an administrator account details.
• Create a new user account and enable Password never expires option.

Step 1.2: Choose Active Directory:

• In order to allow signing into Jira from your windows account, your Jira instance needs you have at least one Active Directory configured.
• Active Directories can be added as User Directories in Jira.
• To add an active directory as a user directory, go to User Management > User Directories > Add Directory.
• You will need the Hostname or Host address, the Service Account name and Service Account password of your Active Directory.
• Once you have verified that the Active Directory has been successfully added, go back to the application. You will see a table with a list of all the configured Active Directories. Use the following steps to generate your keytab file :
• Select the Active directory that you wish to use, and then click on Use Selected Directory.

• A Keytab Configuration section will be displayed. Enter your Key Distribution Center hostname or IP address in the field provided.
• Enter the filename for your keytab file.
• Enter the location to which you want to save the keytab file.
• Enter the location of your tomcat installation. The location should be the root folder containing the bin and conf folders.
• Click on Save.

Step 1.3: Generate a Keytab file using ktpass:

• You will need to run ktpass command in order to generate Keytab file, ktpass command is simply formed by filling up required options in the Generate Keytab section..
• Open a run administrator command window.
• Execute ktpass command.

• Note:

  In-case you are hosting your Active Directory in a Linux environment, you will need the ktutil tool in-order to generate the keytab. Once you have installed all the necessary packages for this tool, you can use the command given below to generate the keytab. Replace the placeholders in angular brackets with your AD details(without the angular brackets).

• Request: ktutil
addent -password -p @ -k 1 -e RC4-HMAC
- -
wkt .keytab
q

Step 1.4: Configure Tomcat:

• Copy .keytab file created on AD Domain Controller (DC) and deploy it on “jira_home/conf/” directory.
• Download the krb5.ini configuration file provided in the plugin and paste it to the “jira_home/bin/” directory.
• Download the JAAS.conf file configuration file provided in the plugin and paste it to the “jira_home/bin/” directory.
• Edit the web.xml file present in the “jira_home/conf/” directory and include SPNEGO Filter provided in the plugin.
• Download spnego.jar file of SPNEGO Filter and paste it in “jira_home/lib/” directory.

Step 1.5: Enable Kerberos Authentication:

• Select Enable Kerberos Authentication and click on Save.

Step 2.1: Computer Account Creation:

• Log in on the Domain Controller (DC) with the Administrator user.
• Create a new computer account.

• Change password of computer account using this command. The computer account name ends with $.

Step 2.2: AD Configuration:

Use the following steps to configure AD.

• Domain Name (preWindows 2000)): Enter your AD domain name is your NetBios or PreWindows 2000 Name. Please find steps to get NetBiosName here.
• Domain Controller Host Name/IP Address: Enter your Hostname or IP address of the domain controller machine. Use nslookup to get IP address from your Host Name.
• Simple (non-FQDN) Host Name: This is your machine hostname. Run the command hostname on your DC machine to find the simple hostname, e.g. EC2AMAZ-0I8J83M
• Computer Account for Connection (Created in Step 1): Computer Account Name should be entered in this format: accountName$@domain.com
• Computer Account Password: Enter the password for the above Computer Account.
• Server Location: Enter the installation directory of your instance. Specify only the base path of the directory. e.g. C:\Atlassian\ or /home/Atlassian/
• Click on Save.

Step 2.3: Download Libraries:

• Edit the web.xml file present in “/conf/” directory and include the NTLM filter provided in the plugin.

• Download libraries.zip file, extract jar files and paste them in “/lib/” directory. Click here to download.
• Restart your server to apply the above changes.

Step 2.4: Enable NTLM Authentication:

• Select Enable NTML Authentication and click on Save.