Not mean to beat up a dead horse but any though on having Crowd authenticates with Kerberos w/o having to buy additional plugin?

Correct.

That's actually one of the steps detailed in IWAAC's online documentation https://www.cleito.com/products/iwaac/documentation/

Just a heads-up – you'll need to configure firefox to allow gssapi.
In the address bar: about:config
I'll be careful...
search for "negotiate"
network.negotiate-auth.trusted-uris: domain.com

-Paul

Hi Ian,

IWAAC should already work with RHEL clients in your environment. Technically speaking, any Linux client should work as long as it belongs to the Active Directory domain. Many of our clients have successfully deployed it mixed environments (Windows, Mac OS X, Linux). The reason we do not officially support Linux clients is that would mean too many Linux distributions to test.

In the case of RHEL clients, if you used realmd for Active Directory integration (please check https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/index.html for a full list of available options for AD integration), the Kerberos configuration on the desktop should already be just fine and you should be able to automatically log onto your IWAAC enabled applications with Firefox.

Since you can download and test IWAAC for free, I suggest that you install it on a test environment. If it does not work out of the box with your RHEL clients, please drop us a line at support@cleito.com, we will be happy to do our best effort to make it work in your environment.

Best regards,

Bruno

Bruno –

This might be better asked in a different venue, but do you have any plans to support Linux clients? Specifically RHEL 7 and / or RHEL 6 are what I'd be interested in.

Thanks,

Ian

Hi,

We are proud to announce the release of our new add-on, Integrated Windows Authentication for Apps using Crowd (IWAAC) at https://marketplace.atlassian.com/plugins/com.cleito.iwaac

IWAAC uses SPNEGO/Kerberos to allow your Windows domain users to log into Jira, Confluence, or any other web app using Crowd as its user management system without entering a password.

Please check out https://www.cleito.com/products/iwaac/ for more details.

Best regards,

Bruno

AppFusions' Kerberos SSO Authenticator for AD & Atlassian Servers solution supports Confluence, JIRA, Crowd, FishEye, Crucible, Bamboo, SVN as of this writing. It was first released in June 2011 and continually supported since, through dozens of Atlassian version releases (esp. JIRA and Confluence; the others came later).

Deployed, the Kerberos SSO over HTTP authentication flow is as follows:

1. User gets a Kerberos ticket from Active Directory during Windows login to a domain joined PC.
2. With a Kerberos-enabled browser (MSIE, Chrome, and Firefox), the user accesses an Atlassian web application protected by the AppFusions Kerberos SSO Authenticator.
3. The AppFusions Kerberos SSO Authenticator denies access to the browser with a 401 response and negotiates with the browser to use Kerberos for authentication or fall back to basic authentication if Kerberos is not possible.
4. If Kerberos is negotiated, the web browser gets a service ticket from a domain controller for authentication.
5. The web browser sends the service ticket to the AppFusions Kerberos SSO Authenticator for validation with a domain controller.
6. Upon service ticket validation, the AppFusions Kerberos SSO Authenticator uses Atlassian Seraph to log the user into the Atlassian web application.

Flow diagram is here.Contact Info@appfusions.com for more information. Many many references, successes, renewals, upgrades.

we have Confluence (and soon Jira) deployed with a custom authenticator for Kerberos Logon. Adopting Crowd would be a step back for us because we have a password free infrastructure already

Reopening this issue since it is no longer resolved given that previously suggested plugins are no longer compatible with support versions of Crowd or exist.

The plugins referenced here are either deprecated or gone...