Advanced Configuration for EasySSO

Users authenticated via Kerberos or NTLM (NTLMv2) Single Sign-On (SSO) based on the current domain workstation session, no login screen - no passwords asked.

All options in the advanced menu have standard values. You don't need to change any of these values if you're not sure.

  1. For the start – leave Kerberos authentication unchecked.

    Kerberos is notoriously fickle, and in many scenarios doesn't work by design.

    NTLM works where Kerberos doesn't. It makes sense to get NTLM working before proceeding to configure Kerberos.

  2. For the start – leave Log4J logging option unchecked.
     
  3. Set log file location.
     

  4. Set logging detail level. 

    Recommended log level for testing is 4 - this will display requests and responses, DNS queries as well as details of communication with Domain Controllers.

    For production use levels 1 or 2 is recommended.

  5. Consult with your Domain Administrator if use of "AD Site" is necessary

    Nowadays organisations often use multiple redundant Domain Controllers. They are often organised in groups known as"sites". While an End User workstation may be capable of "seeing" all Domain Controllers and connect to all of them for the sake of disaster recovery, a server often is only able to connect to the closest site (probably co-located in the same datacenter). Your Domain Administrator should be able to identify the name of the site EasySSO should use to discover all available Domain Controllers that are actually useable.

    You can attempt to list all sites available to you by running the following command from command-line:

    nltest /dclist:mydomain.org

    e.g.

    nltest /dclist:techtime.org

    returns:

    C:\Users\testuser1>nltest /dclist:techtime.org
Get list of DCs in domain 'techtime.org' from '\\dc.techtime.org'.
    dc.techtime.org [PDC]  [DS] Site: Default-First-Site-Name
The command completed successfully


    In the example above there is only one Domain Controller and it is in the site "Default-First-Site-Name". 
    This would be the value to insert into EasySSO parameter "AD Site" in the config screen.
  6. Canonical user account form depends on the format of usernames used in Atlassian application. Please read IOPLEX Jespa Operators Manual about this. Most installations will use canonical form=2 e.g. for usernames like "johndoe".
     
  7. Consult with our 24x7 support if you feel you need to change any other parameters

  8. For those brave – enable Kerberos authentication. Please make sure NTLM works first. 

    Read these articles in our FAQ:


Pair EasySSO with User Management for Jira and Confluence. Visit the Atlassian Marketplace for more information.



EasySSO articles

Try for free

EasySSO for Jira, Confluence, Bamboo, Bitbucket and Fisheye/Crucible 

Try for free