Use Integrated Authentication over Kerberos when connecting to MSSQL on Linux in Jira

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee providing any support for it. Please be aware that this material is provided for your information only and using it is done so at your own risk.

This page describes how to set up Kerberos authentication to an external MSSQL server from Linux. More information about using an external MSSQL database can be found at Connect Jira to SQL Server.

Create a Kerberos configuration file

Create a krb5.conf file with the appropriate configuration for your instance. A sample from Microsoft is provided below.

krb5.conf
[libdefaults]
default_realm = YYYY.CORP.CONTOSO.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.yyyy.corp.contoso.com = YYYY.CORP.CONTOSO.COM
.zzzz.corp.contoso.com = ZZZZ.CORP.CONTOSO.COM

[realms]
# Sample values: kdc is normally the hostname or address of a KDC for the realm.
YYYY.CORP.CONTOSO.COM = {
  kdc = krbtgt/YYYY.CORP.CONTOSO.COM@YYYY.CORP.CONTOSO.COM
  default_domain = YYYY.CORP.CONTOSO.COM
}

ZZZZ.CORP.CONTOSO.COM = {
  kdc = krbtgt/ZZZZ.CORP.CONTOSO.COM@ZZZZ.CORP.CONTOSO.COM
  default_domain = ZZZZ.CORP.CONTOSO.COM
}

See Using Kerberos Integrated Authentication to Connect to SQL Server from Microsoft or Kerberos Documentation for more information.

Configure Java to use the Kerberos configuration

Modify $JIRA_INSTALL/bin/setenv.sh and add the following to JVM_SUPPORT_RECOMMENDED_ARGS:

-Djava.security.krb5.conf=<PATH_TO>/krb5.conf


Update the JDBC URL to use Kerberos and Integrated Authentication

In $JIRA_HOME/dbconfig.xml, change the JDBC URL so that it uses Kerberos and Integrated Authentication:

<url>jdbc:sqlserver://<mssqlserverIP>:1433;databaseName=<JiraDB>;domain=<ad-domain>;integratedSecurity=true;authenticationScheme=JavaKerberos</url>

Replace the parameters <JiraDB> and <ad-domain> with your database name and the Active Directory domain.

For Jira to start properly, use dummy values for the username and password fields in dbconfig.xml, as in the example below:


<?xml version="1.0" encoding="UTF-8"?>

<jira-database-config>
  <name>defaultDS</name>
  <delegator-name>default</delegator-name>
  <database-type>mssql</database-type>
  <schema-name>jiraschema</schema-name>
  <jdbc-datasource>
    <url>jdbc:sqlserver://<mssqlserverIP>:1433;databaseName=<JiraDB>;domain=<ad-domain>;integratedSecurity=true;authenticationScheme=JavaKerberos</url>
    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
    <username>username</username>
    <password>password</password>
    <pool-min-size>40</pool-min-size>
    <pool-max-size>40</pool-max-size>
    <pool-max-wait>30000</pool-max-wait>
    <validation-query>select 1</validation-query>
    <min-evictable-idle-time-millis>4000</min-evictable-idle-time-millis>
    <time-between-eviction-runs-millis>5000</time-between-eviction-runs-millis>
    <pool-max-idle>40</pool-max-idle>
    <pool-remove-abandoned>true</pool-remove-abandoned>
    <pool-remove-abandoned-timeout>300</pool-remove-abandoned-timeout>
    <pool-test-on-borrow>false</pool-test-on-borrow>
    <pool-test-while-idle>true</pool-test-while-idle>
  </jdbc-datasource>
</jira-database-config>

Remember to grant "DB Owner" permissions on the database to the Active Directory user that Jira will authenticate as, so that Jira can connect.

Jira Server will need to be restarted after making these changes.
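
A check to run against the two edited files before the restart, as an added example that is not part of the original article or of Atlassian's or Microsoft's code. It reports a JDBC URL missing either Kerberos property and a krb5.conf whose realm names contain stray whitespace or whose default realm cannot be located. The function names, the EXAMPLE.INTERNAL realm and host, and the rule that a missing [realms] stanza only matters when dns_lookup_kdc is off are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not from a real instance: the realm header has a stray space.
SAMPLE_KRB5 = """[libdefaults]
default_realm = EXAMPLE.INTERNAL
dns_lookup_kdc = false
[realms]
EXAMPLE. INTERNAL = {
  kdc = kdc01.example.internal
}
"""

def check_jdbc_url(url):
    """Return problems with a jdbc:sqlserver URL (property names matched case-insensitively)."""
    head, _, tail = url.strip().partition(";")
    pairs = (p.split("=", 1) for p in tail.split(";") if "=" in p)
    props = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    problems = [] if head.startswith("jdbc:sqlserver://") else ["not a jdbc:sqlserver URL"]
    for key, want in (("integratedSecurity", "true"), ("authenticationScheme", "JavaKerberos")):
        if props.get(key.lower()) != want.lower():
            problems.append(f"{key}={want} is missing")
    return problems

def check_dbconfig(xml_text):  # checks the <url> element of a dbconfig.xml document
    return check_jdbc_url(ET.fromstring(xml_text).findtext("jdbc-datasource/url", ""))

def check_krb5(text):
    """Return problems with the realm names of a krb5.conf document."""
    section, default, dns_kdc, realms = None, None, True, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = (part.strip() for part in line.partition("="))
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and key == "default_realm":
            default = value
        elif section == "libdefaults" and key == "dns_lookup_kdc":
            dns_kdc = value.lower() in ("true", "yes", "on", "1")
        elif section == "realms" and value == "{":
            realms.add(key)
    names = sorted(realms | {default or ""})
    problems = [f"whitespace in realm name {n!r}" for n in names if len(n.split()) > 1]
    if not default:
        problems.append("default_realm is not set")
    elif default not in realms and not dns_kdc:
        problems.append(f"no [realms] stanza for {default} and dns_lookup_kdc is off")
    return problems

if __name__ == "__main__":
    print(check_krb5(SAMPLE_KRB5))
```

Pass the contents of your own krb5.conf to check_krb5 and of dbconfig.xml to check_dbconfig; an empty list means none of these problems were found.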

Last modified on Nov 14, 2022
