Use Integrated Authentication over Kerberos when connecting to MSSQL on Linux

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

The content on this page relates to platforms which are not supported. Consequently, Atlassian Support cannot guarantee support for it. This material is provided for your information only, and you use it at your own risk.

This page explains how to set up Kerberos authentication from Linux to an external MSSQL server. More information about using an external MSSQL database can be found at Connect Bitbucket to SQL Server.

Solution

Create a Kerberos configuration file

Create a krb5.conf file with the appropriate configuration for your instance. A sample from Microsoft is provided below.

krb5.conf

[libdefaults]
default_realm = YYYY.CORP.CONTOSO.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[domain_realm]
.yyyy.corp.contoso.com = YYYY.CORP.CONTOSO.COM
.zzzz.corp.contoso.com = ZZZZ.CORP.CONTOSO.COM

[realms]
YYYY.CORP.CONTOSO.COM = {
  kdc = krbtgt/YYYY.CORP.CONTOSO.COM @ YYYY.CORP.CONTOSO.COM
  default_domain = YYYY.CORP.CONTOSO.COM
}

ZZZZ.CORP.CONTOSO.COM = {
  kdc = krbtgt/ZZZZ.CORP.CONTOSO.COM @ ZZZZ.CORP.CONTOSO.COM
  default_domain = ZZZZ.CORP.CONTOSO.COM
}

See Using Kerberos Integrated Authentication to Connect to SQL Server from Microsoft or Kerberos Documentation for more information.

Configure Java to use the Kerberos configuration

Modify <Bitbucket Server Installation>/bin/setenv.sh and add the following to JVM_SUPPORT_RECOMMENDED_ARGS:

-Djava.security.krb5.conf=<PATH_TO>/krb5.conf

setenv and environment variable changes in Bitbucket Server 5.0+

Starting with Bitbucket Server 5.0, setenv.sh and setenv.bat have been removed. The options that were set in this file can now be set via environment variables. Where to set the environment variable depends on which Operating System you're running on.

Linux

When using the atlbitbucket service on Linux, the environment variables are ignored. You must set the parameters in _start-webapp.sh (or start-bitbucket.sh). These values will be read when the service starts.

As an example, to set JVM_SUPPORT_RECOMMENDED_ARGS, you would add this line to the file:

Example

JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+HeapDumpOnOutOfMemoryError

Windows

Set the parameter as an environment variable for the user running Bitbucket Server. For example, if you want to set JVM_SUPPORT_RECOMMENDED_ARGS, create it as an environment variable and assign the appropriate value to it. When Bitbucket Server starts using the startup scripts or service, it will pick up and apply this value.

Update the JDBC URL to use Kerberos and Integrated Authentication

In $BITBUCKET_HOME/shared/bitbucket.properties, change jdbc.url so that it uses Kerberos and Integrated Authentication:

jdbc.url=jdbc:jtds:sqlserver://<MSSQL_HOST>:1433;databaseName=<DB_NAME>;domain=<DOMAIN>;integratedSecurity=true;authenticationScheme=JavaKerberos

Bitbucket Server will need to be restarted after making these changes.
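
The three settings above can be checked before the restart. The shell functions below are an added example, not Atlassian's or Microsoft's code; the function names are hypothetical, and the checks cover only what this page configures (default_realm with a matching [realms] stanza, the -Djava.security.krb5.conf option, and the two Kerberos properties in jdbc.url).

```shell
#!/bin/sh
# Added example (not Atlassian's code); function names are hypothetical.

# Print default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {      # $1 = krb5.conf
    awk -F= '
        /^[ \t]*\[/ { in_lib = ($0 ~ /\[libdefaults\]/); next }
        in_lib && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$1"
}

# Succeed if default_realm is set and has a "REALM = {" stanza under [realms].
check_krb5_conf() {         # $1 = krb5.conf
    realm=$(krb5_default_realm "$1")
    [ -n "$realm" ] || return 1
    awk -v realm="$realm" '
        /^[ \t]*\[/ { in_realms = ($0 ~ /\[realms\]/); next }
        in_realms { line = $0; gsub(/[ \t]/, "", line)
                    if (line == (realm "={")) found = 1 }
        END { exit !found }' "$1"
}

# Succeed if the JVM args point -Djava.security.krb5.conf at a readable file.
check_jvm_args() {          # $1 = value of JVM_SUPPORT_RECOMMENDED_ARGS
    for arg in $1; do       # unquoted on purpose: split the value into options
        case "$arg" in
            -Djava.security.krb5.conf=*) [ -r "${arg#*=}" ] && return 0 ;;
        esac
    done
    return 1
}

# Succeed if jdbc.url requests Kerberos integrated authentication and no
# <PLACEHOLDER> from the template is left in it.
check_jdbc_url() {          # $1 = bitbucket.properties
    url=$(sed -n 's/^jdbc\.url=//p' "$1" | head -n 1)
    case "$url" in *"<"*|*">"*) return 1 ;; esac
    case "$url" in *integratedSecurity=true*) ;; *) return 1 ;; esac
    case "$url" in *authenticationScheme=JavaKerberos*) ;; *) return 1 ;; esac
    return 0
}

# Run all three checks; print one line per failure, return 1 if any failed.
preflight() {               # $1 = krb5.conf  $2 = JVM args  $3 = bitbucket.properties
    rc=0
    check_krb5_conf "$1" || { echo "krb5.conf: default_realm unset or no [realms] stanza"; rc=1; }
    check_jvm_args "$2"  || { echo "JVM args: krb5.conf option missing or file unreadable"; rc=1; }
    check_jdbc_url "$3"  || { echo "jdbc.url: Kerberos options missing or placeholders left"; rc=1; }
    return $rc
}
```

Source the file and call preflight with the krb5.conf path, the JVM_SUPPORT_RECOMMENDED_ARGS value and the bitbucket.properties path; option values containing spaces are not handled.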

Updated on May 22, 2025
