...

Kerberos is a network authentication protocol designed by the Massachusetts Institute of Technology (MIT) for single sign-on (SSO) in client-server environments, while SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) extends Kerberos SSO to web applications.


Test Environment:

Test Settings:

  • Windows Server COMPUTER NAME is WIN-TKDH9LCHUUO

  • WINDOWS DOMAIN is windows.local

  • DOMAIN USER is joget

  • JOGET DOMAIN is joget.windows.local


...

  1. In PowerShell, execute: setspn -s HTTP/{JOGET DOMAIN} {DOMAIN USER} e.g. 

    Code Block
    setspn -s HTTP/JOGET.WINDOWS.LOCAL joget

In PowerShell, check that the SPN has been registered:

Code Block
setspn -L joget

...

Code Block
Registered ServicePrincipalNames for CN=Joget,CN=Users,DC=windows,DC=local:
         HTTP/JOGET.WINDOWS.LOCAL

2. Set up Joget Server for Kerberos

2.1 Add Windows Domain to Hosts File

  1. Edit /etc/hosts (Linux or macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) and add the Windows Server IP, e.g.

    Code Block
    192.168.56.102        windows.local win-tkdh9lchuuo win-tkdh9lchuuo.windows.local

    Info
    NOTE: This step is not required if the Joget Server is using the Windows Server as its DNS server.

 2.2 Create Kerberos Identification (Keytab) File

Using Windows

  1. In PowerShell on the Windows Server, generate a keytab file using the ktpass tool:

    Code Block
    ktpass -out joget.keytab -mapuser joget@WINDOWS.LOCAL -pass Pass@word1 -crypto all -ptype KRB5_NT_PRINCIPAL -princ HTTP/joget.windows.local@WINDOWS.LOCAL


  2. Copy the generated joget.keytab file to the Joget server, e.g. to C:\Joget-v5-Enterprise\wflow\joget.keytab

  3. Java 8 may be required for Kerberos authentication to work with the ktpass-generated keytab. Download and install JDK 8, then edit the tomcat-run.bat startup script to point JAVA_HOME at it.
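Before copying joget.keytab to the Joget server, it is worth confirming that the file produced by the ktpass command above really carries the HTTP/joget.windows.local@WINDOWS.LOCAL principal with name type KRB5_NT_PRINCIPAL and an AES key. The following Python check is an added example, not code from the Joget documentation or product: it parses the MIT keytab layout that ktpass writes, skips the key bytes rather than returning them, and includes a constructed zero-key fixture builder (build_sample_keytab, a hypothetical helper) so the parser can be exercised offline.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}  # what ktpass -crypto all writes
KRB5_NT_PRINCIPAL = 1  # the -ptype value used in the ktpass command above

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502, big-endian). Key bytes are skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]  # negative size = deleted slot
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:
            ncomp = struct.unpack_from(">H", data, pos)[0]
            strings, pos = [], pos + 2
            for _ in range(ncomp + 1):  # realm first, then the name components
                n = struct.unpack_from(">H", data, pos)[0]
                strings.append(data[pos + 2:pos + 2 + n].decode("utf-8"))
                pos += 2 + n
            name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + klen  # skip the key itself
            vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
            entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                            "name_type": name_type, "kvno": vno or vno8,
                            "enctype": ENCTYPES.get(enctype, "enctype-%d" % enctype)})
        pos = end
    return entries

def check_keytab(data, principal="HTTP/joget.windows.local@WINDOWS.LOCAL"):
    """Return the problems worth catching before copying joget.keytab to the Joget server."""
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    checks = [(not mine, "no entry for %s (check the ktpass -princ value)" % principal),
              (any(e["name_type"] != KRB5_NT_PRINCIPAL for e in mine),
               "entry name type is not KRB5_NT_PRINCIPAL"),
              (mine and not any(e["enctype"].startswith("aes") for e in mine),
               "no AES key present, only DES/RC4")]
    return [msg for bad, msg in checks if bad]

def build_sample_keytab(principal, enctypes, kvno=3):
    """CONSTRUCTED fixture in the layout ktpass writes, with all-zero dummy keys (hypothetical helper)."""
    name, realm = principal.split("@")
    out = b"\x05\x02"
    for et in enctypes:
        body = struct.pack(">H", name.count("/") + 1)
        for s in [realm] + name.split("/"):
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 0, kvno, et, 16) + b"\x00" * 16
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out
```

On a real file, `check_keytab(open("joget.keytab", "rb").read())` returning an empty list means the principal, name type and an AES key are all present; each entry listed by parse_keytab corresponds to one of the encryption types ktpass emitted for -crypto all.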

...

  1. Ensure that the Windows Server is reachable on the network from the Client PC.

  2. Set the DNS server to the IP address of the Windows Server.

  3. Ping the Windows domain name to test.

  4. Open File Explorer, right-click This PC and choose Properties. Click Change Settings next to the computer name, then click Change and set the Domain, e.g. windows.local, entering the domain administrator login when prompted. Restart once the domain join succeeds, and log in as a domain user.

...

  1. If using the Kerberos Directory Manager plugin approach, access http://joget.windows.local/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service to SSO.

  2. If using the Spring Security Kerberos Extension approach, access http://joget.windows.local/jw/web/sso to SSO.

    Info
    NOTE: For SSO to work properly:

    • the client PC and Joget server must reside on different machines,

    • the Windows server and client PC must reside on the same Windows domain.

...


Resources

Introduction to Kerberos and SPNEGO

...

Configuring Kerberos on Windows Server


Kerberos with Java and Spring