Joget DX Preview Release Available for Download

Check out Joget DX, the next generation successor to Joget Workflow for faster, simpler digital transformation.

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Introduction

This article describes the single sign-on (SSO) setup between Joget Workflow and Microsoft Active Directory using Kerberos and SPNEGO.

Kerberos is a network authentication protocol designed by the Massachusetts Institute of Technology (MIT) for SSO in client-server environments, while SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) extends Kerberos SSO to web applications. 

 

Test Environment

介绍

本文介绍 使用  Kerberos  和  SPNEGOJoget Workflow  和Microsoft  Active Directory之间进行单点登录(SSO)

Kerberos是由麻省理工学院(MIT)为客户端 - 服务器环境中的SSO 设计的网络身份验证协议  ,而SPNEGO(简单和受保护的GSS-API协商机制)将Kerberos SSO扩展到Web应用程序。 

测试环境

Test Settings测试设置

  • Windows Server COMPUTER NAME is WIN计算机名称 是 WIN-TKDH9LCHUUO 

  • WINDOWS DOMAIN is windows域是 windows.localDOMAIN USER is joget

  • 域用户是 joget

  • JOGET DOMAIN is joget域名 是 joget.windows.local

     

Info
  • This article assumes familiarity with the basics of Windows Server and Windows 10 system and network administration

  • This setup is tested within a local VirtualBox environment. Actual setup on a different environment should be adapted accordingly.

...

1. Setup Windows Server Kerberos Key Distribution Center (KDC):

1.1 Install DNS Server

...

Go to Server Manager > Add roles and features to install the DNS Server. 

Image Removed

...

  • 本文假设您熟悉Windows Server和Windows 10系统以及网络管理的基础知识

  • 此设置在本地VirtualBox环境中进行测试。应相应调整不同环境的实际设置

Kerberos SSO设置配置

1.设置Windows Server Kerberos密钥分发中心(KDC):

1.1安装DNS服务器

  1. 转到“服务器管理器”>“添加角色和功能”以安装DNS服务器。 

    Image Added

  2. 在网络和共享中心中,配置网络适配器,以便首选DNS服务器为127.0.0.1. 1。

  3. In the DNS Manager, right click on the server name and Configure a DNS Server to create a forward lookup zone for windows.local.在DNS管理器中,右键单击服务器名称并配置DNS服务器为windows.local创建正向查找区域

     

1.

...

In the windows.local DNS zone, add an A record for joget to point to the Joget server IP. 

 Image Removed

...

将Joget域名添加到Windows Server DNS中

 

  1. 在windows.local DNS区域中,为joget添加A记录以指向Joget服务器IP

     Image Added

  2. 测试ping以确保joget.windows.local解析为正确的IP

     

1.

...

  1. In Active Directory Users and Computers, create a domain user joget. This is the user account to be mapped to the service name used by the Joget server. Image Removed

1.4 Register Service Principal Name (SPN)

...

为服务创建Windows域用户

 

  1. 在“Active Directory用户和计算机”中,创建域用户joget。这是要映射到Joget服务器使用的服务名称的用户帐户

    Image Added

1.4 注册服务主体名称(SPN)

 

  1. 在PowerShell中,执行:setspn -s HTTP / {JOGET DOMAIN} {DOMAIN USER} e.g. 例如 

    Code Block
    setspn -s HTTP/JOGET.WINDOWS.LOCAL joget

In PowerShell, check that the SPN has been registered 

在PowerShell中,检查SPN是否已注册  

Code Block
setspn -L joget

should display应该显示 

Code Block
Registered ServicePrincipalNames for CN=Joget,CN=Users,DC=windows,DC=local:
         HTTP/JOGET.WINDOWS.LOCAL

2.

...

为Kerberos设置Joget Server

...

2.

...

将Windows域添加到Joget Server 的hosts文件

 

  1. 编辑 /etc/hosts (Linux or macOS) or   或者 C:\Windows\System32\drivers\etc\hosts (Windows) and add the server IP e.g. 并且添加服务 IP ,比如 

    Code Block
    192.168.56.102        windows.local win-tkdh9lchuuo win-tkdh9lchuuo.windows.local

    In PowerShell on the Windows Server, generate a keytab file using the Ktpass tool

    Info

    NOTE: This step is not required if the Joget Server is using the Windows Server as the DNS server.

2.2 Create Kerberos Identification (Keytab) File

Using Windows

  1. 注意:如果Joget Server使用Windows Server作为DNS服务器,则不需要此步骤。

2.2 创建Kerberos标识(Keytab)文件

 

使用Windows

  1. 在Windows Server上的PowerShell中,使用Ktpass工具生成密钥表文件  

    Code Block
    ktpass -out joget.keytab -mapuser joget@WINDOWS.LOCAL  -pass Pass@word1  -crypto all -ptype KRB5_NT_PRINCIPAL  -princ HTTP/joget.windows.local@WINDOWS.LOCAL


  2. Copy the generated joget.keytab file into the Joget server e.g. at C将生成的joget.keytab文件复制到Joget服务器,例如C:\Joget-v6-Enterprise\wflow\joget.keytab

  3. Java 8 may be required for the Kerberos authentication to work with the ktpass generated keytab. Download and install JDK 8, and edit the tomcat-run.bat startup script to update the JAVA_HOME path accordingly.

Using Linux

  1. Install the krb5-user package Kerberos身份验证可能需要Java 8才能使用ktpass生成的密钥表。 下载并安装JDK 8,并编辑tomcat-run.bat启动脚本以相应地更新JAVA_HOME路径。

使用Linux

  1. 安装krb5-user软件包 

    Code Block
    sudo apt-get install krb5-user
    

     and configure the realm as WINDOWS.LOCAL and the KDC as WIN-TKDH9LCHUUO.WINDOWS.LOCAL:88

  2. In a terminal, run在终端中,执行

    Code Block
    kinit joget@WINDOWS.LOCAL


    Confirm the configuration in
    Info

    IMPORTANT NOTE: The domain must be UPPER CASE

    The command should run without error

    重要说明:域名必须为大写


    该命令应该运行没有错误


  3. /etc/krb5.conf conf中确认配置 

    Code Block
    [libdefaults]
    default = WINDOWS.LOCAL
    default_realm = WINDOWS.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    
    [realms]
       WINDOWS.LOCAL = {
           kdc = WIN-TKDH9LCHUUO.WINDOWS.LOCAL:88
           default_domain = WINDOWS.LOCAL
       }
    
    [domain_realm]
       .windows.local = WINDOWS.LOCAL
       windows.local = WINDOWS.LOCAL
    Info

    IMPORTANT NOTE: The domain must be UPPER CASE

    In a terminal, generate a keytab file using: 

    重要说明:域名必须为大写

  4. 在终端中,使用以下命令生成密钥表文件: 

    Code Block
    ktutil
     ktutil: add_entry -password -p HTTP/JOGET.WINDOWS.LOCAL@WINDOWS.LOCAL -k 1 -e arcfour-hmac-md5
     Password for HTTP/JOGET.WINDOWS.LOCAL@WINDOWS.LOCAL:
     ktutil: wkt /etc/joget.keytab
  5. List the SPNs in the keytab using: 使用以下方法列出密钥表中的SPN: 

    Code Block
    ktutil
     ktutil: rkt /etc/joget.keytab
     ktutil: list

Using macOS

...

使用macOS

  1. 在终端中,运行 

    Code Block
    kinit joget@WINDOWS.LOCAL
    Edit
    Info

    IMPORTANT NOTE: The domain must be UPPER CASE

    The command should run without error, or just a warning “Encryption type arcfour-hmac-md5(23) used for authentication is weak and will be deprecated”

    重要说明:域名必须为大写


    该命令应该没有错误地运行,或者只是警告“用于身份验证的加密类型arcfour-hmac-md5(23)很弱并且将被弃用”

  2. 编辑 /etc/krb5.conf 

    Code Block
    [libdefaults]
    default = WINDOWS.LOCAL
    default_realm = WINDOWS.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    
    [realms]
       WINDOWS.LOCAL = {
           kdc = WIN-TKDH9LCHUUO.WINDOWS.LOCAL:88
           default_domain = WINDOWS.LOCAL
       }
    
    [domain_realm]
        .windows.local = WINDOWS.LOCAL
        windows.local = WINDOWS.LOCAL
    Info

    IMPORTANT NOTE: The domain must be UPPER CASE

    In a terminal, generate a keytab file using

    重要说明:域名必须为大写

  3. 在终端中, 生成一个 keytab 文件

    Code Block
     ktutil -k joget.keytab add -p HTTP/JOGET.WINDOWS.LOCAL@WINDOWS.LOCAL -e arcfour-hmac-md5 -V 1
  4. List the SPNs in the keytab using: 使用以下方法列出密钥表中的SPN:

    Code Block
     ktutil -k joget.keytab list
  5. Keep a copy of the generated joget.keytab file e.g. in 保留生成的joget.keytab文件的副本,例如在/etc/joget.keytabkeytab中

3.

...

配置Kerberos目录管理器插件

3.

...

上传Kerberos目录管理器插件

 

  1. 从Joget Marketplace 下载  Kerberos目录管理器插件,并将其上载到设置>管理插件中

3.

...

In Settings > Directory Manager, select the Kerberos Directory Manager plugin, and key in the appropriate values in the configuration: 

...

配置Kerberos目录管理器插件

 

  1. 在“设置”>“目录管理器”中,选择Kerberos目录管理器插件,然后键入配置中的相应值: 

    • 服务主体:HTTP/JOGET.WINDOWS.LOCAL

    • Path to Keytab File: Keytab文件的路径:/etc/joget.keytab (Linux) or Ckeytab(Linux)或C:/Joget-v6-Enterprise/wflow/joget.keytab(Windows)Windows)

    • Debug Enabled: View debugging messages in the logs Enabled:查看日志中的调试信息

    Note

    Please remember to configure the LDAP Directory Manager as external directory manager to retrieve users from Active Directory.请记住将LDAP目录管理器配置为外部目录管理器以从Active Directory检索用户。

3.

...

In Settings > General Settings, set the API Domain Whitelist to * to allow SSO requests to the Kerberos Directory Manager. 

配置API域白名单

 

  1. 在“设置”>“常规设置”中,将API域白名单设置为 * 以允许对Kerberos目录管理器的SSO请求。 

 

4.

...

为SSO设置客户端PC

4.

...

Ensure that the Windows Server is reachable on the network from the Client PC.

...

将客户端PC添加到Windows域

 

  1. 确保可以从客户端PC在网络上访问Windows Server

  2. 将DNS服务器设置为Windows Server的IP地址

    Ping

  3. the windows domain name to test. ping Windows域名进行测试。 

    Click

  4. on File Explorer, right click on the This PC and choose Properties. Click on Change Settings next to the computer name. Click on Change and set the Domain e.g. windows.local, keying in the domain administrator login when prompted. Restart after joining the domain is successful, and login as a domain user. 单击文件资源管理器,右键单击此PC,然后选择属性。单击计算机名称旁边的“更改设置”。单击“更改”并设置域,例如windows.local,在出现提示时键入域管理员登录名。加入域后重新启动成功,并以域用户身份登录。

4.

...

为浏览器设置Windows身份验证

 

  1. 在IE中,单击Internet选项>安全性>本地Intranet站点>高级,然后添加Joget域,例如   http://joget.windows.local  

4.

...

测试SSO

 

  1. 使用Kerberos目录管理器插件方法,访问  http://joget.windows.local/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service to SSO.  到SSO。

    Info

    Please note that for the SSO to work properly:

    • the client PC and Joget server must reside on different machines

    • the Windows server and client PC must reside on the same Windows domain

...

  1. 请注意,要使SSO正常工作:

    • 客户端PC和Joget服务器必须驻留在不同的计算机上

    • Windows服务器和客户端PC必须位于同一Windows域中

资源

Introduction to Kerberos and SPNEGO

Configuring Kerberos on Windows Server

Kerberos with Java and Spring

...