...

Kerberos is a network authentication protocol designed by the Massachusetts Institute of Technology (MIT) for SSO in client-server environments, while SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) extends Kerberos SSO to web applications.

Test Environment:

Joget Server: Joget Workflow v5 Enterprise on Apache Tomcat 8 and Java 8
Windows Server: Windows Server 2012 R2 Datacenter (running on VirtualBox within a NAT Network, downloaded from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2)
Windows Client PC: IE11 on Windows 10 (running on VirtualBox within a NAT Network, downloaded from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)

Test Settings:

Windows Server COMPUTER NAME is WIN-TKDH9LCHUUO
WINDOWS DOMAIN is windows.local
DOMAIN USER is joget
JOGET DOMAIN is joget.windows.local

...

In PowerShell, execute: setspn -s HTTP/{JOGET DOMAIN} {DOMAIN USER} e.g.
Code Block
setspn -s HTTP/JOGET.WINDOWS.LOCAL joget

In PowerShell, check that the SPN has been registered

Code Block
setspn -L joget

...

Code Block
Registered ServicePrincipalNames for CN=Joget,CN=Users,DC=windows,DC=local: HTTP/JOGET.WINDOWS.LOCAL

2. Setup Joget Server for Kerberos

2.1 Add Windows Domain to Hosts File

Edit /etc/hosts (Linux or macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) and add the server IP e.g.
Code Block
192.168.56.102 windows.local win-tkdh9lchuuo win-tkdh9lchuuo.windows.local
Info
NOTE: This step is not required if the Joget Server is using the Windows Server as the DNS server.

2.2 Create Kerberos Identification (Keytab) File

Using Windows

In PowerShell on the Windows Server, generate a keytab file using the Ktpass tool:

Code Block
ktpass -out joget.keytab -mapuser joget@WINDOWS.LOCAL -pass Pass@word1 -crypto all -ptype KRB5_NT_PRINCIPAL -princ HTTP/joget.windows.local@WINDOWS.LOCAL

Copy the generated joget.keytab file into the Joget server e.g. at C:\Joget-v5-Enterprise\wflow\joget.keytab
Java 8 may be required for the Kerberos authentication to work with the ktpass generated keytab. Download and install JDK 8, and edit the tomcat-run.bat startup script to update the JAVA_HOME path accordingly.

...

Ensure that the Windows Server is reachable on the network from the Client PC.
Set the DNS server to the IP address of the Windows Server.
Image Modified
Ping the windows domain name to test.
Click on File Explorer, right click on the This PC and choose Properties. Click on Change Settings next to the computer name. Click on Change and set the Domain e.g. windows.local, keying in the domain administrator login when prompted. Restart after joining the domain is successful, and login as a domain user.

...

If using the Kerberos Directory Manager plugin approach, access http://joget.windows.local/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service to SSO.
If using the Spring Security Kerberos Extension approach, access http://joget.windows.local/jw/web/sso to SSO.
Info
NOTE: Please note that for the SSO to work properly:
the client PC and Joget server must reside on different machines,
the Windows server and client PC must reside on the same Windows domain.

Space shortcuts

Page tree

Versions Compared

Old Version 1

New Version 2

Key

2. Setup Joget Server for Kerberos

2.1 Add Windows Domain to Hosts File

2.2 Create Kerberos Identification (Keytab) File

Using Windows

Resources

Introduction to Kerberos and SPNEGO

Configuring Kerberos on Windows Server

Kerberos with Java and Spring

Space shortcuts

Page tree

Page History

Versions Compared

Old Version 1

New Version 2

Key

2. Setup Joget Server for Kerberos

2.1 Add Windows Domain to Hosts File

2.2 Create Kerberos Identification (Keytab) File

Using Windows

Resources

Introduction to Kerberos and SPNEGO

Configuring Kerberos on Windows Server

Kerberos with Java and Spring