
Introduction

This article describes the single sign-on (SSO) setup between Joget Workflow and Microsoft Active Directory using Kerberos and SPNEGO.

Kerberos is a network authentication protocol designed by the Massachusetts Institute of Technology (MIT) for SSO in client-server environments, while SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) extends Kerberos SSO to web applications. 


Test Environment

Test Settings

  • Windows Server COMPUTER NAME is WIN-TKDH9LCHUUO

  • WINDOWS DOMAIN is windows.local

  • DOMAIN USER is joget

  • JOGET DOMAIN is joget.windows.local

Info
  • This article assumes familiarity with the basics of Windows Server and Windows 10 system and network administration

  • This setup is tested within a local VirtualBox environment. Actual setup on a different environment should be adapted accordingly.



1. Setup Windows Server Kerberos Key Distribution Center (KDC):

1.1 Install DNS Server

  1. Go to Server Manager > Add roles and features to install the DNS Server.

  2. In the Network and Sharing Center, configure the network adapter so that the Preferred DNS server is 127.0.0.1.

  3. In the DNS Manager, right click on the server name and Configure a DNS Server to create a forward lookup zone for windows.local.

1.2 Add Joget Domain Name to Windows Server DNS

  1. In the windows.local DNS zone, add an A record for joget to point to the Joget server IP.

  2. Test ping to ensure that joget.windows.local resolves to the correct IP.

     

1.3 Create Windows Domain User for the Service

  1. In Active Directory Users and Computers, create a domain user joget. This is the user account to be mapped to the service name used by the Joget server.

1.4 Register Service Principal Name (SPN)

  1. In PowerShell, execute: setspn -s HTTP/{JOGET DOMAIN} {DOMAIN USER} e.g.

    Code Block
    setspn -s HTTP/JOGET.WINDOWS.LOCAL joget

  2. In PowerShell, check that the SPN has been registered:

    Code Block
    setspn -L joget

    should display

    Code Block
    Registered ServicePrincipalNames for CN=Joget,CN=Users,DC=windows,DC=local:
             HTTP/JOGET.WINDOWS.LOCAL

2. Setup Joget Server for Kerberos

2.1 Add Windows Domain to the Joget Server hosts File

  1. Edit /etc/hosts (Linux or macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) and add the server IP e.g.

    Code Block
    192.168.56.102        windows.local win-tkdh9lchuuo win-tkdh9lchuuo.windows.local

    Info

    NOTE: This step is not required if the Joget Server is using the Windows Server as the DNS server.

2.2 Create Kerberos Identification (Keytab) File

Using Windows


  1. In PowerShell on the Windows Server, generate a keytab file using the Ktpass tool

    Code Block
    ktpass -out joget.keytab -mapuser joget@WINDOWS.LOCAL -pass Pass@word1 -crypto all -ptype KRB5_NT_PRINCIPAL -princ HTTP/joget.windows.local@WINDOWS.LOCAL

    Info

    NOTE: ktpass also sets the password of the mapped account to the -pass value, so the keytab only stays valid until that password is next changed. Treat joget.keytab as a secret equivalent to the account password.

  2. Copy the generated joget.keytab file into the Joget server e.g. at C:\Joget-v6-Enterprise\wflow\joget.keytab

  3. Java 8 may be required for the Kerberos authentication to work with the ktpass generated keytab. Download and install JDK 8, and edit the tomcat-run.bat startup script to update the JAVA_HOME path accordingly.

Using Linux


  1. Install the krb5-user package

    Code Block
    sudo apt-get install krb5-user

     and configure the realm as WINDOWS.LOCAL and the KDC as WIN-TKDH9LCHUUO.WINDOWS.LOCAL:88

  2. In a terminal, run

    Code Block
    kinit joget@WINDOWS.LOCAL

    Info

    IMPORTANT NOTE: The domain must be UPPER CASE

    The command should run without error.

  3. Confirm the configuration in /etc/krb5.conf

    Code Block
    [libdefaults]
    default = WINDOWS.LOCAL
    default_realm = WINDOWS.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    
    [realms]
       WINDOWS.LOCAL = {
           kdc = WIN-TKDH9LCHUUO.WINDOWS.LOCAL:88
           default_domain = WINDOWS.LOCAL
       }
    
    [domain_realm]
       .windows.local = WINDOWS.LOCAL
       windows.local = WINDOWS.LOCAL
    Info

    IMPORTANT NOTE: The domain must be UPPER CASE

  4. In a terminal, generate a keytab file using:

    Code Block
    ktutil
     ktutil: add_entry -password -p HTTP/JOGET.WINDOWS.LOCAL@WINDOWS.LOCAL -k 1 -e arcfour-hmac-md5
     Password for HTTP/JOGET.WINDOWS.LOCAL@WINDOWS.LOCAL:
     ktutil: wkt /etc/joget.keytab

    The key version number (-k 1) and encryption type must match what the KDC holds for the joget account; arcfour-hmac-md5 (RC4) is deprecated, so use an AES type where the domain allows it.

  5. List the SPNs in the keytab using:

    Code Block
    ktutil
     ktutil: rkt /etc/joget.keytab
     ktutil: list

Using macOS


  1. In a terminal, run

    Code Block
    kinit joget@WINDOWS.LOCAL

    Info

    IMPORTANT NOTE: The domain must be UPPER CASE

    The command should run without error, or just a warning "Encryption type arcfour-hmac-md5(23) used for authentication is weak and will be deprecated"

  2. Edit /etc/krb5.conf

    Code Block
    [libdefaults]
    default = WINDOWS.LOCAL
    default_realm = WINDOWS.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    
    [realms]
       WINDOWS.LOCAL = {
           kdc = WIN-TKDH9LCHUUO.WINDOWS.LOCAL:88
           default_domain = WINDOWS.LOCAL
       }
    
    [domain_realm]
        .windows.local = WINDOWS.LOCAL
        windows.local = WINDOWS.LOCAL
    Info

    IMPORTANT NOTE: The domain must be UPPER CASE

  3. In a terminal, generate a keytab file using

    Code Block
     ktutil -k joget.keytab add -p HTTP/JOGET.WINDOWS.LOCAL@WINDOWS.LOCAL -e arcfour-hmac-md5 -V 1

  4. List the SPNs in the keytab using:

    Code Block
     ktutil -k joget.keytab list

  5. Keep a copy of the generated joget.keytab file e.g. in /etc/joget.keytab
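The "list the SPNs in the keytab" checks above (Linux and macOS) rely on what ktutil prints. As an added example that is not part of this article or of Joget, the following Python reads the MIT keytab format directly and checks that the service principal the plugin expects is present; the sample keytab it parses is constructed inline with a dummy key, and build_keytab, list_keytab and has_spn are names chosen here.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}

def _octets(b):                      # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(principal, kvno, enctype, key, timestamp=0):
    """Encode a single-entry MIT keytab (version 0x0502); used here to construct the sample."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)                            # optional 32-bit kvno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def list_keytab(data):
    """Return [(principal, kvno, enctype_name)] for every live entry, like `ktutil list`."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                 # negative size marks a deleted slot; skip its bytes
            pos += -size; continue
        end = pos + size
        def take():                  # read one counted_octet_string at pos
            nonlocal pos
            n, = struct.unpack_from(">H", data, pos); pos += 2
            s = data[pos:pos + n]; pos += n
            return s.decode()
        ncomp, = struct.unpack_from(">H", data, pos); pos += 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, = struct.unpack_from(">H", data, pos); pos += 2
        klen, = struct.unpack_from(">H", data, pos); pos += 2 + klen   # skip the secret key bytes
        kvno = struct.unpack_from(">I", data, pos)[0] if pos + 4 <= end else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno or vno8, ENCTYPES.get(enctype, str(enctype))))
        pos = end
    return entries

def has_spn(data, principal):
    """Check that the keytab holds the service principal configured in the plugin."""
    return any(p == principal for p, _, _ in list_keytab(data))
```

Run list_keytab on the bytes of the real joget.keytab to compare against the Service Principal value entered in the plugin; a mismatch in principal, realm case or kvno is the usual reason the SSO handshake fails.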

3. Configure Kerberos Directory Manager Plugin

3.1 Upload Kerberos Directory Manager Plugin

  1. Download the Kerberos Directory Manager plugin from the Joget Marketplace and upload it in Settings > Manage Plugins

3.2 Configure Kerberos Directory Manager Plugin

  1. In Settings > Directory Manager, select the Kerberos Directory Manager plugin, and key in the appropriate values in the configuration:

    • Service Principal: HTTP/JOGET.WINDOWS.LOCAL

    • Path to Keytab File: /etc/joget.keytab (Linux) or C:/Joget-v6-Enterprise/wflow/joget.keytab (Windows)

    • Debug Enabled: View debugging messages in the logs

    Note

    Please remember to configure the LDAP Directory Manager as external directory manager to retrieve users from Active Directory.

3.3 Configure API Domain Whitelist

  1. In Settings > General Settings, set the API Domain Whitelist to * to allow SSO requests to the Kerberos Directory Manager. A value of * allows requests from any domain, so once SSO is working, narrow the whitelist to the domains that actually need access.

 

4. Setup Client PC for SSO

4.1 Add Client PC to the Windows Domain

  1. Ensure that the Windows Server is reachable on the network from the Client PC.

  2. Set the DNS server to the IP address of the Windows Server.

  3. Ping the Windows domain name to test.

  4. Click on File Explorer, right click on This PC and choose Properties. Click on Change Settings next to the computer name. Click on Change and set the Domain e.g. windows.local, keying in the domain administrator login when prompted. Restart after joining the domain successfully, and login as a domain user.

4.2 Setup Windows Authentication for the Browser

  1. In IE, click on Internet Options > Security > Local intranet site > Advanced and add the Joget domain e.g. http://joget.windows.local

4.3 Test SSO

  1. Using the Kerberos Directory Manager plugin approach, access http://joget.windows.local/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service to SSO.

    Info

    Please note that for the SSO to work properly:

    • the client PC and Joget server must reside on different machines

    • the Windows server and client PC must reside on the same Windows domain
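When the SSO test above fails, a common cause is that the browser could not obtain a ticket for the SPN and sent NTLM instead of Kerberos. As an added example that is not part of this article or of the Joget plugin, the following Python decodes the Authorization: Negotiate value a client sent and reports whether the first mechanism it offers is Kerberos or NTLM; build_negotiate and classify_negotiate are names chosen here, and the sample headers are constructed by build_negotiate rather than captured.

```python
import base64
SPNEGO, KRB5, MS_KRB5, NTLMSSP = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2", "1.3.6.1.4.1.311.2.2.10"

def _tlv(buf, pos=0):                   # read one DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid_encode(oid):
    """Dotted OID -> DER content bytes (base-128 arcs), used both to build and to compare."""
    nums = [int(x) for x in oid.split(".")]
    out = [nums[0] * 40 + nums[1]]
    for n in nums[2:]:
        chunk = [n & 0x7F]
        while n >> 7:
            n >>= 7; chunk.insert(0, (n & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def _der(tag, value):                   # short-form length is enough for these small tokens
    return bytes([tag, len(value)]) + value

def build_negotiate(mechs):
    """Constructed sample: Authorization value with a SPNEGO NegTokenInit listing mechTypes."""
    mech_list = _der(0x30, b"".join(_der(0x06, _oid_encode(m)) for m in mechs))
    init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))        # [0] NegTokenInit { [0] mechTypes }
    token = _der(0x60, _der(0x06, _oid_encode(SPNEGO)) + init)  # [APPLICATION 0] { OID, init }
    return "Negotiate " + base64.b64encode(token).decode()

def classify_negotiate(header):
    """'kerberos' if the client offers Kerberos first, 'ntlm' on NTLM fallback, else 'unknown'."""
    raw = base64.b64decode(header.split(" ", 1)[1])
    if raw.startswith(b"NTLMSSP\x00"):                 # raw NTLM token: no Kerberos ticket was obtained
        return "ntlm"
    tag, body, _ = _tlv(raw)
    if tag != 0x60 or _tlv(body)[1] != _oid_encode(SPNEGO):
        return "unknown"
    _, init, _ = _tlv(body, _tlv(body)[2])              # [0] NegTokenInit
    _, lst, _ = _tlv(_tlv(_tlv(init)[1])[1])            # SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    first = _tlv(lst)[1] if lst else b""                # the first mechType is the client's preference
    if first in (_oid_encode(KRB5), _oid_encode(MS_KRB5)):
        return "kerberos"
    return "ntlm" if first == _oid_encode(NTLMSSP) else "unknown"
```

With Debug Enabled on in the plugin, the token logged for a failed login can be pasted into classify_negotiate; an "ntlm" result points back at the SPN registration (1.4) or DNS name (1.2) rather than at the keytab.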

Resources

Introduction to Kerberos and SPNEGO

Configuring Kerberos on Windows Server

Kerberos with Java and Spring