...
Kerberos is a network authentication protocol designed by the Massachusetts Institute of Technology (MIT) for SSO in client-server environments, while SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) extends Kerberos SSO to web applications.
This plugin source code is available in a new open source repository at https://github.com/jogetoss/. JogetOSS is a community-led team for open source software related to the Joget no-code/low-code application platform. Projects under JogetOSS are community-driven and community-supported, and you are welcome to contribute to the projects.
Test Environment:
Joget Server: Joget Workflow v5 Enterprise on Apache Tomcat 8 and Java 8
Windows Server: Windows Server 2012 R2 Datacenter (running on VirtualBox within a NAT Network, downloaded from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2)
Windows Client PC: IE11 on Windows 10 (running on VirtualBox within a NAT Network, downloaded from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)
Test Settings:
Windows Server COMPUTER NAME is WIN-TKDH9LCHUUO
WINDOWS DOMAIN is windows.local
DOMAIN USER is joget
JOGET DOMAIN is joget.windows.local
...
In PowerShell, execute `setspn -s HTTP/{JOGET DOMAIN} {DOMAIN USER}`, e.g.

```powershell
setspn -s HTTP/JOGET.WINDOWS.LOCAL joget
```

In PowerShell, check that the SPN has been registered:

```powershell
setspn -L joget
```
...
The output should list the SPN under the service account:

```text
Registered ServicePrincipalNames for CN=Joget,CN=Users,DC=windows,DC=local:
        HTTP/JOGET.WINDOWS.LOCAL
```
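The two commands above can be wrapped into one check that also catches the most common SPN mistake, a duplicate SPN on a second account, which makes the KDC refuse to issue a service ticket and silently pushes the browser back to NTLM. This is an added example, not from the Joget page or the JogetOSS project; it uses the page's test values (`joget`, `HTTP/JOGET.WINDOWS.LOCAL`) and relies on the `-Q`, `-S`, `-X` and `-L` switches of `setspn`.

```powershell
# Added example (not from the Joget page): register the HTTP SPN for the Joget
# service account and verify it, stopping on a missing or duplicated SPN.
# Run in PowerShell on the Windows Server as a domain admin.
$ServiceAccount = 'joget'                      # page's DOMAIN USER
$Spn            = 'HTTP/JOGET.WINDOWS.LOCAL'   # page's JOGET DOMAIN SPN

# -Q asks AD whether any object already holds this SPN.
$query = & setspn -Q $Spn 2>&1
if ($query -match 'Existing SPN found') {
    Write-Host "SPN already registered:`n$($query -join "`n")"
} else {
    # -S (unlike -A) first checks the forest and refuses to add a duplicate.
    & setspn -S $Spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn -S failed; another object may already own $Spn" }
}

# -X reports every group of duplicate SPNs in the forest; our SPN must not appear.
$dupes = & setspn -X 2>&1 | Select-String -SimpleMatch $Spn
if ($dupes) { throw "Duplicate SPN detected:`n$($dupes -join "`n")" }

# Same as the page's "setspn -L joget", but parsed instead of eyeballed.
$listed = & setspn -L $ServiceAccount 2>&1
if (-not ($listed | Select-String -SimpleMatch $Spn)) {
    throw "$Spn is not registered on $ServiceAccount"
}
Write-Host "OK: $Spn is registered on $ServiceAccount and is unique"
```

`Select-String -SimpleMatch` is case-insensitive, so it matches the SPN whether `setspn` echoes it in the upper-case form used on the page or the lower-case form used later with `ktpass`.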
2. Setup Joget Server for Kerberos
2.1 Add Windows Domain to Hosts File
Edit /etc/hosts (Linux or macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) and add the server IP, e.g.

```text
192.168.56.102 windows.local win-tkdh9lchuuo win-tkdh9lchuuo.windows.local
```

NOTE: This step is not required if the Joget Server is using the Windows Server as the DNS server.
...
2.2 Create Kerberos Identification (Keytab) File
Using Windows
In PowerShell on the Windows Server, generate a keytab file using the Ktpass tool:

```powershell
ktpass -out joget.keytab -mapuser joget@WINDOWS.LOCAL -pass Pass@word1 -crypto all -ptype KRB5_NT_PRINCIPAL -princ HTTP/joget.windows.local@WINDOWS.LOCAL
```
Copy the generated joget.keytab file into the Joget server e.g. at C:\Joget-v5-Enterprise\wflow\joget.keytab
Java 8 may be required for the Kerberos authentication to work with the ktpass generated keytab. Download and install JDK 8, and edit the tomcat-run.bat startup script to update the JAVA_HOME path accordingly.
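The `-crypto all` switch on the page writes DES and RC4-HMAC keys into the keytab alongside AES. The following added example (not from the Joget page or the JogetOSS project) generates the keytab restricted to AES256, confirms the AD account is allowed to use AES, and lists the resulting entries with the JDK's `ktab` tool before the file is copied to the Joget server. It assumes the page's test realm and account, that the `ActiveDirectory` PowerShell module is available on the server, and that `JAVA_HOME` points at a JDK 8; the password is prompted for rather than hard-coded.

```powershell
# Added example (not from the Joget page): AES-only keytab generation with
# post-checks. Run in PowerShell on the Windows Server (domain controller).
$Realm     = 'WINDOWS.LOCAL'                       # page's WINDOWS DOMAIN, upper case
$Account   = 'joget'                               # page's DOMAIN USER
$Principal = "HTTP/joget.windows.local@$Realm"     # page's service principal
$Keytab    = Join-Path $PWD 'joget.keytab'

# ktpass needs the password in clear; read it securely and wipe it afterwards.
# The value becomes the mapped account's password, so use the account's real one.
$secure = Read-Host -AsSecureString "Password for $Account"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# AES256-SHA1 instead of "all": no DES/RC4 keys end up in the file.
& ktpass -out $Keytab -mapuser "$Account@$Realm" -pass $plain `
         -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ $Principal
$plain = $null
if ($LASTEXITCODE -ne 0) { throw 'ktpass failed' }

# A keytab starts with the two-byte format marker 0x05 0x02 (keytab version 2).
$magic = [IO.File]::ReadAllBytes($Keytab)[0..1]
if ($magic[0] -ne 5 -or $magic[1] -ne 2) { throw "$Keytab is not a version-2 keytab" }

# The account must advertise AES in msDS-SupportedEncryptionTypes
# (bit 0x08 = AES128, bit 0x10 = AES256), or the KDC issues RC4 service tickets
# that can never be decrypted with an AES-only keytab.
$acct = Get-ADUser $Account -Properties msDS-SupportedEncryptionTypes
$etypes = [int]($acct.'msDS-SupportedEncryptionTypes')
if (($etypes -band 0x18) -eq 0) {
    Write-Warning "$Account does not advertise AES. Fix with: Set-ADUser $Account -KerberosEncryptionType AES128,AES256"
}

# List the keytab entries (principal, KVNO, key type) with the JDK's ktab tool.
& (Join-Path $env:JAVA_HOME 'bin\ktab.exe') -l -k $Keytab
```

If `ktab` shows a KVNO that differs from the account's current key version (for example because the password was changed after the keytab was generated), regenerate the keytab; Java's GSS layer rejects a ticket whose KVNO has no matching key in the file.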
...
3.1 Upload Kerberos Directory Manager Plugin
Download the Kerberos Directory Manager plugin from the Joget Marketplace and upload it in Settings > Manage Plugins.
...
In Settings > General Settings, set the API Domain Whitelist to * to allow SSO requests to the Kerberos Directory Manager.
4. Setup Client PC for SSO
...
In IE, click on Internet Options > Security > Local intranet site > Advanced and add the Joget domain e.g. http://joget.windows.local
4.3 Test the SSO
If using the Kerberos Directory Manager plugin approach, access http://joget.windows.local/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service to SSO.
If using the Spring Security Kerberos Extension approach, access http://joget.windows.local/jw/web/sso to SSO.
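Opening the URL in IE only tells you whether you were logged in, not how. The added example below (not from the Joget page or the JogetOSS project) runs on the domain-joined Windows 10 client in Windows PowerShell 5.1 and checks three things: that the endpoint issues a `Negotiate` challenge, that a request with the logged-on user's credentials succeeds, and that a Kerberos service ticket for the HTTP SPN now exists in the client's ticket cache, which an NTLM fallback would not leave behind. It uses the Kerberos Directory Manager URL from the page; substitute `/jw/web/sso` for the Spring Security Kerberos approach.

```powershell
# Added example (not from the Joget page): verify from the client PC that the
# Joget SSO endpoint negotiates Kerberos rather than falling back to NTLM.
# Windows PowerShell 5.1 (Invoke-WebRequest throws WebException on 401).
$SsoUrl = 'http://joget.windows.local/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service'
$Spn    = 'HTTP/joget.windows.local'

# 1. Anonymous request: expect HTTP 401 with "WWW-Authenticate: Negotiate".
try {
    Invoke-WebRequest -Uri $SsoUrl -UseBasicParsing | Out-Null
    Write-Warning 'Endpoint answered without a challenge; the SSO filter may not be active.'
} catch [System.Net.WebException] {
    $resp      = $_.Exception.Response
    $challenge = $resp.Headers['WWW-Authenticate']
    Write-Host "Status: $([int]$resp.StatusCode)  WWW-Authenticate: $challenge"
    if ($challenge -notmatch 'Negotiate') { throw 'Server does not offer Negotiate; check the SSO configuration' }
}

# 2. Same request with the current Windows logon (SPNEGO via the Negotiate SSP).
$ok = Invoke-WebRequest -Uri $SsoUrl -UseBasicParsing -UseDefaultCredentials
Write-Host "Authenticated status: $($ok.StatusCode)"

# 3. Kerberos leaves a service ticket for the SPN in the cache; NTLM does not.
$tickets = & klist
if ($tickets | Select-String -SimpleMatch $Spn) {
    Write-Host "Service ticket for $Spn present: SSO used Kerberos"
} else {
    Write-Warning "No ticket for $Spn; the client probably fell back to NTLM (check the SPN, the intranet-zone entry and hosts/DNS resolution)"
}
```

Run `klist purge` first if you want a clean cache, so that step 3 reflects this test rather than an earlier visit.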
...
Please note that for the SSO to work properly:
the client PC and Joget server must reside on different machines
...
the Windows server and client PC must reside on the same Windows domain
...
...
Resources
Introduction to Kerberos and SPNEGO
...
Configuring Kerberos on Windows Server
https://technet.microsoft.com/en-us/library/hh831553(v=ws.11).aspx
https://msftplayground.com/2009/08/configure-kerberos-authentication/
https://technet.microsoft.com/en-us/library/cc731241(v=ws.11).aspx
...
Kerberos with Java and Spring
https://venkatsadasivam.com/2009/08/29/single-sign-on-in-java-platform/
http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/
https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part1.html#PART1
https://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm#SECMG481
https://stackoverflow.com/questions/25289231/using-gssmanager-to-validate-a-kerberos-ticket