...

Kerberos is a network authentication protocol designed by the Massachusetts Institute of Technology (MIT) for SSO in client-server environments, while SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) extends Kerberos SSO to web applications.  

This plugin source code is available in a new open source repository at https://github.com/jogetoss/. JogetOSS is a community-led team for open source software related to the Joget no-code/low-code application platform. Projects under JogetOSS are community-driven and community-supported, and you are welcome to contribute to the projects.

Test Environment

• Joget Server: Joget Workflow v5 Enterprise on Apache Tomcat 8 and Java 8

• Windows Server: Windows Server 2012 R2 Datacenter (running on VirtualBox within a NAT Network, downloaded from https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012-r2)

• Windows Client PC: IE11 on Windows 10 (running on VirtualBox within a NAT Network, downloaded from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) 

...

• Windows Server COMPUTER NAME is WIN-TKDH9LCHUUO 

• WINDOWS DOMAIN is windows.local

• DOMAIN USER is joget

• JOGET DOMAIN is joget.windows.local 

  
  

...

1. Edit /etc/hosts (Linux or macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) and add the server IP e.g. 

   Code Block
   192.168.56.102        windows.local win-tkdh9lchuuo win-tkdh9lchuuo.windows.local

   Info
   NOTE: This step is not required if the Joget Server is using the Windows Server as the DNS server.

 2.2 Create Kerberos Identification (Keytab) File

...

3.1 Upload Kerberos Directory Manager Plugin

1. Download the Kerberos the Kerberos Directory Manager plugin from the Joget Marketplace and upload it in Settings > Manage Plugins. 

   

...

1. In Settings > General Settings, set the API Domain Whitelist to * to allow SSO requests to the Kerberos Directory Manager. 

   

...

4. Setup Client PC for SSO

...

1. Ensure that the Windows Server is reachable on the network from the Client PC.

2. Set the DNS server to the IP address of the Windows Server. 

   Image Modified

3. Ping the windows domain name to test. 

   

4. Click on File Explorer, right click on the This PC and choose Properties. Click on Change Settings next to the computer name. Click on Change and set the Domain e.g. windows.local, keying in the domain administrator login when prompted. Restart after joining the domain is successful, and login as a domain user. 

   

...

1. In IE, click on Internet Options > Security > Local intranet site > Advanced and add the Joget domain e.g. http://joget.windows.local  

4.3 Test the SSO

1. If using Using the Kerberos Directory Manager plugin approach, access http://joget.windows.local/jw/web/json/plugin/org.joget.plugin.kerberos.KerberosDirectoryManager/service to SSO.

   If using the Spring Security Kerberos Extension approach, access http://joget.windows.local/jw/web/sso to SSO. 

   Info
   NOTE: Please note that for the SSO to work properly: the client PC and Joget server must reside on different machines, the Windows server and client PC must reside on the same Windows domain.

Resources

Introduction to Kerberos and SPNEGO

...

• https://venkatsadasivam.com/2009/08/29/single-sign-on-in-java-platform/

• http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/

• http://projects.spring.io/spring-security-kerberos/

• https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html

• http://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html

• http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part1.html#PART1

• https://docs.oracle.com/cd/E23943_01/web.1111/e13707/sso.htm#SECMG481

• https://stackoverflow.com/questions/25289231/using-gssmanager-to-validate-a-kerberos-ticket

...