Windows Integrated Authentication

Kerberos/SPNEGO for seamless Windows domain SSO

Overview

Windows Integrated Authentication (WIA) provides seamless Single Sign-On for users logged into Windows domain workstations. Users are automatically authenticated using their Windows credentials via the Kerberos/SPNEGO protocol.

Passwordless login
Kerberos tickets
Active Directory

Configuration

1. Create Service Principal

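# On the Active Directory domain controller
# Register the HTTP service principal name on the service account
setspn -A HTTP/josso.example.com josso-service
# Export the keytab; /pass * prompts for the service account password
ktpass /out josso.keytab /princ HTTP/josso.example.com@EXAMPLE.COM /mapuser josso-service /pass * /crypto all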

2. JOSSO Configuration

Authentication Scheme:
  Name: windows-integrated
  Type: SPNEGO/Kerberos

  Kerberos Configuration:
    Service Principal: HTTP/josso.example.com@EXAMPLE.COM
    Keytab File: /etc/josso/josso.keytab
    Realm: EXAMPLE.COM
    KDC: dc.example.com

  Fallback:
    Enable Form Login: true
    Fallback URL: /josso/signon/login.do
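
Before the Keytab File setting is pointed at josso.keytab, it helps to confirm what ktpass wrote into it. The Python script below is an added example, not part of JOSSO or of the original page: it parses the MIT keytab format and reports keys for unexpected principals and DES or RC4 keys, which /crypto all can include. The function names, the sample keytab and its all-zero keys are constructed for illustration.

```python
import struct

# Kerberos enctype numbers that can appear in a keytab written with /crypto all.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}  # single DES and RC4

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        rec, pos = data[pos:pos + size], pos + size
        ncomp, off, names = struct.unpack_from(">H", rec)[0], 2, []
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", rec, off)
            names.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        kvno, etype, klen = struct.unpack_from(">BHH", rec, off + 8)  # skip type, time
        off += 13 + klen
        if len(rec) - off >= 4:            # optional 32-bit kvno, used if nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def audit(data, spn):
    """List keys for other principals and weak-enctype keys for the given SPN."""
    found = parse_keytab(data)
    out = [f"unexpected principal {p}" for p, _, _ in found if p != spn]
    out += [f"weak key {ENCTYPES.get(e, e)} kvno {k}"
            for p, k, e in found if p == spn and e in WEAK]
    if not any(p == spn for p, _, _ in found):
        out.append(f"no key for {spn}")
    return out

def _entry(etype, klen, kvno=3):  # constructed sample record with an all-zero key
    s = lambda t: struct.pack(">H", len(t)) + t
    body = (struct.pack(">H", 2) + s(b"EXAMPLE.COM") + s(b"HTTP")
            + s(b"josso.example.com") + struct.pack(">IIBHH", 1, 0, kvno, etype, klen)
            + bytes(klen) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + _entry(23, 16) + _entry(18, 32)  # constructed: RC4 + AES256
```

To check the deployed file, read /etc/josso/josso.keytab in binary mode and pass its bytes to audit() together with the Service Principal value from the configuration above.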