Requests and uses Kerberos or NTLM tickets to authenticate, using Windows' Negotiate protocol. Only works for a Jenkins server running on Windows.
An SSO plugin for Jenkins 1.586 and above, running on Windows in a domain environment, using only the built-in Jetty web server.
If you see HTTP 413 errors when using this plugin, you might need to increase the request header size. This is done by editing %JENKINS_HOME%\jenkins.xml and adding "--requestHeaderSize=16384" to the Jenkins command-line arguments.
For this plugin to work, Jenkins needs to be running as a service that has permission to perform Kerberos authentication, and the system needs to have a domain configuration that allows Kerberos authentication. See https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md for some tips on this.
My testing configuration has Jenkins running as hostname\Network Service, with HTTP/hostname and HTTP/hostname.domain SPNs. (NOTE: Previously used hostname\Local System, but changed it to hostname\Network Service for security purposes. Doing so originally broke the jenkins restart, until I edited permissions on the jenkins service using the Service Security Editor tool to allow Network Service to start/stop/restart the jenkins service.)
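The prerequisites above (service account, HTTP SPNs, request header size) can be checked on the Jenkins host with a read-only script. This is an added example, not part of the plugin; the service name 'jenkins', a set JENKINS_HOME variable and the <service><arguments> layout of jenkins.xml are assumptions.

```powershell
# Added example (not part of the plugin): read-only prerequisite check.
# Assumptions: the service is named 'jenkins', JENKINS_HOME is set in this
# shell, setspn.exe is on PATH, and jenkins.xml uses <service><arguments>.
$serviceName = 'jenkins'
$minHeader   = 16384   # size suggested above for HTTP 413 errors

# 1. Service account. The page moved from Local System to Network Service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) { throw "Service '$serviceName' not found." }
"Service account: $($svc.StartName)"
if ($svc.StartName -eq 'LocalSystem') {
    Write-Warning 'Running as Local System; the page switched to Network Service.'
}

# 2. SPNs. Network Service and Local System use the computer account on the
#    network, so list the SPNs registered on that account.
$short      = $env:COMPUTERNAME
$fqdn       = [System.Net.Dns]::GetHostEntry($short).HostName
$registered = & setspn.exe -L $short | ForEach-Object { $_.Trim() }
foreach ($spn in "HTTP/$short", "HTTP/$fqdn") {
    $state = if ($registered -contains $spn) { 'listed' } else { 'not listed' }
    '{0,-45} {1}' -f $spn, $state
}

# 3. Request header limit in the service wrapper arguments.
if (-not $env:JENKINS_HOME) { throw 'JENKINS_HOME is not set.' }
[xml]$cfg = Get-Content -Raw -Path (Join-Path $env:JENKINS_HOME 'jenkins.xml')
$svcArgs  = [string]$cfg.service.arguments
if ($svcArgs -match '--requestHeaderSize=(\d+)') {
    $size = [int]$Matches[1]
    "requestHeaderSize: $size"
    if ($size -lt $minHeader) {
        Write-Warning "requestHeaderSize is below $minHeader; large Negotiate headers may get HTTP 413."
    }
} else {
    Write-Warning "--requestHeaderSize not set; add --requestHeaderSize=$minHeader if HTTP 413 appears."
}
```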
This uses the Waffle security classes to operate the single sign-on, and relies on the permission settings of the Active Directory plugin for user permissions.
As a side note, do not enable impersonation unless every user who has permissions to edit job configurations also has write privileges on the corresponding workspaces...
This started because I failed to get KerberosSSO working on a Jenkins instance running on a Windows server, and so, apparently, have the creators of KerberosSSO. So I set out to create an extension that did have working SSO for an ActiveDirectory domain. This started out heavily based on the KerberosSSO plugin (see https://wiki.jenkins-ci.org/display/JENKINS/Kerberos+SSO+Plugin and https://github.com/jenkinsci/kerberos-sso-plugin), and then suffered massive changes as I replaced the entire functionality of the extension, as well as how it was implemented (from using Plugin to instead using extension points).
Fix JENKINS-55697 Security-901 Set user seed on successful authentication
Update baseline Jenkins version to Jenkins 2.150.2
Update parent POM reference to 3.39
Update Waffle-JNA dependency to 1.9.0 (requires Java 8)
FireLoggedIn event does not require reflection anymore - as the pom dependency on the core changed to 1.586