[keycloak-dev] How to login via Kerberos and Windows AD

Matthew Casperson matthew.casperson at autogeneral.com.au
Mon Jul 13 22:30:57 EDT 2015


I have done the following steps in an attempt to configure Windows 2008 AD
to work with KeyCloak:

   1. Created a windows user called "Keycloak"
   2. Run "setspn -s HTTP/virtual.local:8080 Keycloak" to assign the SPN to
   the user
   3. Run "ktpass -out keycloak.keytab -princ
   HTTP/virtual.local:8080@VIRTUAL.LOCAL -mapUser Keycloak -mapOp set -pass
   password -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL" to get a keytab file.
   4. Set "Kerberos Realm" to "VIRTUAL.LOCAL", "Server principal" to
   "HTTP/virtual.local:8080@VIRTUAL.LOCAL" and set the location of the
   keytab file in the "Keycloak LDAP User Federation Provider" screen.
   5. Saved the following in C:\Windows\krb5.ini:
   [domain_realm]
       .virtual.local = VIRTUAL.LOCAL
       virtual.local = VIRTUAL.LOCAL

When I attempt to log in though, I get the following error:

02:21:58,009 INFO  [stdout] (default task-4) principal is HTTP/virtual.local:8080@VIRTUAL.LOCAL
02:21:58,009 INFO  [stdout] (default task-4) Will use keytab
02:21:58,010 INFO  [stdout] (default task-4) Commit Succeeded
02:21:58,010 INFO  [stdout] (default task-4)
02:21:58,011 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-4) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
        at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_79]
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:46)

I can't seem to find any reliable information on getting Keycloak
configured with AD, nor on the error "GSSHeader did not find the right tag"
(which seems to indicate everything from invalid config in the windows user
account options to browsers requesting NTLM logins).

Can anyone point me in the right direction with configuring windows and
Keycloak for Kerberos based logins?

-- 
*Matthew Casperson*
*Senior Front End Developer*
Technology, Space & Distribution
Auto & General Holdings Pty Ltd
P: 07) 3377 8751 (Direct: 3377 8751)
F: 07) 3377 8833

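The "GSSHeader did not find the right tag" message quoted above comes from the Java GSS layer: it expects the token sent by the browser to start with the DER APPLICATION 0 tag (0x60) that wraps a GSS-API InitialContextToken (RFC 2743, section 3.1), followed by the mechanism OID. The poster's own guess, a browser falling back to NTLM, is the usual reason that tag is missing: NTLM messages start with the ASCII signature "NTLMSSP\0" and are still sent under the "Negotiate" scheme, so they reach the SPNEGO authenticator unchanged. The following script is an added diagnostic example, not code from the mailing-list post or from Keycloak; it classifies the token carried in an Authorization header so an operator can tell from a request capture whether the client sent SPNEGO, raw Kerberos, or NTLM. The OIDs and the NTLMSSP signature are the standard values from RFC 4178, RFC 1964 and MS-NLMP; the sample headers at the bottom are constructed for the example.

```python
"""Classify the token in an 'Authorization: Negotiate <base64>' header.

Added diagnostic example (not from the keycloak-dev post or from Keycloak).
Java's GSS code fails with "GSSHeader did not find the right tag" when the
decoded token does not begin with the APPLICATION 0 tag 0x60 of a GSS-API
InitialContextToken; an NTLM message sent under "Negotiate" is the common case.
"""
import base64
import re

# DER-encoded OBJECT IDENTIFIER values (tag 0x06, length, contents).
GSS_MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "spnego",            # 1.3.6.1.5.5.2 (RFC 4178)
    bytes.fromhex("06092a864886f712010202"): "kerberos-v5",  # 1.2.840.113554.1.2.2 (RFC 1964)
    bytes.fromhex("06092a864882f712010202"): "ms-kerberos",  # 1.2.840.48018.1.2.2 (MS variant)
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # first 8 bytes of every NTLM message (MS-NLMP)


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: the byte is the length
        return first, pos + 1
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Return (kind, detail) for an HTTP Authorization header value.

    kind is one of: 'spnego', 'kerberos-v5', 'ms-kerberos', 'ntlm',
    'unknown-gss-mech', 'not-gss', 'invalid'.
    """
    m = re.match(r"^\s*Negotiate\s+(\S+)\s*$", header_value, re.IGNORECASE)
    if not m:
        return "invalid", "not a Negotiate authorization header"
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except ValueError:                    # binascii.Error is a ValueError subclass
        return "invalid", "token is not valid base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        # MS-NLMP: MessageType is a little-endian uint32 at offset 8 (1 = NEGOTIATE).
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return "ntlm", "NTLMSSP message type %d (client fell back to NTLM)" % msg_type
    if not token or token[0] != 0x60:
        return "not-gss", "first byte 0x%02x is not the APPLICATION 0 tag (0x60)" % (
            token[0] if token else 0)
    try:
        length, pos = _der_length(token, 1)
        if pos + length != len(token):
            return "invalid", "GSS header length %d does not match token size" % length
        if token[pos] != 0x06:
            return "invalid", "no OBJECT IDENTIFIER after the GSS header"
        oid_len, oid_start = _der_length(token, pos + 1)
    except (ValueError, IndexError):
        return "invalid", "truncated GSS header"
    oid = token[pos:oid_start + oid_len]
    kind = GSS_MECH_OIDS.get(oid, "unknown-gss-mech")
    return kind, "mechanism OID " + oid.hex()


def _gss_token(mech_oid, body):
    """Build a minimal InitialContextToken: 0x60, DER length, mech OID, body (constructed)."""
    payload = mech_oid + body
    if len(payload) < 0x80:
        length = bytes([len(payload)])
    else:
        length = b"\x81" + bytes([len(payload)])   # long form, one length byte (< 256)
    return b"\x60" + length + payload


def _header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample headers; the token bodies are placeholders, only the
# GSS framing and the NTLM signature matter for the classification.
SAMPLE_HEADERS = {
    "spnego": _header(_gss_token(bytes.fromhex("06062b0601050502"), b"\xa0\x02\x30\x00")),
    "kerberos": _header(_gss_token(bytes.fromhex("06092a864886f712010202"),
                                   b"\x01\x00" + b"\x00" * 200)),   # long-form length
    "ntlm": _header(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 20),
}

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print("%-9s -> %s: %s" % (name, *classify_negotiate_token(value)))
```

In the scenario from the post, an "ntlm" result from the browser's first authenticated request points at the client side (the host not being in the browser's trusted-for-Negotiate zone, or a client that cannot obtain a ticket for the SPN), while an "unknown-gss-mech" or "spnego" result shifts suspicion to the SPN, keytab and realm settings on the Keycloak side.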
