[keycloak-dev] How to login via Kerberos and Windows AD

Stian Thorgersen stian at redhat.com
Tue Jul 14 02:45:45 EDT 2015


Please use the user mailing list for support

----- Original Message -----
> From: "Matthew Casperson" <matthew.casperson at autogeneral.com.au>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 14 July, 2015 4:30:57 AM
> Subject: [keycloak-dev] How to login via Kerberos and Windows AD
> 
> I have done the following steps in an attempt to configure Windows 2008 AD to
> work with KeyCloak:
> 
>     1. Created a Windows user called "Keycloak"
>     2. Run "setspn -s HTTP/virtual.local:8080 Keycloak" to assign the SPN to
>     the user
>     3. Run "ktpass -out keycloak.keytab -princ HTTP/virtual.local:8080@VIRTUAL.LOCAL
>     -mapUser Keycloak -mapOp set -pass password -crypto RC4-HMAC-NT
>     -pType KRB5_NT_PRINCIPAL" to get a keytab file.
>     4. Set "Kerberos Realm" to "VIRTUAL.LOCAL", "Server principal" to
>     "HTTP/virtual.local:8080@VIRTUAL.LOCAL" and set the location of the
>     keytab file in the "Keycloak LDAP User Federation Provider" screen.
>     5. Saved the following in C:\Windows\krb5.ini:
>
>     [domain_realm]
>     .virtual.local = VIRTUAL.LOCAL
>     virtual.local = VIRTUAL.LOCAL
> 
> When I attempt to log in though, I get the following error:
> 
> 02:21:58,009 INFO [stdout] (default task-4) principal is HTTP/virtual.local:8080@VIRTUAL.LOCAL
> 02:21:58,009 INFO [stdout] (default task-4) Will use keytab
> 02:21:58,010 INFO [stdout] (default task-4) Commit Succeeded
> 02:21:58,010 INFO [stdout] (default task-4)
> 02:21:58,011 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-4) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
> at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_79]
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:46)
> 
> I can't seem to find any reliable information on getting Keycloak configured
> with AD, nor on the error "GSSHeader did not find the right tag" (which
> seems to indicate everything from invalid config in the windows user account
> options to browsers requesting NTLM logins).
> 
> Can anyone point me in the right direction with configuring windows and
> Keycloak for Kerberos based logins?
> 
> --
> Matthew Casperson
> Senior Front End Developer
> Technology, Space & Distribution
> Auto & General Holdings Pty Ltd
> P: 07) 3377 8751 (Direct: 3377 8751 )
> F: 07) 3377 8833
> 
> 
> 
> This email is sent by Auto & General Insurance Company Ltd, Auto & General
> Services Pty Ltd, Auto & General Holdings Pty Ltd or a related body
> corporate (Auto & General) and is for the intended addressee.
> The views expressed in this email and attachments (email) reflect the views
> of the stated author but may not reflect views of Auto & General. This email
> is confidential and subject to copyright.
> It may be privileged. If you are not the intended addressee, confidentiality
> and privilege have not been waived and any use, interference with, or
> disclosure of this email is unauthorised.
> If you are not the intended addressee please immediately notify the sender
> and then delete the email. Auto & General does not warrant that this email
> is error or virus free.
> 
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
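The error quoted above, "Defective token detected (GSSHeader did not find the right tag)", comes from Java's GSS layer when the token the browser sent does not begin with the ASN.1 [APPLICATION 0] tag 0x60 that every GSS-API InitialContextToken carries (RFC 2743 section 3.1). The most common reason is that the browser fell back to NTLM, whose messages begin with the ASCII signature "NTLMSSP\0" instead. The following checker, an added example for this thread and not Keycloak's own code, decodes the base64 payload of an Authorization: Negotiate header and reports whether it is NTLM, a SPNEGO NegTokenInit, or a raw Kerberos token. The three sample headers it ships with are constructed by hand, not captured from the poster's environment.

```python
"""Classify the token in a browser's "Authorization: Negotiate <base64>" header.

Added example for this mailing-list thread; not Keycloak code. The sample
tokens at the bottom are constructed, not captured from a real exchange.
"""
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OBJECT IDENTIFIERs, including the 0x06 tag and length byte.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_tlv(tag, body):
    """Wrap body in a DER TLV with the given tag byte (used to build samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def classify_negotiate_token(header_value):
    """Return "ntlm", "spnego", "kerberos" or "unknown" for the token carried
    in an Authorization header value such as "Negotiate YIIC...".
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64.strip())
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"            # this is what makes Java's GSSHeader check fail
    if token[:1] != b"\x60":     # not a GSS-API InitialContextToken at all
        return "unknown"
    try:
        _, pos = _der_length(token, 1)
    except (IndexError, ValueError):
        return "unknown"
    if token.startswith(SPNEGO_OID, pos):
        return "spnego"          # NegTokenInit: what a working browser sends
    if token.startswith(KRB5_OID, pos):
        return "kerberos"        # raw Kerberos AP-REQ without the SPNEGO wrapper
    return "unknown"


# --- constructed sample headers (not real captures) -------------------------

# NTLM Type 1 (NEGOTIATE_MESSAGE): signature, message type 1, flags, and the
# empty domain/workstation fields. Its base64 form starts with "TlRMTVNTUAAB".
NTLM_TYPE1 = (NTLM_SIGNATURE + (1).to_bytes(4, "little")
              + (0x00008207).to_bytes(4, "little") + b"\x00" * 16)
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()

# Minimal SPNEGO NegTokenInit offering only the Kerberos mechanism:
# [APPLICATION 0] { SPNEGO OID, [0] SEQUENCE { [0] SEQUENCE OF { KRB5 OID } } }
_mech_types = _der_tlv(0xA0, _der_tlv(0x30, KRB5_OID))
_neg_token_init = _der_tlv(0xA0, _der_tlv(0x30, _mech_types))
SPNEGO_TOKEN = _der_tlv(0x60, SPNEGO_OID + _neg_token_init)
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(SPNEGO_TOKEN).decode()

# Raw Kerberos InitialContextToken: KRB5 OID followed by the AP-REQ token id
# 0x0100 (the AP-REQ body is omitted; the classifier only needs the OID).
KRB5_TOKEN = _der_tlv(0x60, KRB5_OID + b"\x01\x00")
SAMPLE_KRB5_HEADER = "Negotiate " + base64.b64encode(KRB5_TOKEN).decode()


if __name__ == "__main__":
    for name, header in [("ntlm", SAMPLE_NTLM_HEADER),
                         ("spnego", SAMPLE_SPNEGO_HEADER),
                         ("kerberos", SAMPLE_KRB5_HEADER)]:
        print(f"{name:8s} -> {classify_negotiate_token(header)}  ({header[:30]}...)")
```

In practice, paste the Negotiate header from the browser's developer tools (or a Keycloak request log) into classify_negotiate_token; a base64 payload beginning with "TlRMTVNT" is NTLM and no keytab change on the server will help. A browser falls back to NTLM when it cannot obtain a service ticket for the SPN it derives from the URL. Two things to verify on the client side: Internet Explorer and Chrome build that SPN from the host name without the port unless configured otherwise (Chrome's --enable-auth-negotiate-port switch), so a user hitting http://virtual.local:8080 asks the KDC for HTTP/virtual.local, not HTTP/virtual.local:8080; and the site must be in a zone where integrated authentication is permitted (intranet/trusted sites in IE, the auth-server allow-list in Chrome and Firefox).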

