[keycloak-dev] KEYCLOAK-6225 Support Kerberos auth provider fallback

Jim Groffen jim.groffen at gmail.com
Tue May 8 05:04:25 EDT 2018

Hello folks,

I am using Keycloak with multiple Kerberos user federations, and am
affected by https://issues.jboss.org/browse/KEYCLOAK-6225 where only the
first user federation will attempt Kerberos auth.

I tried the solution suggested by Ricardo Zanini in KEYCLOAK-6225, and it
works great for me.

Ricardo's suggestion is to change SPNEGO authenticators in LDAP and
Kerberos user federations to return null instead of 'failed' or 'continue'.
A null return value causes the UserCredentialStoreManager to continue to
the next auth provider instead of failing the Kerberos auth attempt for all
providers if the first provider fails.

I have tested these changes in my deploy and would like to provide a pull
request, but I need some review and maybe a suggestion on how to add a
test. The following commit has the changes I've made so far:


Note I've reduced log noise as authentication attempts are expected to fail
when the Kerberos provider and user realm don't match.

Ricardo had further problems with a false-positive replay attack; my
situation is not affected by this problem, so I'd like to push ahead with
this intermediary fix if possible. I'm unaffected because I have separate
realms with no trust, and separate keytab files per federation that contain
only the relevant keytab entry.

Thanks in advance!
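The fallback behaviour described in this message, as an added stand-alone model that is not Keycloak's own code and not part of the original post. The class, enum and method names (`Output`, `Status`, `SpnegoAuthenticator`, `authenticateAcrossProviders`) are assumptions chosen for illustration; the loop only mirrors the rule stated above, that a null result lets the credential store manager move on to the next provider while a non-null `FAILED` result ends the attempt for all providers. The "tokens" are constructed strings of the form `user@REALM` standing in for real SPNEGO tokens.

```java
import java.util.Arrays;
import java.util.List;

// Hypothetical model of a chain of Kerberos/LDAP federation providers.
// None of these names are Keycloak's real classes; they are assumptions for this example.
public class KerberosFallbackDemo {

    enum Status { AUTHENTICATED, FAILED, CONTINUE }

    /** Result of one provider's attempt. A Java null (no Output at all) means "not mine, try the next one". */
    static final class Output {
        final Status status;
        final String user;

        Output(Status status, String user) {
            this.status = status;
            this.user = user;
        }

        static Output authenticated(String user) { return new Output(Status.AUTHENTICATED, user); }
        static Output failed() { return new Output(Status.FAILED, null); }
    }

    interface SpnegoAuthenticator {
        /** Returns an Output, or null to signal that another provider should be tried. */
        Output authenticate(String token);
    }

    /**
     * A simulated federation whose keytab only covers one realm. A token issued for a
     * different realm cannot be validated here; the flag selects the old behaviour
     * (report FAILED) or the patched behaviour (return null and fall through).
     */
    static SpnegoAuthenticator federation(String realm, boolean nullOnRealmMismatch) {
        return token -> {
            int at = token.indexOf('@');
            if (at < 0) {
                return Output.failed();  // malformed constructed token
            }
            String user = token.substring(0, at);
            String tokenRealm = token.substring(at + 1);
            if (!realm.equals(tokenRealm)) {
                // Expected whenever provider realm and token realm differ; not an error worth logging loudly.
                return nullOnRealmMismatch ? null : Output.failed();
            }
            return Output.authenticated(user);
        };
    }

    /** Mirrors the provider loop: the first non-null result ends the chain. */
    static Output authenticateAcrossProviders(List<SpnegoAuthenticator> providers, String token) {
        for (SpnegoAuthenticator provider : providers) {
            Output out = provider.authenticate(token);
            if (out != null) {
                return out;  // AUTHENTICATED or FAILED both stop here
            }
        }
        return null;  // no provider could handle this token
    }

    static String describe(Output out) {
        if (out == null) return "no provider handled the token";
        return out.status + (out.user != null ? " as " + out.user : "");
    }

    public static void main(String[] args) {
        String token = "alice@REALM-B";  // constructed token for the second federation's realm

        // Old behaviour: REALM-A returns FAILED, so REALM-B is never consulted.
        List<SpnegoAuthenticator> before = Arrays.asList(
                federation("REALM-A", false), federation("REALM-B", false));
        System.out.println("before: " + describe(authenticateAcrossProviders(before, token)));

        // Patched behaviour: REALM-A returns null, the loop continues, REALM-B authenticates.
        List<SpnegoAuthenticator> after = Arrays.asList(
                federation("REALM-A", true), federation("REALM-B", true));
        System.out.println("after:  " + describe(authenticateAcrossProviders(after, token)));

        // A token for neither realm still ends with no result rather than a spurious FAILED.
        System.out.println("unknown: " + describe(authenticateAcrossProviders(after, "bob@REALM-C")));
    }
}
```

Run with `javac KerberosFallbackDemo.java && java KerberosFallbackDemo`. The model deliberately leaves out the SPNEGO replay cache, so the false-positive replay problem mentioned above is not represented; the ordering of the provider list is what decides which federation answers first, exactly as in the unpatched behaviour, so a misordered list still costs one extra (now silent) GSS-API validation per non-matching provider.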
