[keycloak-dev] KEYCLOAK-6225 Support Kerberos auth provider fallback

Bill Burke bburke at redhat.com
Tue May 8 08:22:31 EDT 2018

The null return should be line 689 in LDAPStorageProvider.  Logger
should probably be debug instead of warn too.

                    UserModel user =
findOrCreateAuthenticatedUser(realm, username);

                    if (user == null) {
                        logger.warnf("Kerberos/SPNEGO authentication
succeeded with username [%s], but couldn't find or create user with
federation provider [%s]", username, model.getName());
                        return null;// OLD CODE IS ---->

The authenticate method should return null too I believe.  I have to
talk to Marek though about this.  Kerberos token validation would be
redone for each LDAP provider.  I don't know if this is an expensive
operation or not and wonder if it should be optimized

On Tue, May 8, 2018 at 8:07 AM, Bill Burke <bburke at redhat.com> wrote:
> Ugh, sorry...that's not it...Sorry, I haven't looked at this code in a
> long time and I'm not the original author either....
> If you are using Kerberos backed by LDAP, then you should not be using
> the KerberosFederationProvider.  You should be enabling kerberos auth
> on your LDAP provider. See this:
> https://www.keycloak.org/docs/latest/server_admin/index.html#_kerberos
> On Tue, May 8, 2018 at 7:59 AM, Bill Burke <bburke at redhat.com> wrote:
>> But maybe I'm not understanding the problem.  JIRA seems to state that
>> it is one Kerberos realm, and multiple LDAP servers.  That's your
>> situation too, right?
>> On Tue, May 8, 2018 at 7:48 AM, Bill Burke <bburke at redhat.com> wrote:
>>> At first glance, this doesn't look like the correct fix.  Looks like
>>> the Kerberos Provider is looking for the user in local storage only.
>>> See line 233 of KerberosFederationProvider.
>>> findOrCreateAuthenticatedUser()
>>>         UserModel user =
>>> session.userLocalStorage().getUserByUsername(username, realm);
>>> I think you need to change this to
>>> session.users().getUserByUsername().  This might have fallen through
>>> the cracks when we ported to the new user storage SPI.
>>> On Tue, May 8, 2018 at 5:04 AM, Jim Groffen <jim.groffen at gmail.com> wrote:
>>>> Hello folks,
>>>> I am using Keycloak with multiple Kerberos user federations, and am
>>>> affected by https://issues.jboss.org/browse/KEYCLOAK-6225 where only the
>>>> first user federation will attempt Kerberos auth.
>>>> I tried the solution suggested by Ricardo Zanini in KEYCLOAK-6225, this
>>>> works great for me.
>>>> Ricardo's suggestion is to change SPNEGO authenticators in LDAP and
>>>> Kerberos user federations to return null instead of 'failed' or 'continue'.
>>>> A null return value causes the UserCredentialStoreManager to continue to
>>>> the next auth provider instead of failing the Kerberos auth attempt for all
>>>> providers if the first provider fails.
>>>> I have tested these changes in my deploy and would like to provide a pull
>>>> request, but I need some review and maybe a suggestion on how to add a
>>>> test. The following commit has the changes I've made so far:
>>>> https://github.com/jgroffen/keycloak/commit/634854748ba40ba20432540ac27f79a3c37874e2
>>>> Note I've reduced log noise as authentication attempts are expected to fail
>>>> when the Kerberos provider and user realm don't match.
>>>> Ricardo had further problems with a false-positive replay attack - my
>>>> situation is not affected by this problem so I'd like to push ahead with
>>>> this intermediary fix if possible. I'm unaffected because I have separate
>>>> realms with no trust, and separate keytab files per federation that contain
>>>> only the relevant keytab entry.
>>>> Thanks in advance!
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>> --
>>> Bill Burke
>>> Red Hat
>> --
>> Bill Burke
>> Red Hat
> --
> Bill Burke
> Red Hat

Bill Burke
Red Hat

More information about the keycloak-dev mailing list