[keycloak-dev] Only first of multiple Kerberos federations can authenticate
jim.groffen at gmail.com
Wed May 9 05:13:09 EDT 2018
I have a need to define two (or more) Kerberos federations to support
Kerberos service tickets from either realm. I have a different keytab file
for each realm.
Let's say I create a federation for REALM A with priority 1, and a second
federation for REALM B with priority 2.
When I attempt authentication as a user from REALM A I have no problem, but
a user from REALM B fails.
Checking the logs I can see that Keycloak attempts to decrypt the REALM B
service ticket with the REALM A keytab and fails. Instead of moving on to
the lower priority REALM B federation, the Kerberos step of the auth flow
fails and moves on to the next step.
Should I raise a new JIRA issue for this problem?
I have successfully fixed this problem in my environment, but I am unsure
as to which approach is best, and want to make sure I'm fixing the issue
for everyone not just myself. Here are two options:
1: Only allow lower priority federations to attempt auth in certain
This solution detects why authentication failed and will only let other
federations attempt authentication if the ticket couldn't be decrypted -
indicating the ticket received was likely encrypted with a different key:
2: Let all Kerberos federations attempt auth in priority order until one
succeeds or all fail.
Is either of these solutions viable?
I found both Kerberos and LDAP federations with Kerberos enabled affected,
so I'm looking at fixing both.
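The behaviour described above and the two proposed fixes, modelled in Python as an added example (this is not Keycloak's code; the Federation class, the two exception types and the Ticket record are constructed stand-ins for the real keytab/GSS handling, and the sample federations and users are made up). It shows the current stop-on-first-failure behaviour beside option 1 (fall through only when the ticket could not be decrypted) and option 2 (fall through on any failure), and a third federation for REALM.B is included so the difference between the two options is visible:

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class TicketDecryptError(Exception):
    """Ticket could not be decrypted with this federation's keytab (wrong realm key)."""


class AuthFailed(Exception):
    """Ticket decrypted fine, but the principal was rejected (e.g. unknown user)."""


@dataclass(frozen=True)
class Ticket:
    # Constructed stand-in for a Kerberos service ticket: who it is for and
    # which realm's service key it was encrypted with.
    principal: str
    realm: str


@dataclass(frozen=True)
class Federation:
    # Hypothetical model of a Keycloak user federation with a Kerberos keytab.
    priority: int
    name: str
    realm: str                 # realm whose keytab this federation holds
    known_users: frozenset     # principals this federation can authenticate

    def authenticate(self, ticket: Ticket) -> str:
        # A keytab for the wrong realm cannot decrypt the ticket at all.
        if ticket.realm != self.realm:
            raise TicketDecryptError(f"{self.name}: cannot decrypt ticket for {ticket.realm}")
        # Decrypted, but the principal is not known to this federation.
        if ticket.principal not in self.known_users:
            raise AuthFailed(f"{self.name}: unknown principal {ticket.principal}")
        return f"{ticket.principal}@{self.realm}"


class FallThrough(Enum):
    NEVER = "never"                          # behaviour reported in the post
    ON_DECRYPT_FAILURE = "on_decrypt"        # option 1
    ON_ANY_FAILURE = "on_any"                # option 2


def authenticate(federations: List[Federation], ticket: Ticket,
                 mode: FallThrough) -> Optional[str]:
    """Try federations in priority order; return the authenticated user or None."""
    for fed in sorted(federations, key=lambda f: f.priority):
        try:
            return fed.authenticate(ticket)
        except TicketDecryptError:
            if mode is FallThrough.NEVER:
                return None        # the Kerberos step fails outright
            continue               # options 1 and 2: another keytab may fit
        except AuthFailed:
            if mode is FallThrough.ON_ANY_FAILURE:
                continue           # option 2 keeps going
            return None            # option 1 stops: the ticket was readable
    return None


# Constructed sample configuration: one federation per realm, plus an LDAP
# federation with Kerberos enabled for REALM.B that knows a different user.
FEDERATIONS = [
    Federation(1, "kerberos-a", "REALM.A", frozenset({"alice"})),
    Federation(2, "kerberos-b", "REALM.B", frozenset({"bob"})),
    Federation(3, "ldap-b", "REALM.B", frozenset({"carol"})),
]


def demo():
    for mode in FallThrough:
        for ticket in (Ticket("alice", "REALM.A"), Ticket("bob", "REALM.B"),
                       Ticket("carol", "REALM.B")):
            print(mode.value, ticket.principal, "->", authenticate(FEDERATIONS, ticket, mode))


if __name__ == "__main__":
    demo()
```

With `FallThrough.NEVER` only the REALM.A user succeeds, reproducing the reported behaviour; both proposed options let the REALM.B user through, and the two options differ only when a federation that could decrypt the ticket rejects the principal.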