[keycloak-dev] Only first of multiple Kerberos federations can authenticate

Jim Groffen jim.groffen at gmail.com
Wed May 9 05:13:09 EDT 2018

Hello again,

I have a need to define two (or more) Kerberos federations to support
Kerberos service tickets from either realm. I have a different keytab file
for each realm.

Let's say I create a federation for REALM A with priority 1, and a second
federation for REALM B with priority 2.

When I attempt authentication as a user from REALM A I have no problem, but
a user from REALM B fails.

Checking the logs, I can see that Keycloak attempts to decrypt the REALM B
service ticket with the REALM A keytab and fails. Instead of moving on to
the lower-priority REALM B federation, the Kerberos step of the auth flow
fails and moves on to the next step.

Should I raise a new JIRA issue for this problem?

I have successfully fixed this problem in my environment, but I am unsure
as to which approach is best, and want to make sure I'm fixing the issue
for everyone not just myself. Here are two options:

1: Only allow lower priority federations to attempt auth in certain
This solution detects why authentication failed and will only let other
federations attempt authentication if the ticket couldn't be decrypted -
indicating the ticket received was likely encrypted with a different key:


2: Let all Kerberos federations attempt auth in priority order until one
succeeds or all fail.


Are either of these solutions viable?

I found both Kerberos and LDAP federations with Kerberos enabled affected,
so I'm looking at fixing both.
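The three behaviours discussed in the message (the current "first federation only" behaviour, option 1 and option 2), modelled as an added stand-alone example. This is not Keycloak code: `KerberosFederation`, `ServiceTicket`, the two error classes and the three sample federations are constructed stand-ins for the real SPNEGO/keytab handling, chosen so that a ticket can only be decrypted by a federation holding a keytab for the issuing realm, and so that the difference between the two options becomes visible when two federations serve the same realm (as a Kerberos federation and an LDAP federation with Kerberos enabled would).

```python
"""
Model of "try each Kerberos federation in priority order" with three
fallback strategies.  Added illustration only; names and behaviour are
constructed and do not reflect Keycloak's internal API.
"""
from dataclasses import dataclass, field


class TicketDecryptError(Exception):
    """The service ticket could not be decrypted with this federation's keytab,
    i.e. it was encrypted with a key for a different realm."""


class UserLookupError(Exception):
    """The ticket decrypted, but the principal is unknown to this federation."""


@dataclass
class ServiceTicket:
    principal: str   # e.g. "alice"
    realm: str       # realm whose KDC issued the ticket, e.g. "REALM-A"


@dataclass(order=True)
class KerberosFederation:
    priority: int                                    # lower number = tried first
    realm: str = field(compare=False)                # realm the keytab belongs to
    users: frozenset = field(compare=False)          # principals this backend knows

    def authenticate(self, ticket: ServiceTicket) -> str:
        # A keytab only holds keys for its own realm's service principal,
        # so a ticket from another realm cannot be decrypted here.
        if ticket.realm != self.realm:
            raise TicketDecryptError(
                f"{self.realm} keytab cannot decrypt a {ticket.realm} ticket")
        if ticket.principal not in self.users:
            raise UserLookupError(
                f"{ticket.principal} not found in {self.realm} federation")
        return f"{ticket.principal}@{ticket.realm}"


def authenticate_first_only(federations, ticket):
    """Reported behaviour: only the highest-priority federation gets a try."""
    try:
        return sorted(federations)[0].authenticate(ticket)
    except (TicketDecryptError, UserLookupError):
        return None


def authenticate_decrypt_fallback(federations, ticket):
    """Option 1: pass the ticket on to the next federation only when this one
    could not decrypt it; any other failure ends the Kerberos step."""
    for fed in sorted(federations):
        try:
            return fed.authenticate(ticket)
        except TicketDecryptError:
            continue            # wrong keytab, let a lower-priority federation try
        except UserLookupError:
            return None         # ticket was ours but the user is unknown: stop
    return None


def authenticate_try_all(federations, ticket):
    """Option 2: try every federation in priority order until one succeeds."""
    for fed in sorted(federations):
        try:
            return fed.authenticate(ticket)
        except (TicketDecryptError, UserLookupError):
            continue
    return None


# Constructed sample set-up: one keytab per realm, plus a second REALM-A
# federation (e.g. LDAP with Kerberos enabled) that knows different users.
FEDERATIONS = [
    KerberosFederation(priority=1, realm="REALM-A", users=frozenset({"alice"})),
    KerberosFederation(priority=2, realm="REALM-B", users=frozenset({"bob"})),
    KerberosFederation(priority=3, realm="REALM-A", users=frozenset({"carol"})),
]


if __name__ == "__main__":
    for who, realm in [("alice", "REALM-A"), ("bob", "REALM-B"), ("carol", "REALM-A")]:
        t = ServiceTicket(who, realm)
        print(who, realm,
              "first-only:", authenticate_first_only(FEDERATIONS, t),
              "option1:", authenticate_decrypt_fallback(FEDERATIONS, t),
              "option2:", authenticate_try_all(FEDERATIONS, t))
```

With the sample data, bob's REALM-B ticket fails under the first-only behaviour and succeeds under both options; carol's REALM-A ticket is the case where the options diverge, because the priority-1 federation decrypts it but does not know the user, so option 1 stops while option 2 goes on to the priority-3 federation. Option 1 depends on being able to tell a decryption failure apart from every other failure at the point where the exception is caught; where the underlying error does not expose that reliably, option 2 is the simpler rule to get right.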


