[keycloak-user] Keycloak single sign on with Kerberos(AD)

Marek Posolda mposolda at redhat.com
Wed Jun 29 04:00:52 EDT 2016


Hi Raymond,

returning keycloak-user list back for tracking purposes.

What I can see happening in the server.log is this:
- Keycloak asks the browser to send a SPNEGO token (by sending 401 with a 
"WWW-Authenticate: Negotiate" header). So far everything is as expected.
- The browser replies with a SPNEGO token, however it uses NTLM as the 
preferred choice (the first OID is 1.3.6.1.4.1.311.2.2.10) together with an 
NTLM token. The KRB5 OID (1.2.840.113554.1.2.2) is in the supported 
mechanisms too.
- Keycloak replies with a NegTokenTarg token, asking for a 
SPNEGO token backed by KRB5 instead of NTLM (as Keycloak doesn't 
understand NTLM atm. There is a related discussion on keycloak-user: 
http://lists.jboss.org/pipermail/keycloak-user/2016-June/006758.html )
- The browser doesn't respond to the NegTokenTarg with a SPNEGO+KRB5 token anymore.

Not sure what your possibilities are TBH. Either somehow set up the browser 
to reply to the second request with NegTokenTarg and send a SPNEGO+KRB5 token, 
or re-configure your Windows domain (or client machines + browser) to 
skip using NTLM. Right now, I don't have any clue how to do that TBH.

Marek
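Added example (not from the thread or from the Keycloak project): a small Python 3 decoder for the browser's first SPNEGO token that lists the mechTypes OIDs in the order the browser prefers them, which is the check made by hand on the server.log above. The `Negotiate` header value below is constructed for the example, and `diagnose` and its result strings are hypothetical names.

```python
import base64
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"  # Microsoft NTLMSSP mechanism OID
KRB5 = "1.2.840.113554.1.2.2"       # Kerberos V5 mechanism OID
SPNEGO = "1.3.6.1.5.5.2"            # SPNEGO pseudo-mechanism OID

def _tlv(buf, pos):  # one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: real Kerberos AP-REQ tokens exceed 127 bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):  # DER OID content octets -> dotted string
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:  # base-128 arcs; a set high bit means more octets follow
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def mech_types(negotiate_header):
    """mechTypes OIDs, in preference order, from an 'Authorization: Negotiate <b64>' value."""
    token = base64.b64decode(negotiate_header.split(None, 1)[1])
    tag, body, _ = _tlv(token, 0)            # 0x60: GSS-API InitialContextToken
    assert tag == 0x60, "not a GSS-API token (raw NTLM message?)"
    tag, oid, pos = _tlv(body, 0)            # thisMech must be the SPNEGO OID
    assert tag == 0x06 and _decode_oid(oid) == SPNEGO, "not SPNEGO"
    _, neg_init, _ = _tlv(body, pos)         # [0] NegTokenInit
    _, seq, _ = _tlv(neg_init, 0)            # SEQUENCE { [0] mechTypes, [2] mechToken, ... }
    tag, mech_list, _ = _tlv(seq, 0)
    assert tag == 0xA0, "mechTypes missing"
    _, oids, _ = _tlv(mech_list, 0)          # SEQUENCE OF MechType
    out, pos = [], 0
    while pos < len(oids):
        _, val, pos = _tlv(oids, pos)
        out.append(_decode_oid(val))
    return out

def diagnose(negotiate_header):
    mechs = mech_types(negotiate_header)
    if mechs[0] == KRB5:
        return "krb5-preferred"  # Keycloak can validate the Kerberos ticket: SSO works
    # NTLM first with KRB5 also offered: Keycloak answers with a NegTokenTarg asking for KRB5
    return "ntlm-preferred" if mechs[0] == NTLMSSP and KRB5 in mechs else "no-usable-mech"

# Constructed sample (not from the thread): NegTokenInit offering NTLMSSP first, then KRB5.
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "6027" "06062b0601050502" "a01d" "301b" "a019" "3017"
    "060a2b06010401823702020a" "06092a864886f712010202")).decode()
```

Feed it the `Authorization: Negotiate ...` value captured from the first client request (browser dev tools or a proxy log); a list starting with the NTLMSSP OID is the situation described above, and the fix has to happen on the client or domain side, not in Keycloak.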

On 28/06/16 21:58, Zhou, Limin (Ray) wrote:
>
> Hi Marek
>
> If you haven't looked at my previous server.log, then use this one 
> instead; in this log we were getting an exception
>
> GSSException: Defective token detected (Mechanism level: GSSHeader 
> did not find the right tag)
>
> when we hit the URL. Maybe this will make things easier.
>
> Please let me know if you need anything more
>
> Thanks a lot
>
> Raymond
>
> From: Zhou, Limin (Ray)
> Sent: Tuesday, June 28, 2016 10:00 AM
> To: 'Marek Posolda'
> Subject: RE: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> Hi Marek
>
> I have attached my keycloak server log for you. After adding the two 
> properties, we can see an exception show up when I hit my URL; 
> after the exception, I think the default keycloak login page shows up, 
> and the rest of the log was generated by my manual login.
>
> Hope this can give us some clue
>
> Thanks a lot
>
> Raymond
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, June 28, 2016 1:43 AM
> To: Zhou, Limin (Ray)
> Subject: Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
>
> Thanks Raymond,
>
> is it possible to also enable the system properties 
> -Dsun.security.krb5.debug=true and -Dsun.security.spnego.debug=true 
> and see if there are some more details in the log? You can add system 
> properties either directly to the standalone/configuration/standalone.xml 
> file or by adding them to the java opts in bin/standalone.conf
>
> Thanks,
> Marek
>
> On 27/06/16 23:18, Zhou, Limin (Ray) wrote:
>
>     Hello Marek
>
>     Thanks for answering my post. Following is the log piece after
>     hitting the first page, hope this helps.
>
>     Please let me know if you need anything more
>
>     Thank you so much
>
>     Raymond
>
>     2016-06-27 17:11:13,453 INFO  [stdout] (default task-24) Debug is
>     true storeKey true useTicketCache false useKeyTab true doNotPrompt
>     true ticketCache is null isInitiator false KeyTab is
>     C:\FIRMS-domain\kcsso.keytab refreshKrb5Config is false principal
>     is HTTP/t430-pbdc41e.monad.moneris.com@MONAD.MONERIS.COM
>     tryFirstPass is false useFirstPass is false storePass is false
>     clearPass is false
>
>     2016-06-27 17:11:13,453 INFO  [stdout] (default task-24) principal
>     is HTTP/t430-pbdc41e.monad.moneris.com@MONAD.MONERIS.COM
>
>     2016-06-27 17:11:13,453 INFO  [stdout] (default task-24) Will use
>     keytab
>
>     2016-06-27 17:11:13,453 INFO  [stdout] (default task-24) Commit
>     Succeeded
>
>     2016-06-27 17:11:13,453 INFO  [stdout] (default task-24)
>
>     2016-06-27 17:11:13,454 INFO  [stdout] (default task-24)
>                                   [Krb5LoginModule]: Entering logout
>
>     2016-06-27 17:11:13,454 INFO  [stdout] (default task-24)
>                                   [Krb5LoginModule]: logged out Subject
>
>     From: Marek Posolda [mailto:mposolda at redhat.com]
>     Sent: Monday, June 27, 2016 5:55 AM
>     To: Zhou, Limin (Ray); keycloak-user at lists.jboss.org
>     Subject: Re: [keycloak-user] Keycloak single sign on with
>     Keberos(AD)
>
>     It may help if you enable all the possible debug/trace logging and
>     post the log here. This may give more info on what the issue is. See
>     the docs on how to enable logging:
>     https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/authentication/kerberos.html
>
>     Try to send the log from the point when you trigger the
>     authentication request (or from the point when you hit your app URL).
>
>     Thanks,
>     Marek
>
>     On 24/06/16 20:22, Zhou, Limin (Ray) wrote:
>
>         Hello everyone
>
>         I am new to Keycloak and new here.
>
>         Our web application is running on JBoss EAP 7. We have
>         configured a Keycloak standalone server 1.9.7 running on a
>         different port (same server box) to manage the user
>         authentication and authorization; behind Keycloak we have
>         configured Kerberos in User Federation to talk to our company AD
>         server. We are able to login by using our AD account, but not
>         in a single sign on way: each time we hit our app
>         URL, the Keycloak login page shows up.
>
>         It looks like the TGT or ST handshake was not successful. Is
>         there any document I can reference to debug the issue?
>
>         Any comments or suggestion would be very welcome
>
>         thanks in advance
>
>         raymond
>
>         _______________________________________________
>
>         keycloak-user mailing list
>
>         keycloak-user at lists.jboss.org
>         <mailto:keycloak-user at lists.jboss.org>
>
>         https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
