[keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory

Consolodated Emails unimail at edgestep.com
Fri Apr 14 07:29:40 EDT 2017


Marko,

Thank you for those links. I have come across them and have been using them
as reference.

I'm pretty sure I have LDAP working. Those instructions are very complete.
I can sync users and then authenticate to my app using those credentials.
When I update a user in Active Directory I can sync those changes to
Keycloak.

Where I'm stuck is the Kerberos setup & configuration. I could use more
information on how to install, configure it and what commands to run, etc.
The articles you posted are very brief about Kerberos setup.

For example, in the Kerberos document there is a paragraph titled "Setup and
configuration of Keycloak server". It seems to be an important part of
the setup but this section is just a basic outline: install a client,
configure it, edit the krb5.conf to add your realm, export a keytab and
secure the keytab file. Not really details.
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html

In the "examples for Kerberos", step 4 is install the Kerberos client and
step 5 is configure it. There are one or two sentences with information but
not too much detail on what they mean. There is supposed to be a
test.krb5.conf file which should explain more, but the link is broken.
https://github.com/keycloak/keycloak/tree/3.0.0.Final/examples/kerberos


I spent most of the day researching but I haven't found much information on
how to set up Kerberos for Active Directory SSO. I don't have a lot of time
to experiment, so following a walkthrough on getting Kerberos set up so Linux
machines can join an Active Directory domain might give me the info I
need, or I might lose 3-6 hours.

One thing I'm not 100% sure of is whether I need to run a Kerberos client and server. In
my environment we want users to log in to their Windows workstations, open
the browser and auto-login to our application with no login prompts. We use
Active Directory as the User Federation source and an OpenID client as our
destination.


I've been putting a ton of hours into this project and I really
appreciate the help. :)

-Dustin


On Fri, Apr 14, 2017 at 5:30 AM, Marko Strukelj <mstrukel at redhat.com> wrote:

> One source of information you did not mention and might help you is
> Keycloak documentation:
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/user-federation/ldap.html
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html
>
>
> There is also an example for Kerberos: https://github.com/keycloak/keycloak/tree/3.0.0.Final/examples/kerberos
>
> And you may also want to check out our blog at http://blog.keycloak.org/
> for articles on MSAD integration.
>
>
> On Fri, Apr 14, 2017 at 1:19 AM, Consolodated Emails <unimail at edgestep.com> wrote:
>
>> Hi all,
>>
>> I have a big project due by end of the week and the last item I have to
>> deliver is Single Sign On for Active Directory users using IE, Firefox &
>> Chrome. I am able to log in to my application if I use the Keycloak login
>> form but I can't get it to auto-login. If I set Kerberos to Required under
>> Authentication, I get an error saying "Kerberos is not setup. You cannot
>> login."
>>
>> Currently I'm investigating these as possible causes:
>> My browser doesn't seem to be passing Kerberos to Keycloak. I'm using
>> Fiddler to check headers but I can't get a clear understanding of what I
>> should look for. The best I can tell, WWW-Authenticate: Negotiate is being sent
>> to me in the 401 response. I guess my browser isn't sending the Kerberos
>> credentials.
>>
>> I'm using an NGINX proxy in front of my application. I've found some
>> evidence of people updating configuration files in order to make this work
>> properly. But I'm not sure this applies to me, since my proxy doesn't sit
>> in front of the Keycloak server.
>> https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile//jboss/keycloak/standalone/configuration/standalone.xml
>>
>> I don't think Kerberos is set up properly under User Federation/Active
>> Directory (my LDAP's Config name).
>> I pieced together some information from Matt's article on using Keycloak
>> to authenticate with AD. He didn't go into any detail about Kerberos
>> configuration for Active Directory. One line, "Configure the Kerberos
>> integration like this:", and a screenshot is all I had to work with. After
>> doing some reading I'm left to think there is an important step that is
>> left out of all the articles, forum posts, user manual, etc. From what I
>> can tell I have to run a command in the container to create a keytab and it
>> has to have the proper permissions for Keycloak to access it. I also think
>> I have to set up /etc/krb5.conf but I'm not sure what I need to do
>> exactly.
>> I can't find an article directly discussing Keycloak.
>>
>> http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
>>
>> My Env:
>> Windows Server 2012 R2
>> AWS Ec2
>> Active Directory
>> Pseudo workstation (I'm logging on as a non-domain admin for testing).
>>
>> Keycloak
>> AWS Ec2
>> Docker - Jboss/Keycloak:latest
>> Ubuntu 16.04 Host:
>> Container is Redhat based (obviously it's jboss).
>>
>> Ruby on Rails 1.8.7 application
>> AWS Ec2
>> Nginx Proxy in front of it.
>> OpenID client connected to KeyCloak
>>
>>
>> Under User Federation:
>> I've created an Active Directory Provider, it's able to sync users from my
>> test Active Directory.
>>
>> Authentication:
>> Kerberos
>>
>> Any help would be really appreciated. I'm in a real tough spot on this
>> project.
>>
>> -Dustin
>>
>
>
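One way to read the Fiddler capture Dustin describes, as an added example that is not part of this thread or of Keycloak: it classifies the 401 / retry pair to tell whether the server offered Negotiate at all, whether the browser answered with a token, and whether that token is a Kerberos/SPNEGO token or an NTLM fallback (all header samples below are constructed).

```python
import base64

# Added diagnostic, not Keycloak's own code. Headers are given as lists of
# (name, value) pairs, the way a proxy capture can be transcribed.

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # OID 1.2.840.113554.1.2.2 (Kerberos v5)

def _header_values(headers, name):
    """Return every value of a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]

def classify_token(b64token):
    """Say what kind of blob follows 'Authorization: Negotiate '."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"             # NTLM fallback; Keycloak only accepts Kerberos/SPNEGO
    # GSS-API InitialContextToken: APPLICATION 0 tag (0x60), a length, then the mech OID.
    if raw[:1] == b"\x60" and (SPNEGO_OID in raw[:16] or KRB5_OID in raw[:16]):
        return "spnego"
    return "unknown"

def diagnose(status, response_headers, request_headers):
    """status/response_headers: Keycloak's reply; request_headers: the browser's retry."""
    offers = [v for v in _header_values(response_headers, "WWW-Authenticate")
              if v.strip().lower().split(" ")[0] == "negotiate"]
    if status != 401 or not offers:
        return "server-not-offering-negotiate"     # Kerberos step not active in the flow
    auth = [v for v in _header_values(request_headers, "Authorization")
            if v.lower().startswith("negotiate ")]
    if not auth:
        return "browser-sent-no-token"             # browser did not attempt SSO at all
    parts = auth[0].split(None, 1)
    kind = classify_token(parts[1] if len(parts) > 1 else "")
    if kind == "ntlm":
        return "browser-fell-back-to-ntlm"         # no service ticket for the HTTP/<host> SPN
    if kind == "spnego":
        return "spnego-token-sent-check-server-keytab"  # failure is on the Keycloak side
    return "unrecognised-token"

# Constructed samples: an NTLM Type 1 message and the start of a SPNEGO NegTokenInit.
NTLM_SAMPLE = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20).decode()
SPNEGO_SAMPLE = base64.b64encode(b"\x60\x82\x05\x5a" + SPNEGO_OID + b"\xa0\x82\x05\x4e").decode()
```

Feeding the 401 and the browser's follow-up request into `diagnose` separates "Keycloak never asked" from "the browser never answered" from "the browser answered with the wrong mechanism", which is the distinction the capture alone does not make obvious.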

