[keycloak-user] Kerberos auth type displays basic auth prompt under Windows

John Dennis jdennis at redhat.com
Wed Jul 19 10:45:32 EDT 2017


On 07/19/2017 04:20 AM, Marek Posolda wrote:
> On 18/07/17 22:07, Steven Mirabito wrote:
>> Hey,
>>
>> I have Keycloak configured to check passwords against an MIT Kerberos
>> server in my user federation source, and that works fine. I then set the
>> Kerberos authentication type to "alternative" - most of our users will be
>> coming in from personal devices where they'll just log in via the form, but
>> we do have a shared machine where this would be nice to have. However, I
>> started receiving complaints that when this option is enabled, any browser
>> under Windows will show a basic auth dialog which the user has to cancel
>> out of to reach the login page (other platforms show a blank "Kerberos
>> Unsupported" page and then redirect to the normal login page without a
>> dialog). To make matters worse, I can't seem to turn the option off now -
>> switching the Kerberos auth type to "disabled" will work for a little bit,
>> but after a short period of time it will turn itself back on and users will
>> start to see the basic auth dialog again.
>>
>> Are these known issues? Ideally, I'd like to be able to have the Kerberos
>> auth type enabled, but a solution to keep it disabled in the meantime would
>> be greatly appreciated as well.
> For the first question, I don't know how to disable the basic auth
> prompt TBH. I didn't test on Windows. Do all the browsers like IE,
> Firefox, Chrome behave like this or just IE?

This is a known issue with just IE. I first became aware of it with Red 
Hat's IPA product (I often work with that team). Let me ping those folks 
and see if there is a known resolution.


> Maybe there is some switch in the Windows domain or in the browser to disable
> those prompts. Checked some sites, but not sure what is relevant:
> https://www.lansweeper.com/kb/141/enabling-or-disabling-login-prompts.html
> . Another option is to change the authentication flow and replace
> SpnegoAuthenticator with a custom one, which will return header 400
> instead of 401. See this
> https://stackoverflow.com/questions/9859627/how-to-prevent-browser-to-invoke-basic-auth-popup-and-handle-401-error-using-jqu
> . However, not sure if automatic Kerberos/SPNEGO authentication will
> still work in case the user has a Kerberos ticket, I guess likely not :/
> 
> For the second question, Kerberos authenticator is switched to
> ALTERNATIVE when you create or edit Kerberos federation provider or LDAP
> provider with Kerberos switched ON. So if you disable Kerberos on your
> LDAP storage provider or remove Kerberos provider, it won't change from
> DISABLED to ALTERNATIVE anymore.
> 
> Marek
> 
>>
>> Thank you!
>> -Steven
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user


-- 
John

