[keycloak-user] GSS-API: Checksum failed
Marek Posolda
mposolda at redhat.com
Mon Oct 9 09:32:52 EDT 2017
This is some low-level Kerberos error. Typically it may be caused by an
incorrect keytab, as you pointed out: the keytab doesn't use the correct
principal. Or there are bad encryption type algorithms used in the
/etc/krb5.conf file, which are not consistent with the keytab or not
consistent between the server and the client. Here is a tip on how to check
if the keytab is correct:
https://stackoverflow.com/questions/8509087/checksum-failed-kerberos-spring-active-directory-2008
Also it may help if you try HTTP on the new server too (just to nail
down whether it is really caused by the protocol http/https and not by some
other misconfiguration). Also it's possible to enable some more logging
to see the Kerberos communication - see the "Troubleshooting" section of
our Kerberos docs.
Marek
On 09/10/17 15:10, Malte Finsterwalder wrote:
> Hi there,
>
> I am trying to connect my Keycloak Server to an Active Directory Server for
> SSO on Windows clients.
> I got it to work on one server which is accessible via HTTP.
>
> Now I built up a new server with RedHat SSO and made it accessible via
> HTTPS only with an SSL certificate from our own authority.
> When I try to connect this server to our Active Directory, I always get
> a "Checksum failed" Error Message (see stacktrace below).
> Which Checksum is failing? Is this a problem of the keytab file? Of the
> SSL communication? ...?
>
> Any ideas what's actually failing and what can cause this?
>
> Greetings,
> Malte
>
>
> java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
>     at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:617)
>     at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
>     at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
>     at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
>     at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
>     at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
>     17 lines skipped for [javax.servlet, sun., org.jboss, java.lang.reflect.Method]
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:209)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>     7 lines skipped for [sun.]
>     at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
>     at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
>     at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
>     ... 61 more
> Caused by: KrbException: Checksum failed
>     7 lines skipped for [sun.]
>     ... 70 more
> Caused by: java.security.GeneralSecurityException: Checksum failed
>     4 lines skipped for [sun.]
>     ... 76 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
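The keytab check Marek points to (confirm the keytab carries the expected SPN and an encryption type that krb5.conf allows) can be scripted. The script below is an added example, not code from the thread, from Keycloak or from RH-SSO. It parses the output of MIT `klist -kte` and the `[libdefaults]` enctype settings from krb5.conf; the SPN `HTTP/sso.example.com@EXAMPLE.COM`, the keytab path and both sample texts are constructed for illustration. The first sample deliberately models a keytab that only holds an RC4 (arcfour-hmac) key while krb5.conf only permits AES, which is one configuration where the KDC issues a service ticket the server's key cannot verify.

```shell
#!/usr/bin/env bash
# Added example (not from the keycloak-user thread): sanity-check a SPNEGO
# keytab against the expected SPN and the enctypes krb5.conf permits.
# Assumptions (constructed for illustration): SPN HTTP/sso.example.com@EXAMPLE.COM,
# keytab /etc/keycloak.keytab, and the two sample texts below.
set -u

# Constructed `klist -kte` output: keytab holds only an arcfour-hmac key.
SAMPLE_KLIST='Keytab name: FILE:/etc/keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/09/2017 10:12:05 HTTP/sso.example.com@EXAMPLE.COM (arcfour-hmac)
   3 10/09/2017 10:12:05 host/sso.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed `klist -kte` output after regenerating the keytab with an AES key.
SAMPLE_KLIST_FIXED='Keytab name: FILE:/etc/keycloak.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 10/09/2017 15:40:11 HTTP/sso.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 10/09/2017 15:40:11 HTTP/sso.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed krb5.conf [libdefaults] that only permits AES.
SAMPLE_KRB5_CONF='[libdefaults]
  default_realm = EXAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96'

# Principals present in klist -kte output (entry lines start with a numeric KVNO).
keytab_principals() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Enctypes stored for one principal (the parenthesised 5th column).
keytab_enctypes_for() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $4 == p {
      gsub(/[()]/, "", $5); print $5 }' | sort -u
}

# Enctypes krb5.conf permits: permitted_enctypes, else default_tgs_enctypes.
conf_enctypes() {
  local line
  line=$(printf '%s\n' "$1" | awk -F= '/^[ \t]*permitted_enctypes[ \t]*=/ { print $2 }')
  [ -n "$line" ] || line=$(printf '%s\n' "$1" | awk -F= '/^[ \t]*default_tgs_enctypes[ \t]*=/ { print $2 }')
  printf '%s\n' "$line" | tr -s ' \t' '\n' | sed '/^$/d' | sort -u
}

# 0 if the keytab contains the expected SPN exactly, 1 otherwise.
has_principal() {
  keytab_principals "$1" | grep -qxF "$2"
}

# 0 if keytab and krb5.conf share at least one enctype for the SPN, 1 if not
# (then the KDC issues a ticket the server has no matching key to verify).
enctypes_overlap() {
  local kt conf e
  kt=$(keytab_enctypes_for "$1" "$3")
  conf=$(conf_enctypes "$2")
  for e in $kt; do
    printf '%s\n' "$conf" | grep -qxF "$e" && return 0
  done
  return 1
}

# Run both checks and report; returns 0 only if both pass.
check_keytab() {  # args: klist_output krb5_conf_text expected_spn
  local ok=0
  if has_principal "$1" "$3"; then
    echo "ok:   keytab contains $3"
  else
    echo "FAIL: keytab does not contain $3; principals found:"
    keytab_principals "$1" | sed 's/^/        /'
    ok=1
  fi
  if enctypes_overlap "$1" "$2" "$3"; then
    echo "ok:   keytab and krb5.conf share an enctype for $3"
  else
    echo "FAIL: no common enctype. keytab has: $(keytab_enctypes_for "$1" "$3" | tr '\n' ' ')"
    echo "      krb5.conf permits: $(conf_enctypes "$2" | tr '\n' ' ')"
    ok=1
  fi
  return $ok
}

# Demo on the constructed samples (the first one reproduces the mismatch).
for sample in "$SAMPLE_KLIST" "$SAMPLE_KLIST_FIXED"; do
  if check_keytab "$sample" "$SAMPLE_KRB5_CONF" "HTTP/sso.example.com@EXAMPLE.COM"; then
    echo "keytab looks consistent with krb5.conf"
  else
    echo "keytab or krb5.conf needs fixing"
  fi
done
```

Against a real host, feed it live data: `check_keytab "$(klist -kte /etc/keycloak.keytab)" "$(cat /etc/krb5.conf)" "HTTP/$(hostname -f)@EXAMPLE.COM"`, then prove the key actually matches what the KDC holds with `kinit -kt /etc/keycloak.keytab HTTP/sso.example.com@EXAMPLE.COM`; a keytab that passes the static check but fails `kinit` usually has a stale KVNO (for example, the AD account password was reset after the keytab was exported). For the Kerberos-level trace Marek mentions, the JDK's own `-Dsun.security.krb5.debug=true` system property prints the enctypes and key versions used on the server side.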