[keycloak-user] GSS-API: Checksum failed

Marek Posolda mposolda at redhat.com
Mon Oct 9 09:32:52 EDT 2017


This is some low-level Kerberos error. Typically it may be caused by an 
incorrect keytab, as you pointed out: the keytab doesn't use the correct 
principal. Or there are bad encryption type algorithms used in the 
/etc/krb5.conf file, which are not consistent with the keytab or not 
consistent with the server and client. Here is a tip on how to check 
whether the keytab is correct: 
https://stackoverflow.com/questions/8509087/checksum-failed-kerberos-spring-active-directory-2008

Also it may help if you try HTTP on the new server too (just to nail 
down whether it is really caused by the protocol http/https and not by some 
other misconfiguration). Also it's possible to enable some more logging 
to see the Kerberos communication - see the "Troubleshooting" section of 
our Kerberos docs.

Marek

On 09/10/17 15:10, Malte Finsterwalder wrote:
> Hi there,
>
> I try to connect my Keycloak Server to an Active Directory Server for
> SSO on Windows clients.
> I got it to work on one server which is accessible via HTTP.
>
> Now I built up a new server with RedHat SSO and made it accessible via
> HTTPS only with an SSL certificate from our own authority.
> When I try to connect this server to our Active Directory, I always get
> a "Checksum failed" Error Message (see stacktrace below).
> Which Checksum is failing? Is this a problem of the keytab file? Of the
> SSL communication? ...?
>
> Any ideas what's actually failing and what can cause this?
>
> Greetings,
>     Malte
>
>
> java.security.PrivilegedActionException: GSSException: Failure
> unspecified at GSS-API level (Mechanism level: Checksum failed)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:422)
> 	at
> org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
> 	at
> org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:617)
> 	at
> org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
> 	at
> org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
> 	at
> org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
> 	at
> org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
> 	at
> org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
> 	at
> org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
> 	at
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
> 	at
> org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
> 			17 lines skipped for [javax.servlet, sun., org.jboss,
> java.lang.reflect.Method]
> 	at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> 	at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> 	at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> 	at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> 	at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> 	at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> 	at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> 	at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> 	at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> 	at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> 	at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> 	at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> 	at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> 	at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> 	at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> 	at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> 	at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> 	at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> 	at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
> 	at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
> 	at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> 	at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:209)
> 	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:802)
> 	at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> 	at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism
> level: Checksum failed)
> 			7 lines skipped for [sun.]
> 	at
> org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
> 	at
> org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
> 	at
> org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
> 	... 61 more
> Caused by: KrbException: Checksum failed
> 			7 lines skipped for [sun.]
> 	... 70 more
> Caused by: java.security.GeneralSecurityException: Checksum failed
> 			4 lines skipped for [sun.]
> 	... 76 more
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
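The checks Marek suggests (is the right principal in the keytab, and do its encryption types agree with what krb5.conf permits) can be done offline by reading the keytab file directly. The following is an added example, not code from Keycloak or from either poster: it parses the MIT keytab format (version 0x0502), lists each entry's principal, kvno and enctype, and compares that against `permitted_enctypes` in the `[libdefaults]` section of a krb5.conf. The sample keytab, the SPN `HTTP/sso.example.test@EXAMPLE.TEST`, the realm and the all-zero key bytes are constructed for the example.

```python
"""Parse a Kerberos keytab (MIT format 0x0502) and check it against krb5.conf.

Added example; the keytab, SPN and krb5.conf below are constructed sample data.
"""
import io
import re
import struct

# RFC 3961 / RFC 4120 / RFC 8009 encryption type numbers
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac",
}
NAME_TO_ENCTYPE = {v: k for k, v in ENCTYPE_NAMES.items()}
# common aliases accepted by krb5.conf
NAME_TO_ENCTYPE.update({"rc4-hmac": 23, "aes256-cts": 18, "aes128-cts": 17,
                        "aes256-sha1": 18, "aes128-sha1": 17})


def parse_keytab(data):
    """Return a list of entry dicts from raw keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot; skip the hole
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def _parse_entry(body):
    buf = io.BytesIO(body)
    u16 = lambda: struct.unpack(">H", buf.read(2))[0]
    u32 = lambda: struct.unpack(">I", buf.read(4))[0]
    octets = lambda: buf.read(u16())          # counted octet string
    ncomp = u16()
    realm = octets().decode("utf-8")
    comps = [octets().decode("utf-8") for _ in range(ncomp)]
    name_type = u32()
    timestamp = u32()
    vno8 = buf.read(1)[0]                     # 8-bit key version number
    enctype = u16()
    key = octets()
    tail = buf.read(4)                        # optional 32-bit kvno overrides vno8 when non-zero
    kvno = struct.unpack(">I", tail)[0] if len(tail) == 4 and tail != b"\0\0\0\0" else vno8
    return {"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
            "timestamp": timestamp, "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
            "key_len": len(key)}


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples; used only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        # name_type 1 = KRB_NT_PRINCIPAL, constructed timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 1507555972, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def permitted_enctypes(krb5_conf):
    """Enctype ids listed under [libdefaults] permitted_enctypes, or None if unset."""
    section = None
    for line in krb5_conf.splitlines():
        line = line.split("#")[0].strip()
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults":
            m = re.match(r"permitted_enctypes\s*=\s*(.+)", line)
            if m:
                return {NAME_TO_ENCTYPE.get(n, -1) for n in m.group(1).split()}
    return None


def check_keytab(keytab_bytes, krb5_conf, expected_spn):
    """Findings that would make the SPNEGO acceptor reject tickets for expected_spn."""
    findings = []
    entries = parse_keytab(keytab_bytes)
    matching = [e for e in entries if e["principal"] == expected_spn]
    if not matching:
        findings.append("no key for %s (keytab holds: %s)"
                        % (expected_spn, sorted({e["principal"] for e in entries})))
    allowed = permitted_enctypes(krb5_conf)
    for e in matching:
        if allowed is not None and e["enctype"] not in allowed:
            findings.append("%s key enctype %s (kvno %d) is not in permitted_enctypes"
                            % (e["principal"], e["enctype_name"], e["kvno"]))
    return findings


# Constructed sample: an RC4 key for the service principal, while krb5.conf only permits AES.
SAMPLE_KEYTAB = build_keytab([("HTTP/sso.example.test@EXAMPLE.TEST", 3, 23, bytes(16))])
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.TEST
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    for finding in check_keytab(SAMPLE_KEYTAB, SAMPLE_KRB5_CONF, "HTTP/sso.example.test@EXAMPLE.TEST"):
        print("FINDING:", finding)
```

Run against a real keytab with `parse_keytab(open("/path/to/keycloak.keytab", "rb").read())` and the server's krb5.conf. A mismatched principal or an enctype the acceptor is not allowed to use shows up here without any Kerberos traffic; whether the key bytes themselves match the account's current password and kvno in Active Directory can only be confirmed by actually obtaining a ticket with the keytab, which is what the linked Stack Overflow answer walks through.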