[keycloak-user] kerberos issue
Marek Posolda
mposolda at redhat.com
Fri Aug 10 02:57:23 EDT 2018
On 10/08/18 02:18, Fox, Kevin M wrote:
> I'm trying to set up ldap & kerberos for username/password auth.
>
> I have a slightly unusual setup so maybe I've hit a strange edge case bug.
> I have a read only ldap replica with users in it, that sources from Active Directory.
>
> I set up User Federation of type ldap. I set it up with Vendor: Active Directory so the schema was right. Authentication Type is set to none.
>
> I then turned on "Use Kerberos For Password Authentication" and have Allow Kerberos authentication set to false.
I've just checked that this currently won't work. If you want to use
Kerberos for password validation, it requires setting both "Use Kerberos
For Password Authentication" and "Allow Kerberos authentication" to true.
If you want to use Kerberos just for username/password validation and
not for SPNEGO login, you can manually disable the "Kerberos"
authenticator in the "Authentication" tab. Also, if you don't set
"Server Principal" and KeyTab, SPNEGO will be effectively disabled (even
though using Kerberos for username/password validation should still work).
Marek
> I ensured a proper krb5.conf and can kinit.
>
> I checked the logs and do see the proper kerberosRealm printed out of org.keycloak.storage.ldap.LDAPIdentityStoreRegistry
>
> User authentication is failing though. Through some stracing, I can see it trying to send the password to ldap. The ldap replica has no password info though, so this will always fail.
>
> Is this expected behavior in this config? It was surprising to me.
>
> Thanks,
> Kevin
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
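The following is an added example, not code from the mailing list thread or from the Keycloak project: a small pre-flight check that encodes the rule from the reply above (Kerberos password validation needs both "Use Kerberos For Password Authentication" and "Allow Kerberos authentication" enabled, and SPNEGO is effectively off while Server Principal and KeyTab stay empty). It operates on the config map of a Keycloak LDAP user-federation component as exported by `kcadm.sh get components` (key names such as `useKerberosForPasswordAuthentication` and `allowKerberosAuthentication` follow that representation; verify them against your Keycloak version). The realm name and both sample configs are constructed for illustration.

```python
# Added example (not from the mailing list or the Keycloak project).
# Sanity-check the Kerberos-related settings of a Keycloak LDAP user-federation
# component before applying it, so that password validation does not silently
# fall back to an LDAP bind against a replica that holds no password data.
# Key names are assumed to follow Keycloak's component representation, where
# every value is a one-element list of strings.


def _flag(config, key):
    """Read a boolean-ish component value ("true"/"false" stored as a list)."""
    vals = config.get(key, [])
    return bool(vals) and str(vals[0]).strip().lower() == "true"


def _text(config, key):
    """Read a string component value, or "" when unset."""
    vals = config.get(key, [])
    return str(vals[0]).strip() if vals else ""


def check_kerberos_config(config):
    """Return (errors, notes) for the Kerberos settings of one LDAP component.

    errors: combinations that break username/password validation.
    notes:  behaviour worth knowing about but not a misconfiguration.
    """
    errors, notes = [], []
    use_krb_pw = _flag(config, "useKerberosForPasswordAuthentication")
    allow_krb = _flag(config, "allowKerberosAuthentication")
    auth_type = _text(config, "authType") or "none"

    # Rule from the thread: Kerberos password validation only works when
    # allowKerberosAuthentication is also true; otherwise Keycloak binds to
    # LDAP with the user's password instead.
    if use_krb_pw and not allow_krb:
        errors.append(
            "useKerberosForPasswordAuthentication=true requires "
            "allowKerberosAuthentication=true; password would be sent to LDAP"
        )

    # With no LDAP bind credentials and no Kerberos validation, nothing can
    # validate a password against a read-only replica without password data.
    if auth_type == "none" and not use_krb_pw:
        errors.append(
            "authType=none and Kerberos password validation is off; "
            "no password validation path is available"
        )

    # SPNEGO needs a service principal and keytab; without them only
    # username/password validation via Kerberos remains, which may be intended.
    if allow_krb and not (_text(config, "serverPrincipal") and _text(config, "keyTab")):
        notes.append(
            "serverPrincipal/keyTab empty: SPNEGO login is effectively disabled, "
            "username/password validation via Kerberos still works"
        )
    return errors, notes


# Constructed sample: the setup described in the thread (AD schema, read-only
# replica, no LDAP bind, Kerberos for passwords but SPNEGO flag left off).
THREAD_CONFIG = {
    "vendor": ["ad"],
    "authType": ["none"],
    "kerberosRealm": ["EXAMPLE.ORG"],  # constructed realm name
    "useKerberosForPasswordAuthentication": ["true"],
    "allowKerberosAuthentication": ["false"],
}

# Same component with the combination from the reply: both flags on, no
# serverPrincipal/keyTab, so SPNEGO stays off and only password validation runs.
CORRECTED_CONFIG = dict(THREAD_CONFIG, allowKerberosAuthentication=["true"])


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("corrected", CORRECTED_CONFIG)):
        errors, notes = check_kerberos_config(cfg)
        print(f"{name}: errors={errors} notes={notes}")
```

Run it before pushing a component change with `kcadm.sh update components/<id> -r <realm> -f component.json`; an empty error list for the corrected config plus the SPNEGO note is the expected outcome for a username/password-only deployment, and the Kerberos authenticator can then be disabled in the realm's browser flow if SPNEGO prompts are unwanted.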