[keycloak-user] Authentication fails for OTP user with kerberos

Marek Posolda mposolda at redhat.com
Wed Jan 17 03:27:05 EST 2018


The integration with FreeIPA is supposed to use the SSSD userStorage 
provider. I have a few questions to clarify:

1. If you have the SSSD provider and your user doesn't have a Kerberos ticket, 
does Keycloak authentication work for both password-only and password+OTP 
users?

2. If you have the SSSD provider and your user has a Kerberos ticket, are you 
able to authenticate with Kerberos+SPNEGO?

Thanks,
Marek

On 17/01/18 06:16, Jochen Hein wrote:
> I'm running FreeIPA and have users with and without OTP.  OTP users
> authenticate with RADIUS (Privacyidea manages the tokens). My final goal
> is that users with a kerberos ticket can authenticate without password
> and users without ticket get asked for password+OTP (when configured).
>
> In FreeIPA a user is defined with password and radius authentication:
>
> $ ipa user-show jochen
>    User login: jochen
> ...
>    Kerberos principal: jochen at EXAMPLE.ORG
> ...
>    User authentication types: password, radius
>
> According to the FreeIPA docs LDAP bind works with password only, but
> kerberos needs password+OTP. That works fine with sssd and other
> applications.
>
> I'm now running keycloak 3.4.2 and played with it.  I've added a User
> Federation with LDAP to my FreeIPA server and enabled "Allow Kerberos
> Authentication".  After that I can log in with my Kerberos ticket
> without further authentication.  If I don't have a Kerberos ticket
> keycloak asks me for username and password - authentication works with
> LDAP bind as long as "Use Kerberos For Password Authentication" is
> disabled.
>
> For a regular (non-OTP) user I can authenticate with a Kerberos ticket.
> If the user does not have a Kerberos ticket, he is asked for username
> and password as expected, and authentication is successful.
>
> Another user with OTP-authentication in FreeIPA can also authenticate
> with his Kerberos ticket.
>
> If the OTP-user does not have a Kerberos ticket, keycloak asks for
> username and password (as expected).  If the user federation has "Use
> Kerberos for Password Authentication" not selected, the user in
> FreeIPA needs to have password+OTP (or password+RADIUS) allowed and
> can authenticate against FreeIPA-LDAP with password only - that's not
> what I want[1].
>
> When I enable "Use Kerberos For Password Authentication" non-OTP users
> can still authenticate, but OTP users can't. According to
> https://www.freeipa.org/page/V4/OTP#How_to_Test
> "Kerberos FAST is required for OTP operations." - and that's true.
>
> If I just use kinit I get "Generic preauthentication failure while
> getting initial credentials".  The kerberos log has:
>
> Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NEEDED_PREAUTH: jochen at EXAMPLE.ORG for krbtgt/JOCHEN.ORG at EXAMPLE.ORG, Additional pre-authentication required
> Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): preauth (encrypted_timestamp) verify failure: No matching key in entry
> Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) x.x.x.127: PREAUTH_FAILED: jochen at EXAMPLE.ORG for krbtgt/JOCHEN.ORG at EXAMPLE.ORG, Preauthentication failed
>
> debug log from keycloak:
>
> 2017-08-08 21:24:17,473 INFO  [stdout] (default task-1) Debug is  true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2017-08-08 21:24:17,473 INFO  [stdout] (default task-1)                 [Krb5LoginModule] user entered username: jochen at EXAMPLE.ORG
> 2017-08-08 21:24:17,473 INFO  [stdout] (default task-1)
> 2017-08-08 21:24:17,605 INFO  [stdout] (default task-1)                 [Krb5LoginModule] authentication failed
> 2017-08-08 21:24:17,605 INFO  [stdout] (default task-1) Pre-authentication information was invalid (24) - PREAUTH_FAILED
> 2017-08-08 21:24:17,606 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=jochen.org, clientId=account, userId=3ebc8518-a488-4dce-bd94-4a72c03a5ed9, ipAddress=192.168.yy.xx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://saml.jochen.org/auth/realms/jochen.org/account/login-redirect, code_id=eefbcc3e-f581-465c-bc28-7e37fc939ae6, username=jochen at example.org
>
> That looks like there is no FAST implemented, but that or Anonymous PKINIT
> seems to be needed for OTP authentication through Kerberos:
>
> https://www.freeipa.org/page/V4/OTP
> https://www.freeipa.org/page/V4/Kerberos_PKINIT
>
> On my systems the OTP-user can't kinit directly, but needs to "kinit -n"
> first:
>
> $ kinit otpuser
> kinit: Pre-authentication failed: invalid argument while getting initial credentials
> $ kinit -n
> $ klist
> Ticket cache: KEYRING:persistent:1004:1004
> Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS
>
> Valid starting       Expires              Service principal
> 04.11.2017 18:31:20  05.11.2017 18:31:20  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG
>
> $ kinit -T KEYRING:persistent:1004:1004 otpuser
> Enter OTP Token Value:
> $ klist
> Ticket cache: KEYRING:persistent:1004:krb_ccache_ZKhNrfE
> Default principal: otpuser at EXAMPLE.ORG
>
> Valid starting       Expires              Service principal
> 04.11.2017 18:31:48  05.11.2017 18:31:37  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG
>
> After some research I think that JDK doesn't implement FAST for now and
> the tickets/messages I found looked like it will be some time until that
> might be implemented (if ever).
>
> Would it be possible to implement that in keycloak?
> https://blog-ftweedal.rhcloud.com/2014/07/otp-authentication-in-freeipa/
> has some python code that is implementing that for FreeIPA.
> I've looked at
> https://github.com/keycloak/keycloak/blob/master/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java#L120
> but don't see how that might be implemented there...
>
> I've already tried to add two providers to my user federation, LDAP and sssd.
> sssd can authenticate my otpuser with password+OTP fine. But I couldn't
> get authentication with a Kerberos ticket to work when I have both providers
> active. Is that something that should work?
>
> Any ideas?
>
> Thanks,
> Jochen
> [1] password allows authentication to LDAP (no OTP). RADIUS or OTP
> authentications against Kerberos, which handles OTP and RADIUS
> and needs password+OTP.