[keycloak-user] Cannot create users when a Kerberos Federation is configured but the KDC is unreachable

Jim Groffen jim.groffen at gmail.com
Wed Mar 7 01:51:41 EST 2018


Hello folks,

I am using KeyCloak (3.4.3) with a Kerberos based User Federation - using a
keytab only with no communication available between the KDC and the
KeyCloak server. Note that no connection between the KDC and KeyCloak is
possible in my scenario so I need to rely on the keytab alone for
authentication.

This works well - new users from the network that can perform Kerberos auth
just need to add any missing information on first login. I have noticed the
following problem though:

I also need to add users manually to KeyCloak. I find that I have to
disable the Kerberos based User Federation to create a non-Kerberos based
user, or I get an error.

Digging into the logs I find that KeyCloak is attempting to query the KDC
directly, which fails with:


    DEBUG [org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator] (default task-10) Message from kerberos: Cannot locate KDC
    ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: org.keycloak.models.ModelException: Kerberos unreachable
            at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
            ...
    Caused by: javax.security.auth.login.LoginException: Cannot locate KDC
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
            ...
    Caused by: KrbException: Cannot locate KDC
            at sun.security.krb5.Config.getKDCList(Config.java:1084)
            ...
    Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate KDC for realm XXXXXXX


I have verified that I can successfully create a user in KeyCloak if the
KDC is accessible. In this case KeyCloak logs no error, simply reporting
that the user was not found in the KDC.

Given the above, I have a few questions I'm hoping you can help me with:

1: Am I trying to do something that is unsupported by KeyCloak?
2: If this is currently unsupported, would you like me to raise a feature
request?
3: If it should be supported, is it possible I misconfigured something, or
should I raise a bug report?

KeyCloak is behaving how I want for the most part. With some advice /
direction I could work on a pull request targeting this.

Thanks in advance,

Jim Groffen.
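As an added illustration (not part of the post above, and not Keycloak's own code), the following Python script shows how an operator could triage the log excerpt quoted in the message: it parses the Java exception chain, identifies the top-level `ModelException: Kerberos unreachable` raised from `checkKerberosServerAvailable`, and pulls the realm out of the root `KrbException`. The sample log is a constructed copy of the excerpt with the e-mail line wrapping undone; the realm name `XXXXXXX` is the placeholder the poster used.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the Keycloak log excerpt from the post, with e-mail
# line wrapping undone. The realm name is the poster's placeholder.
SAMPLE_LOG = """\
DEBUG [org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator] (default task-10) Message from kerberos: Cannot locate KDC
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-10) Uncaught server error: org.keycloak.models.ModelException: Kerberos unreachable
        at org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
        ...
Caused by: javax.security.auth.login.LoginException: Cannot locate KDC
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
        ...
Caused by: KrbException: Cannot locate KDC
        at sun.security.krb5.Config.getKDCList(Config.java:1084)
        ...
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate KDC for realm XXXXXXX
"""

# The top-level exception reported by Keycloak's error handler.
UNCAUGHT_RE = re.compile(r"Uncaught server error: (?P<cls>[\w.$]+): (?P<msg>.*)$")
# Each nested cause in a Java stack trace.
CAUSED_BY_RE = re.compile(r"^Caused by: (?P<cls>[\w.$]+): (?P<msg>.*)$")
# A stack frame: "at fully.qualified.Class.method(File.java:NN)".
FRAME_RE = re.compile(r"^\s+at (?P<frame>\S+)\(")
# Root-cause text that names the Kerberos realm.
REALM_RE = re.compile(r"Unable to locate KDC for realm (?P<realm>\S+)")


@dataclass
class ExceptionLink:
    """One exception in a Java cause chain, with the frames that follow it."""
    cls: str
    msg: str
    frames: List[str] = field(default_factory=list)


def parse_exception_chain(log: str) -> List[ExceptionLink]:
    """Return the exception chain, outermost first, parsed from log text."""
    chain: List[ExceptionLink] = []
    for line in log.splitlines():
        m = UNCAUGHT_RE.search(line) or CAUSED_BY_RE.match(line)
        if m:
            chain.append(ExceptionLink(m.group("cls"), m.group("msg")))
            continue
        f = FRAME_RE.match(line)
        if f and chain:
            chain[-1].frames.append(f.group("frame"))
    return chain


@dataclass
class Finding:
    kdc_unreachable: bool          # Keycloak's federation availability check failed
    blocked_at: Optional[str]      # frame that raised the ModelException, if found
    realm: Optional[str]           # realm named in the root KrbException, if any
    root_cause: Optional[str]      # "Class: message" of the innermost cause


def triage(log: str) -> Finding:
    """Classify a log excerpt: is this the 'Kerberos unreachable' failure?"""
    chain = parse_exception_chain(log)
    if not chain:
        return Finding(False, None, None, None)
    top, root = chain[0], chain[-1]
    kdc_unreachable = (top.cls.endswith("ModelException")
                       and "Kerberos unreachable" in top.msg)
    blocked_at = next((fr for fr in top.frames
                       if fr.endswith("checkKerberosServerAvailable")), None)
    realm_m = REALM_RE.search(root.msg)
    return Finding(kdc_unreachable, blocked_at,
                   realm_m.group("realm") if realm_m else None,
                   f"{root.cls}: {root.msg}")


if __name__ == "__main__":
    finding = triage(SAMPLE_LOG)
    if finding.kdc_unreachable:
        print(f"KDC for realm {finding.realm} unreachable; "
              f"user creation blocked at {finding.blocked_at}")
        print(f"root cause: {finding.root_cause}")
    else:
        print("no Kerberos-unreachable failure found")
```

The useful signal for an operator is the pairing of the outermost `ModelException` with the innermost `KrbException`: the former tells you the operation Keycloak refused (here, the federation availability check during user creation), the latter tells you why (no KDC could be located for the realm), which separates a network or `krb5.conf` problem from a genuine credential failure.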

