[keycloak-user] Kerberos Credential Delegation

Marek Posolda mposolda at redhat.com
Thu Jan 17 16:08:52 EST 2019


There are a few tricky things here. You need to ensure that the client 
(/etc/krb5.conf) is configured to request forwardable tickets (flag 
"forwardable"; see the krb5 docs for more details).

Then the browser also needs to be properly configured. For example, FF needs 
to have the property "network.negotiate-auth.delegation-uris" contain the 
proper URI.


Once you have both of those, I suggest enabling DEBUG logging for the class 
org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator and checking that, 
after authentication, you have the Kerberos ticket with "credDelegState" 
set to true. If not, something is missing in the Kerberos setup. If yes, 
you just need to configure the mapper on the KC side. For details about the mapper, 
see the docs and also the example from the keycloak-examples distribution, 
which uses Kerberos credential delegation: 
https://github.com/keycloak/keycloak/tree/master/examples/kerberos

Marek

On 17/01/2019 18:43, Chris Smith wrote:
> No one has suggestions?
>
> -----Original Message-----
> From: Chris Smith
> Sent: Monday, January 14, 2019 11:42 AM
> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
> Subject: Kerberos Credential Delegation
>
> I have a web app that is secured by KC and uses Active Directory to authenticate users.
> I have a requirement to get a Kerberos ticket (GSSCredential) to connect to an IBM i Server.
> SSO/EIM is successfully setup on the IBM i.
>
> My Web app is following the instructions at https://www.keycloak.org/docs/latest/server_admin/index.html#credential-delegation
>
> My servlet code:
>     KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>)request.getUserPrincipal();
>     AccessToken at = kcp.getKeycloakSecurityContext().getToken();
>     String username = at.getPreferredUsername();
>     System.out.println(at.getName());
>     wtr.append("Windows User: ").append(username).append('\n');
>
>     // Retrieve kerberos credential from accessToken and deserialize it
>     Map<String, Object> otherClaims = at.getOtherClaims();
>     String otherClaim = (String)otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
>     GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(otherClaim);
>
> The otherClaims map is always empty.
>
> KerberosSerializationUtils.deserializeCredential(otherClaim); throws this exception since otherClaim is null:
>
> org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_192, runtime version: 1.8.0_192-b12, vendor: Oracle Corporation, os: 6.2
> 	at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)
> 	at testing.LogIn.doGet(LogIn.java:71)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
> 	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
> 	at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67)
> 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:604)
> 	at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
> 	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
> 	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1152)
> 	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
> 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
> 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
> 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
> 	at java.lang.Thread.run(Thread.java:748)
>
> Kerberos delegation is enabled in the browser and mapping of gss credential to access token.
>
> What am I missing?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
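As an added example (not code from either message on this thread, nor from the Keycloak project), the servlet below consumes the delegated credential the way the posted servlet does, but checks for the claim before calling deserializeCredential, so the failure the questioner hit produces a log line naming the three configuration points from the reply (krb5.conf "forwardable", browser delegation-uris, the KC gss mapper) instead of a bare "Null credential given as input". It also verifies the credential's remaining lifetime, requests mutual authentication and disables re-delegation when opening a GSS context to the backend, and disposes the credential when the request is done. The class name, the BACKEND_SERVICE placeholder and the initialBackendToken helper are assumptions of this example; the Keycloak types (KeycloakPrincipal, AccessToken, KerberosConstants, KerberosSerializationUtils) are the ones used in the posted code and the GSS-API types are the standard JDK ones.

```java
import java.io.IOException;
import java.util.Map;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.KerberosSerializationUtils;
import org.keycloak.representations.AccessToken;

// Added example class; not part of Keycloak or of the posted application.
public class DelegatedCredentialServlet extends HttpServlet {

    // Kerberos V5 mechanism OID (RFC 1964).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    // PLACEHOLDER: host-based "service@host" name of the backend to reach with the
    // delegated credential. Replace with the real service principal of your target.
    private static final String BACKEND_SERVICE = "krbsvr400@ibmi.example.com";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/plain");

        @SuppressWarnings("unchecked")
        KeycloakPrincipal<KeycloakSecurityContext> kcp =
                (KeycloakPrincipal<KeycloakSecurityContext>) request.getUserPrincipal();
        if (kcp == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not authenticated via Keycloak");
            return;
        }
        AccessToken at = kcp.getKeycloakSecurityContext().getToken();

        // Look for the claim before deserializing: the exception thrown on null input
        // does not say which part of the delegation setup failed to populate it.
        Map<String, Object> otherClaims = at.getOtherClaims();
        Object raw = otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
        if (!(raw instanceof String)) {
            // Log claim names only; a serialized credential must never reach the logs.
            log("Token for " + at.getPreferredUsername() + " has no "
                    + KerberosConstants.GSS_DELEGATION_CREDENTIAL + " claim; other claims: " + otherClaims.keySet()
                    + ". Check krb5.conf 'forwardable', the browser delegation-uris and the KC gss mapper.");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "no delegated Kerberos credential in token");
            return;
        }

        GSSCredential cred = null;
        try {
            cred = KerberosSerializationUtils.deserializeCredential((String) raw);

            // The forwarded TGT is short-lived; refuse to act on an expired one.
            int remaining = cred.getRemainingLifetime();
            if (remaining <= 0) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "delegated credential has expired");
                return;
            }
            response.getWriter().println("Delegated credential for " + cred.getName()
                    + ", " + remaining + "s remaining");

            // First leg of the GSS handshake towards the backend, acting as the user.
            byte[] initialToken = initialBackendToken(cred, BACKEND_SERVICE);
            response.getWriter().println("Initial context token: " + initialToken.length + " bytes");
        } catch (KerberosSerializationUtils.KerberosSerializationException | GSSException e) {
            log("Could not use delegated Kerberos credential", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "delegated credential unusable");
        } finally {
            // Release the ticket material as soon as this request is done with it.
            if (cred != null) {
                try { cred.dispose(); } catch (GSSException ignored) { }
            }
        }
    }

    // Opens a context to `service` with the delegated credential and returns the
    // first token a client would send. Mutual auth makes the backend prove it holds
    // the service key; requestCredDeleg(false) stops the TGT being forwarded again.
    // A real client keeps the context open until the handshake completes.
    static byte[] initialBackendToken(GSSCredential cred, String service) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(peer, new Oid(KRB5_MECH_OID), cred, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);
            ctx.requestCredDeleg(false);
            return ctx.initSecContext(new byte[0], 0, 0);
        } finally {
            ctx.dispose();
        }
    }
}
```

When the 403 path fires, the SPNEGOAuthenticator DEBUG output mentioned in the reply tells you which side is at fault: a ticket logged with credDelegState false means the client or browser never forwarded the TGT, while credDelegState true with an empty claim means the gss credential mapper is missing from the client scope.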
