<html><body><div>Ok, so that won't solve my problem.</div><div><br></div><div>I guess there is no other way than a cookie or a parameter to bypass Kerberos.</div><div><br>On 23 July 2015 at 14:20, Stian Thorgersen <stian@redhat.com> wrote:<br><br></div><div><blockquote type="cite"><div class="msg-quote"><div class="_stretch"><span class="body-text-content"><span class="body-text-content"><br><br>----- Original Message -----<br></span></span><blockquote class="quoted-plain-text" type="cite">From: "Michael Gerber" <<a href="mailto:gerbermichi@me.com" data-mce-href="mailto:gerbermichi@me.com">gerbermichi@me.com</a>></blockquote><blockquote class="quoted-plain-text" type="cite">To: "Marek Posolda" <<a href="mailto:mposolda@redhat.com" data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>></blockquote><blockquote class="quoted-plain-text" type="cite">Cc: <a href="mailto:keycloak-user@lists.jboss.org" data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></blockquote><blockquote class="quoted-plain-text" type="cite">Sent: Thursday, 23 July, 2015 2:12:13 PM</blockquote><blockquote class="quoted-plain-text" type="cite">Subject: [keycloak-user] Re: LDAP with Kerberos, login with different user</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">TBH I have not checked out 1.4 yet. 
But I will have a look at it as soon as</blockquote><blockquote class="quoted-plain-text" type="cite">it's out.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">It would solve my problem, if 1.4 offers a way to create impersonated users</blockquote><blockquote class="quoted-plain-text" type="cite">and log in with username and password even if Kerberos is enabled.</blockquote><span class="body-text-content"><span class="body-text-content"><br>1.4 offers a way for an admin to impersonate another user without specifying the user's password - this doesn't provide a mechanism to log in with username/password<br><br></span></span><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 23 July 2015 at 13:33, Marek Posolda <<a href="mailto:mposolda@redhat.com" data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Ah, Ok. So it's about admin users. Also note that in the latest 1.4 version we</blockquote><blockquote class="quoted-plain-text" type="cite">will have a new "impersonation" feature, which allows an admin to temporarily</blockquote><blockquote class="quoted-plain-text" type="cite">log in on behalf of any other user. 
Isn't this even better for your use case?</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Marek</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 23.7.2015 08:41, Michael Gerber wrote:</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Hi, yes something like that would be great.</blockquote><blockquote class="quoted-plain-text" type="cite">Because our application admins are not tech guys, so it would be nice to offer</blockquote><blockquote class="quoted-plain-text" type="cite">an easy solution to them ;)</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 23 July 2015 at 08:35, Marek Posolda <<a href="mailto:mposolda@redhat.com" data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Maybe we can have a special request parameter, which will be sent from the</blockquote><blockquote class="quoted-plain-text" type="cite">application to the login screen. The parameter will contain a list of</blockquote><blockquote class="quoted-plain-text" type="cite">authentication mechanisms, which you want to skip for this login. Something</blockquote><blockquote class="quoted-plain-text" type="cite">like "skipAuthType=cookie,kerberos". 
The list of skipped alternative</blockquote><blockquote class="quoted-plain-text" type="cite">mechanisms will be saved in the ClientSession, so the authentication SPI can deal</blockquote><blockquote class="quoted-plain-text" type="cite">with it.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Not sure if it makes sense to add support into the adapter, but maybe something</blockquote><blockquote class="quoted-plain-text" type="cite">basic (like we have for the parameters "login_hint" or "kc_idp_hint" in</blockquote><blockquote class="quoted-plain-text" type="cite">keycloak.js) can be added as well?</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Marek</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 23.7.2015 08:26, Marek Posolda wrote:</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Do you want that for normal users or just for admin users? Just trying to</blockquote><blockquote class="quoted-plain-text" type="cite">understand the use case. Because AFAIK the point of Kerberos is that you</blockquote><blockquote class="quoted-plain-text" type="cite">log into the desktop and then you're automatically logged into integrated</blockquote><blockquote class="quoted-plain-text" type="cite">web applications without needing to deal with any login screens and</blockquote><blockquote class="quoted-plain-text" type="cite">username/password. 
When a user has just one Keycloak account corresponding to</blockquote><blockquote class="quoted-plain-text" type="cite">his Kerberos ticket, then why does he need to log in as a different user?</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">I can understand the use case for an admin, when you want to log in as a different</blockquote><blockquote class="quoted-plain-text" type="cite">user for testing purposes etc. For this, isn't it possible in Windows to do</blockquote><blockquote class="quoted-plain-text" type="cite">something like "kdestroy" to be able to log in without Kerberos?</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Marek</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 23.7.2015 07:44, Michael Gerber wrote:</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Isn't it possible to create a cookie or add a URL parameter after the</blockquote><blockquote class="quoted-plain-text" type="cite">logout, so the user is not logged in automatically?</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">It's crucial for us to be able to log in as a different user, otherwise we</blockquote><blockquote class="quoted-plain-text" type="cite">can not use Kerberos at all :(</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Michael</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 22 July 2015 at 23:06, Marek Posolda <<a href="mailto:mposolda@redhat.com" data-mce-href="mailto:mposolda@redhat.com">mposolda@redhat.com</a>> wrote:</blockquote>
<blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">I don't think it's doable. Kerberos is a kind of desktop login, and logout from</blockquote><blockquote class="quoted-plain-text" type="cite">the web application won't destroy the Kerberos ticket - similarly like it</blockquote><blockquote class="quoted-plain-text" type="cite">can't log out your laptop/desktop session. So when you visit the secured</blockquote><blockquote class="quoted-plain-text" type="cite">application next time, you are automatically logged into Keycloak through</blockquote><blockquote class="quoted-plain-text" type="cite">SPNEGO due to the Kerberos ticket.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Hence you need to remove the Kerberos ticket manually (For example "kdestroy"</blockquote><blockquote class="quoted-plain-text" type="cite">works on Linux, but I guess you're using Windows + ActiveDirectory? 
) and</blockquote><blockquote class="quoted-plain-text" type="cite">then you will be able to see the Keycloak login screen and log in as a different</blockquote><blockquote class="quoted-plain-text" type="cite">user.</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Marek</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">On 22.7.2015 15:38, Michael Gerber wrote:</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">Hi all,</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">I use LDAP with Kerberos and would like to log out and log in again with a</blockquote><blockquote class="quoted-plain-text" type="cite">different user (no Kerberos login, just the Keycloak username and password</blockquote><blockquote class="quoted-plain-text" type="cite">dialog).</blockquote><blockquote class="quoted-plain-text" type="cite">Is that possible?</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">cheers</blockquote><blockquote class="quoted-plain-text" type="cite">Michael</blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite"><br></blockquote><blockquote class="quoted-plain-text" type="cite">_______________________________________________</blockquote><blockquote class="quoted-plain-text" type="cite">keycloak-user mailing list <a href="mailto:keycloak-user@lists.jboss.org" data-mce-href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a></blockquote><blockquote class="quoted-plain-text" type="cite"><a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" data-mce-href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></blockquote></div></div></blockquote></div></body></html>