<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 21/06/16 10:21, Christopher Davies
wrote:<br>
</div>
<blockquote
cite="mid:CAN9XQgza2Pzaeev8BBruHjOyrq0034Z5AJe4FVH1R=8j+kDN=Q@mail.gmail.com"
type="cite">
<div dir="ltr">I am looking to use Keycloak backed by an AD
server.
<div>Can I check that a few things I understand are correct?</div>
<div><br>
</div>
<div>1) Using the User Federation SPI I import the following
from ActiveDirectory into the Keycloak database: first name,
surname, email, username and password.</div>
</div>
</blockquote>
By default you are importing first name, surname, email and
username. You can import more attributes by creating additional LDAP
mappers. But no password is imported from MSAD to the Keycloak DB.<br>
<blockquote
cite="mid:CAN9XQgza2Pzaeev8BBruHjOyrq0034Z5AJe4FVH1R=8j+kDN=Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>2) Password checks are made against the Keycloak database
and not the <span style="line-height:1.5">ActiveDirectory
system</span></div>
</div>
</blockquote>
No, password checks are made against ActiveDirectory. Just if you
have editMode UNSYNCED and you change the password of the user (or
he changes it himself in account management), then the new password
will be saved into the Keycloak DB and will be used in favor of the old
password from MSAD.<br>
<blockquote
cite="mid:CAN9XQgza2Pzaeev8BBruHjOyrq0034Z5AJe4FVH1R=8j+kDN=Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>3) Enabling Kerberos authentication will allow me to do
passwordless login using my web browser from my Windows box</div>
</div>
</blockquote>
Yes. See our Kerberos documentation for more details [1].<br>
<br>
[1]
<a class="moz-txt-link-freetext" href="https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html">https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html</a><br>
<br>
Marek<br>
<blockquote
cite="mid:CAN9XQgza2Pzaeev8BBruHjOyrq0034Z5AJe4FVH1R=8j+kDN=Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Hope I am not too far from the mark</div>
<div><br>
</div>
<div>Chris</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
keycloak-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-user">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
</blockquote>
<br>
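<div>An added example, not part of the original thread or Keycloak's own code: a check over a realm export that flags LDAP/AD federation providers whose editMode is UNSYNCED, the case in which a password changed through Keycloak is stored in the Keycloak DB and used instead of the AD password. The export layout (providers under <code>components</code>, config values as lists) and the sample data are assumptions constructed for illustration.</div>

```python
import json

# Constructed sample realm export (not from the thread). Assumed layout:
# LDAP providers sit under components["org.keycloak.storage.UserStorageProvider"]
# and each config value is a list of strings.
SAMPLE_EXPORT = json.dumps({
    "realm": "example",
    "components": {
        "org.keycloak.storage.UserStorageProvider": [
            {"name": "corp-ad", "providerId": "ldap",
             "config": {"vendor": ["ad"], "editMode": ["UNSYNCED"],
                        "allowKerberosAuthentication": ["true"]}},
            {"name": "lab-ad", "providerId": "ldap",
             "config": {"vendor": ["ad"], "editMode": ["READ_ONLY"],
                        "allowKerberosAuthentication": ["false"]}},
        ]
    },
})


def _first(config, key, default=""):
    """Return a config value whether it is stored as a list or a plain string."""
    values = config.get(key) or [default]
    return values if isinstance(values, str) else values[0]


def audit_ldap_providers(export_text):
    """Return one finding dict per LDAP federation provider in a realm export."""
    realm = json.loads(export_text)
    providers = realm.get("components", {}).get(
        "org.keycloak.storage.UserStorageProvider", [])
    findings = []
    for provider in providers:
        if provider.get("providerId") != "ldap":
            continue  # other user storage providers are out of scope here
        cfg = provider.get("config", {})
        edit_mode = _first(cfg, "editMode", "UNKNOWN")
        findings.append({
            "name": provider.get("name"),
            "edit_mode": edit_mode,
            # Per the reply above: with UNSYNCED, a password changed through
            # Keycloak is saved locally and used in favor of the AD password.
            "local_password_can_override_ad": edit_mode == "UNSYNCED",
            "kerberos_enabled":
                _first(cfg, "allowKerberosAuthentication", "false") == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_providers(SAMPLE_EXPORT):
        print(finding)
```

<div>Providers reported with <code>local_password_can_override_ad</code> set are the ones where a password reset in AD alone may not be the credential Keycloak checks for a user who has changed it through Keycloak.</div>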
</body>
</html>