<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am trying to set up SPNEGO authentication through Keycloak. I have installed Keycloak on a Windows server, configured a client as shown below, and set up the realm in JBoss. But I consistently receive the error message GSSException:
Defective token detected (Mechanism level: GSSHeader did not find the right tag). I am using IE 11, and the URL for the web app is https://gig-jboss-dev.ajga.com:8443/CBN<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><img width="563" height="974" id="Picture_x0020_1" src="cid:image001.png@01D20DA5.5995CC40"><o:p></o:p></p>
<p class="MsoNormal">JBoss web app configuration in standalone.xml ======================================================<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">&lt;subsystem xmlns="urn:jboss:domain:keycloak:1.1"&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;secure-deployment name="cbn-war-17.0.0.16-SNAPSHOT.war"&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;realm&gt;master&lt;/realm&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;resource&gt;CBN&lt;/resource&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;public-client&gt;true&lt;/public-client&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;realm-public-key&gt;(key from keycloak)&lt;/realm-public-key&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;auth-server-url&gt;http://gig-msnet-dev.ajga.com:8080/auth&lt;/auth-server-url&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;ssl-required&gt;EXTERNAL&lt;/ssl-required&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;/secure-deployment&gt;<o:p></o:p></p>
<p class="MsoNormal"> &lt;/subsystem&gt;<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Log file from keycloak server ========================================================<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is c:\temp\keycloak.keytab refreshKrb5Config is false
principal is HTTP/gig-msnet-dev.ajga.com@AJGA.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false<o:p></o:p></p>
<p class="MsoNormal">2016-09-13 10:47:31,792 INFO [stdout] (default task-19) principal is HTTP/gig-msnet-dev.ajga.com@AJGA.COM<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Will use keytab<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">2016-09-13 10:47:31,807 INFO [stdout] (default task-19) Commit Succeeded
<o:p></o:p></p>
<p class="MsoNormal">2016-09-13 10:47:31,807 INFO [stdout] (default task-19) <o:p>
</o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">2016-09-13 10:47:31,807 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-19) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader
did not find the right tag)<o:p></o:p></p>
<p class="MsoNormal"> at java.security.AccessController.doPrivileged(Native Method)<o:p></o:p></p>
<p class="MsoNormal"> at javax.security.auth.Subject.doAs(Subject.java:422)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:70)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.federation.kerberos.KerberosFederationProvider.validCredentials(KerberosFederationProvider.java:209)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:549)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:341)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:160)<o:p></o:p></p>
<p class="MsoNormal"> at sun.reflect.GeneratedMethodAccessor360.invoke(Unknown Source)<o:p></o:p></p>
<p class="MsoNormal"> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)<o:p></o:p></p>
<p class="MsoNormal"> at java.lang.reflect.Method.invoke(Method.java:483)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)<o:p></o:p></p>
<p class="MsoNormal"> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)<o:p></o:p></p>
<p class="MsoNormal"> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)<o:p></o:p></p>
<p class="MsoNormal"> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<o:p></o:p></p>
<p class="MsoNormal"> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)<o:p></o:p></p>
<p class="MsoNormal"> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)<o:p></o:p></p>
<p class="MsoNormal"> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)<o:p></o:p></p>
<p class="MsoNormal"> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)<o:p></o:p></p>
<p class="MsoNormal"> at java.lang.Thread.run(Thread.java:745)<o:p></o:p></p>
<p class="MsoNormal">Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)<o:p></o:p></p>
<p class="MsoNormal"> at sun.security.jgss.GSSHeader.&lt;init&gt;(GSSHeader.java:97)<o:p></o:p></p>
<p class="MsoNormal"> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)<o:p></o:p></p>
<p class="MsoNormal"> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:174)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:137)<o:p></o:p></p>
<p class="MsoNormal"> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:127)<o:p></o:p></p>
<p class="MsoNormal"> ... 60 more<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: Entering logout<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: logged out Subject<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
</div>
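<p class="MsoNormal">Added example, not part of the original message and not Keycloak code: the JDK GSSHeader parser named in the stack trace requires the token to begin with the GSS-API framing tag 0x60, so a first triage step is to inspect the leading bytes of the token the browser sent in the Authorization: Negotiate header. The function name classify_negotiate and both sample tokens are constructed for illustration.</p>

```python
import base64

# Mechanism OIDs that may follow the 0x60 GSS-API framing tag.
MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5"}

def _der_len(buf, i):
    """Return (length, next_index) for the DER length field at buf[i]."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _oid(body):
    """Decode DER OID content bytes into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate ...' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not a Negotiate header"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid base64"
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 12:
        return "NTLM message type %d" % int.from_bytes(tok[8:12], "little")
    if tok[:1] != b"\x60":  # 0x60 is the tag GSSHeader requires
        return "no GSS-API framing (first byte 0x%02x)" % tok[0] if tok else "empty token"
    try:
        _, i = _der_len(tok, 1)
        if tok[i] != 0x06:
            return "GSS-API framing without mechanism OID"
        n, j = _der_len(tok, i + 1)
        oid = _oid(tok[j:j + n])
        return "GSS-API token, mechanism " + MECHS.get(oid, oid)
    except IndexError:
        return "truncated GSS-API token"

# Constructed samples, not captured from the system in the post.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    bytes.fromhex("600a06062b0601050502a000")).decode()
```

<p class="MsoNormal">Feed it the Authorization header value from the failing request, for example from a browser network trace or a reverse-proxy log, to see which kind of token reached the server.</p>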
</body>
</html>