Hello,

 

I have a Keycloak cluster with two servers, in front of each Keaycloak is Apache running.

 

LB

/\

  Host A    Host B

 

Now, Host-A and Host-B are in different subnets, due to this design we are running jGroups via TCP.

Now everything is working fine, except for the Keycloak Admin console, once a user tries to log in, they get for a milisecond in to the Admin console, but then they get redirected to the login page immediately.

When I disable Host-A or Host-B on the Loadbalancer, (new sessions will land only on Hst-A or Host-B) the Login to Keycloak Admin Console will work normally.

During the immediate redirection there is only this one WARNING in the Server.log:

 

15:41:42,886 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-10) Failed executing GET /admin/serverinfo: org.jboss.resteasy.spi.UnauthorizedException: Bearer

         at org.keycloak.services.resources.admin.AdminRoot.authenticateRealmAdminRequest(AdminRoot.java:156)

         at org.keycloak.services.resources.admin.AdminRoot.getServerInfo(AdminRoot.java:209)

         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

         at java.lang.reflect.Method.invoke(Method.java:498)

         at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:81)

         at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:60)

         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:102)

         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)

         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)

         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)

         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)

         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)

         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)

         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)

         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:61)

         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)

         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)

         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)

         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)

         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)

         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)

         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)

         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)

         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)

         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

         at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)

         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:282)

         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:261)

         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:80)

         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:172)

         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)

         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:774)

         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

         at java.lang.Thread.run(Thread.java:745)

 

I attached my domain.xml

Have I missed something, or what did I wrong? 

 

With Kind regards Peter