I have done the following steps in an attempt to configure Windows 2008 AD to work with KeyCloak:
  1. Created a windows user called "Keycloak"
  2. Run "setspn -s HTTP/virtual.local:8080 Keycloak" to assign the SPN to the user
  3. Run "ktpass -out keycloak.keytab -princ HTTP/virtual.local:8080@VIRTUAL.LOCAL -mapUser Keycloak -mapOp set -pass password -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL" to get a keytab file.
  4. Set "Kerberos Realm" to "VIRTUAL.LOCAL", "Server principal" to "HTTP/virtual.local:8080@VIRTUAL.LOCAL" and set the location of the keytab file in the "Keycloak LDAP User Federation Provider" screen.
  5. Saved the following in C:\Windows\krb5.ini:
    [domain_realm] 
        .virtual.local = VIRTUAL.LOCAL
        virtual.local = VIRTUAL.LOCAL
When I attempt to log in though, I get the following error:

02:21:58,009 INFO  [stdout] (default task-4) principal is HTTP/virtual.local:8080@VIRTUAL.LOCAL
02:21:58,009 INFO  [stdout] (default task-4) Will use keytab
02:21:58,010 INFO  [stdout] (default task-4) Commit Succeeded
02:21:58,010 INFO  [stdout] (default task-4)
02:21:58,011 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-4) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
        at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_79]
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:46)

I can't seem to find any reliable information on getting Keycloak configured with AD, nor on the error "GSSHeader did not find the right tag" (which seems to indicate everything from invalid config in the windows user account options to browsers requesting NTLM logins).

Can anyone point me in the right direction with configuring windows and Keycloak for Kerberos based logins?

--
Matthew Casperson
Senior Front End Developer
Technology, Space & Distribution
Auto & General Holdings Pty Ltd
P: 07) 3377 8751 (Direct: 3377 8751)
F: 07) 3377 8833

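The "GSSHeader did not find the right tag" message comes from the Java GSS layer, which expects the very first byte of the token the browser sent in the `Authorization: Negotiate` header to be the DER tag 0x60 ([APPLICATION 0], the GSS-API InitialContextToken wrapper). A browser that falls back to NTLM sends a raw NTLMSSP message in the same header, which starts with the bytes "NTLMSSP\0" and fails that check. The quickest way to tell which case you are in is to capture the header the browser sends and inspect the token. The script below is an added diagnostic, not part of the original post and not Keycloak code: it decodes a Negotiate header, distinguishes NTLMSSP from a GSS token, and for SPNEGO tokens lists the mechanisms the browser offered (a Windows client offering only NTLMSSP means no Kerberos ticket was obtained for the SPN). The sample tokens are constructed for the example.

```python
import base64

# DER-encoded OID contents (the bytes after the 0x06 tag and length).
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos 5",
             MS_KRB5_OID: "MS Kerberos 5", NTLMSSP_OID: "NTLMSSP"}

# Constructed samples: an NTLM Type 1 (negotiate) message, a SPNEGO
# NegTokenInit offering MS-Kerberos, Kerberos and NTLMSSP, and a bare
# Kerberos GSS header. Real tokens would carry an AP-REQ after the OID.
SAMPLE_NTLM = bytes.fromhex(
    "4e544c4d53535000" "01000000" "078208a2"          # "NTLMSSP\0", type 1, flags
    "0000000000000000" "0000000000000000" "0501280a0000000f")
SAMPLE_SPNEGO = bytes.fromhex(
    "6032" "06062b0601050502"                          # [APPLICATION 0] + SPNEGO OID
    "a028" "3026" "a024" "3022"                        # NegTokenInit { mechTypes [0] SEQUENCE OF OID }
    "06092a864882f712010202"                           # MS Kerberos 5
    "06092a864886f712010202"                           # Kerberos 5
    "060a2b06010401823702020a")                        # NTLMSSP
SAMPLE_KRB5 = bytes.fromhex("600b06092a864886f712010202")


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of token")
    return tag, buf[pos:pos + length], pos + length


def _spnego_mechs(inner):
    """Return the mechTypes offered in a NegTokenInit ([0] wrapper after the SPNEGO OID)."""
    tag, neg_token, _ = _tlv(inner, 0)
    if tag != 0xA0:                        # 0xA1 would be a NegTokenResp: no mech list
        return []
    tag, seq, _ = _tlv(neg_token, 0)       # SEQUENCE { mechTypes [0] ... }
    if tag != 0x30:
        return []
    tag, wrapper, _ = _tlv(seq, 0)         # [0] MechTypeList
    if tag != 0xA0:
        return []
    tag, mech_list, _ = _tlv(wrapper, 0)   # SEQUENCE OF OID
    if tag != 0x30:
        return []
    mechs, pos = [], 0
    while pos < len(mech_list):
        tag, oid, pos = _tlv(mech_list, pos)
        if tag == 0x06:
            mechs.append(OID_NAMES.get(oid, oid.hex()))
    return mechs


def classify_negotiate_token(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return {"kind": "not-negotiate", "detail": "no Negotiate token present"}
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return {"kind": "undecodable", "detail": "token is not valid base64"}
    if not raw:
        return {"kind": "undecodable", "detail": "empty token"}
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type = int.from_bytes(raw[8:12], "little") if len(raw) >= 12 else None
        return {"kind": "ntlm", "msg_type": msg_type,
                "detail": "raw NTLMSSP message, not a GSS token; Java GSS reports a defective token"}
    if raw[0] != 0x60:
        return {"kind": "unknown",
                "detail": f"first byte 0x{raw[0]:02x} is not the GSS [APPLICATION 0] tag 0x60"}
    try:
        _, body, _ = _tlv(raw, 0)
        tag, oid, pos = _tlv(body, 0)
    except ValueError as exc:
        return {"kind": "malformed-gss", "detail": str(exc)}
    if tag != 0x06:
        return {"kind": "malformed-gss", "detail": "GSS header not followed by a mechanism OID"}
    result = {"kind": "gss", "mech": OID_NAMES.get(oid, oid.hex())}
    if oid == SPNEGO_OID:
        try:
            result["offered"] = _spnego_mechs(body[pos:])
        except ValueError as exc:
            result["offered"], result["detail"] = [], f"could not parse NegTokenInit: {exc}"
    return result


if __name__ == "__main__":
    for name, token in (("ntlm", SAMPLE_NTLM), ("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5)):
        print(name, classify_negotiate_token("Negotiate " + base64.b64encode(token).decode()))
```

To use it against a live browser, copy the `Authorization` request header from the browser's developer tools (or a proxy) on the request that fails and pass it to `classify_negotiate_token`. A result of `ntlm` means the client never obtained a Kerberos ticket for the SPN and fell back to NTLM, which points at the client side (site not in the intranet/trusted zone, SPN not matching the URL the browser uses, or no ticket for `HTTP/virtual.local`) rather than at the keytab. A `gss`/`SPNEGO` result whose offered list contains a Kerberos mechanism means the token itself is well formed and the problem is further along, in the keytab or principal mapping.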