I have done the following steps in an attempt to configure Windows 2008 AD to work with KeyCloak:
- Created a windows user called "Keycloak"
- Run "setspn -s HTTP/virtual.local:8080 Keycloak" to assign the SPN to the user
- Run "ktpass -out keycloak.keytab -princ HTTP/virtual.local:8080@VIRTUAL.LOCAL -mapUser Keycloak -mapOp set -pass password -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL" to get a keytab file.
- Set "Kerberos Realm" to "VIRTUAL.LOCAL", "Server principal" to "HTTP/virtual.local:8080@VIRTUAL.LOCAL" and set the location of the keytab file in the "Keycloak LDAP User Federation Provider" screen.
- Saved the following in C:\Windows\krb5.ini:
[domain_realm]
.virtual.local = VIRTUAL.LOCAL
virtual.local = VIRTUAL.LOCAL
When I attempt to log in though, I get the following error:
02:21:58,009 INFO [stdout] (default task-4) principal is HTTP/virtual.local:8080@VIRTUAL.LOCAL
02:21:58,009 INFO [stdout] (default task-4) Will use keytab
02:21:58,010 INFO [stdout] (default task-4) Commit Succeeded
02:21:58,010 INFO [stdout] (default task-4)
02:21:58,011 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-4) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_79]
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:46)
I can't seem to find any reliable information on getting Keycloak configured with AD, nor on the error "GSSHeader did not find the right tag" (which seems to indicate everything from invalid config in the windows user account options to browsers requesting NTLM logins).
Can anyone point me in the right direction with configuring windows and Keycloak for Kerberos based logins?
--
Matthew Casperson
Senior Front End Developer
Technology, Space & Distribution
Auto & General Holdings Pty Ltd
P: 07) 3377 8751 (Direct: 3377 8751)
F: 07) 3377 8833
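A quick check for the "GSSHeader did not find the right tag" case mentioned in the question, added here as an illustration and not part of the original post or of Keycloak. Java's GSSHeader expects an initial context token to start with the DER [APPLICATION 0] tag 0x60 followed by a mechanism OID (RFC 2743 section 3.1); an NTLM message starts with the ASCII signature "NTLMSSP\0" instead, so a browser that answers the Negotiate challenge with NTLM produces exactly that exception. The script below takes the value of the browser's `Authorization: Negotiate ...` header (copy it from the browser's developer tools or a proxy) and says whether it carries NTLM, SPNEGO, raw Kerberos 5, or something else. The sample headers are constructed inline from hand-built byte strings; they are not real tokens from the reporter's environment.

```python
import base64

# DER-encoded mechanism OIDs that follow the 0x60 tag in a GSS initial token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"                         # start of every NTLM message
GSS_APPLICATION_0_TAG = 0x60                            # what Java's GSSHeader requires


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_encode_length(n):
    """Encode n as a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def classify_negotiate_token(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header.

    Returns 'ntlm', 'spnego', 'kerberos' or 'unknown'. Only 'spnego' and
    'kerberos' start with the 0x60 tag that Java's GSSHeader accepts.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64.strip(), validate=True)
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if not token or token[0] != GSS_APPLICATION_0_TAG:
        return "unknown"
    _, pos = _der_length(token, 1)          # skip the outer length
    rest = token[pos:]
    if rest.startswith(SPNEGO_OID):
        return "spnego"
    if rest.startswith(KRB5_OID):
        return "kerberos"
    return "unknown"


def _gss_wrap(oid, inner):
    """Build a minimal GSS initial token: 0x60, length, OID, inner bytes."""
    body = oid + inner
    return bytes([GSS_APPLICATION_0_TAG]) + _der_encode_length(len(body)) + body


def _header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers (hypothetical, built here for the demonstration).
SAMPLE_HEADERS = {
    # NTLM Type 1 (NEGOTIATE) message: signature, type 1, a few flag bytes.
    "ntlm": _header(NTLM_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"),
    # SPNEGO NegTokenInit shell: OID followed by a stand-in for the inner body.
    "spnego": _header(_gss_wrap(SPNEGO_OID, b"\xa0\x03\x02\x01\x00")),
    # Raw Kerberos 5: OID, TOK_ID 0x0100 (AP-REQ), stand-in for the AP-REQ body.
    "kerberos": _header(_gss_wrap(KRB5_OID, b"\x01\x00\x6e\x00")),
    # Something that is neither: a plain text blob base64-encoded.
    "garbage": _header(b"not a gss token"),
}


def diagnose_samples():
    """Classify every constructed sample; returns {name: classification}."""
    return {name: classify_negotiate_token(h) for name, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, kind in diagnose_samples().items():
        verdict = "accepted by GSSHeader" if kind in ("spnego", "kerberos") else "rejected (not tag 0x60)"
        print(f"{name:9s} -> {kind:9s} {verdict}")
```

If the header classifies as `ntlm`, the browser never obtained a Kerberos ticket for the service and fell back to NTLM, so the thing to look at is the client side (whether the site is in the intranet/trusted zone, whether `klist` on the client shows a ticket for the HTTP SPN after the attempt, and whether the SPN the browser asks for matches the one registered with setspn). If it classifies as `spnego` or `kerberos` and Keycloak still reports a defective token, the problem is on the server side instead.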