From: "Matthew Casperson"
<matthew.casperson(a)autogeneral.com.au>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 14 July, 2015 4:30:57 AM
Subject: [keycloak-dev] How to login via Kerberos and Windows AD
I have done the following steps in an attempt to configure Windows 2008 AD to
work with KeyCloak:
1. Created a windows user called "Keycloak"
2. Run "setspn -s HTTP/virtual.local:8080 Keycloak" to assign the SPN to
   the user
3. Run "ktpass -out keycloak.keytab -princ
   HTTP/virtual.local:8080@VIRTUAL.LOCAL -mapUser Keycloak -mapOp set -pass
   password -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL" to get a keytab
   file.
4. Set "Kerberos Realm" to "VIRTUAL.LOCAL", "Server principal" to
   "HTTP/virtual.local:8080@VIRTUAL.LOCAL" and set the location of the
   keytab file in the "Keycloak LDAP User Federation Provider" screen.
5. Saved the following in C:\Windows\krb5.ini:

   [domain_realm]
   .virtual.local = VIRTUAL.LOCAL
   virtual.local = VIRTUAL.LOCAL
When I attempt to log in though, I get the following error:
02:21:58,009 INFO [stdout] (default task-4) principal is HTTP/virtual.local:8080@VIRTUAL.LOCAL
02:21:58,009 INFO [stdout] (default task-4) Will use keytab
02:21:58,010 INFO [stdout] (default task-4) Commit Succeeded
02:21:58,010 INFO [stdout] (default task-4)
02:21:58,011 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-4) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_79]
    at javax.security.auth.Subject.doAs(Subject.java:415) [rt.jar:1.7.0_79]
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:46)
I can't seem to find any reliable information on getting Keycloak configured
with AD, nor on the error "GSSHeader did not find the right tag" (which
seems to indicate everything from invalid config in the windows user account
options to browsers requesting NTLM logins).
Can anyone point me in the right direction with configuring windows and
Keycloak for Kerberos based logins?
--
Matthew Casperson
Senior Front End Developer
Technology, Space & Distribution
Auto & General Holdings Pty Ltd
P: 07) 3377 8751 (Direct: 3377 8751 )
F: 07) 3377 8833
This email is sent by Auto & General Insurance Company Ltd, Auto & General
Services Pty Ltd, Auto & General Holdings Pty Ltd or a related body
corporate (Auto & General) and is for the intended addressee.
The views expressed in this email and attachments (email) reflect the views
of the stated author but may not reflect views of Auto & General. This email
is confidential and subject to copyright.
It may be privileged. If you are not the intended addressee, confidentiality
and privilege have not been waived and any use, interference with, or
disclosure of this email is unauthorised.
If you are not the intended addressee please immediately notify the sender
and then delete the email. Auto & General does not warrant that this email
is error or virus free.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
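The "GSSHeader did not find the right tag" error above is raised by Java's GSS-API layer when the token on the Authorization: Negotiate header does not start with the DER APPLICATION tag 0x60 that a GSS InitialContextToken must carry. The script below is an added diagnostic, not code from the thread, from Keycloak or from the JDK: it decodes a Negotiate header captured from the browser request and reports whether the token is SPNEGO, raw Kerberos, or an NTLMSSP message (which a browser sends when it does not treat the host as eligible for Kerberos). The sample tokens and header values are constructed inline; the mechanism OIDs are the standard registered values.

```python
"""Classify the token carried in an HTTP "Authorization: Negotiate <b64>" header.

Constructed diagnostic example; it is not Keycloak or Java GSS code. Java's
GSS-API layer expects an InitialContextToken: DER APPLICATION tag 0x60, a
length, then the mechanism OID (tag 0x06). A token that starts with anything
else is rejected with "GSSHeader did not find the right tag". The usual
non-GSS token a browser puts on that header is an NTLMSSP message, which
starts with the literal bytes "NTLMSSP\\0".
"""
import base64

# DER-encoded mechanism OIDs (standard registered values, not from the thread)
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202") # 1.2.840.48018.1.2.2

MECH_OIDS = {
    SPNEGO_OID: "spnego",
    KRB5_OID: "kerberos",
    MS_KRB5_OID: "kerberos (Microsoft legacy OID)",
}


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element; short-form length is enough for these tokens."""
    if len(body) >= 0x80:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(body)]) + body


def der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; returns (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(token: bytes) -> str:
    """Name the mechanism of a decoded Negotiate token."""
    if not token:
        return "unknown (empty token)"
    if token.startswith(b"NTLMSSP\x00"):
        # NTLMSSP header: signature, then a little-endian message type (1/2/3)
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return f"ntlm (NTLMSSP message type {msg_type})"
    if token[0] != 0x60:
        return f"unknown (first byte 0x{token[0]:02x} is not the 0x60 InitialContextToken tag)"
    try:
        _, pos = der_length(token, 1)
        if pos >= len(token) or token[pos] != 0x06:
            return "unknown (no mechanism OID after the 0x60 tag)"
        oid_len, pos = der_length(token, pos + 1)
    except ValueError as exc:
        return f"unknown ({exc})"
    oid = token[pos:pos + oid_len]
    return MECH_OIDS.get(oid, f"unknown mechanism OID {oid.hex()}")


def classify_authorization_header(header_value: str) -> str:
    """Classify the value of an Authorization request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return f"not negotiate (scheme {scheme!r})"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown (invalid base64)"
    return classify_negotiate_token(token)


def build_spnego_init_token(mech_oids) -> bytes:
    """Build a minimal SPNEGO NegTokenInit advertising the given mechanisms (constructed)."""
    mech_types = der_tlv(0x30, b"".join(der_tlv(0x06, o) for o in mech_oids))
    neg_token_init = der_tlv(0x30, der_tlv(0xA0, mech_types))
    return der_tlv(0x60, der_tlv(0x06, SPNEGO_OID) + der_tlv(0xA0, neg_token_init))


# Constructed samples: an NTLM NEGOTIATE (type 1) message, a raw Kerberos
# InitialContextToken prefix, and a Negotiate header carrying the NTLM message.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + (0xE2088297).to_bytes(4, "little") + bytes(16)
SAMPLE_KRB5_TOKEN = der_tlv(0x60, der_tlv(0x06, KRB5_OID) + b"\x01\x00")
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode("ascii")

if __name__ == "__main__":
    for label, value in [
        ("spnego", build_spnego_init_token([KRB5_OID])),
        ("raw kerberos", SAMPLE_KRB5_TOKEN),
        ("ntlm", NTLM_TYPE1),
    ]:
        print(f"{label:13s} -> {classify_negotiate_token(value)}")
    print(f"{'header':13s} -> {classify_authorization_header(SAMPLE_NTLM_HEADER)}")
```

To use it on a live failure, copy the Authorization header value from the browser's developer tools (or a server-side request log) and pass it to classify_authorization_header. A result of "ntlm" means the browser never produced a Kerberos ticket for the host, so the keytab and Keycloak settings are not yet being exercised; "spnego" or "kerberos" with the same server error points instead at the server-side configuration.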