Fwd: Kerberos Authentication throws Exception
by Malte Finsterwalder
Hi there,
I tried to configure Keycloak to authenticate against Windows Active
Directory using Kerberos credentials.
But I keep getting an Exception.
Setup is as follows:
I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final.
In addition I installed freeipa-client and added a /etc/krb5.conf file as
well as my keytab file.
But when I configure Kerberos as required in the browser flow, I get the
following Exception and the browser shows me a basic auth login dialog,
that does not allow me to log in at all.
Any ideas? How can I gather more information?
13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true
useTicketCache false useKeyTab true doNotPrompt true ticketCache is null
isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab
refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.
HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is
false storePass is false clearPass is false
13:26:25,796 INFO [stdout] (default task-64) principal is
HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE
13:26:25,796 INFO [stdout] (default task-64) Will use keytab
13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded
13:26:25,796 INFO [stdout] (default task-64)
13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
(default task-47) SPNEGO login failed: java.security.PrivilegedActionException:
GSSException: Defective token detected (Mechanism level: GSSHeader did not
find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(
SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(
LDAPStorageProvider.java:542)
at org.keycloak.credential.UserCredentialStoreManager.authenticate(
UserCredentialStoreManager.java:323)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.
authenticate(SpnegoAuthenticator.java:90)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(
DefaultAuthenticationFlow.java:184)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(
AuthenticationProcessor.java:792)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(
AuthenticationProcessor.java:667)
at org.keycloak.protocol.AuthorizationEndpointBase.
handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.
buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(
AuthorizationEndpoint.java:125)
at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(
ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(
KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(
FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHand
ler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandl
er.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
er.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler
.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandle
r.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(
NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssocia
tionHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level:
GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(
GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(
GSSContextImpl.java:285)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.
establishContext(SPNEGOAuthenticator.java:172)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$
AcceptSecContext.run(SPNEGOAuthenticator.java:135)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$
AcceptSecContext.run(SPNEGOAuthenticator.java:125)
... 60 more
13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
Entering logout
13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
logged out Subject
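An added example, not code from the post above or from Keycloak: the message "GSSHeader did not find the right tag" is thrown by Java's sun.security.jgss.GSSHeader when the first byte of the token in the Authorization: Negotiate header is not 0x60, the ASN.1 [APPLICATION 0] tag of a GSS-API InitialContextToken (RFC 2743 section 3.1). The usual reason is that the browser had no Kerberos ticket for the HTTP/ service principal and fell back to sending a raw NTLMSSP message under the same Negotiate scheme. The classifier below reproduces that first check and tells the three cases apart from a captured header value; every sample token in it is constructed for the example.

```javascript
// Added example (not from the original post): classify the token a browser put
// in the HTTP Authorization header the way Java's GSS-API layer sees it.
// sun.security.jgss.GSSHeader insists that the first byte is 0x60, the ASN.1
// [APPLICATION 0] tag of an InitialContextToken (RFC 2743 section 3.1); any
// other first byte yields "Defective token detected (Mechanism level: GSSHeader
// did not find the right tag)". All sample tokens below are constructed.

const SPNEGO_OID = Buffer.from([0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02]);                   // 1.3.6.1.5.5.2
const KRB5_OID   = Buffer.from([0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02]); // 1.2.840.113554.1.2.2
const NTLM_SIGNATURE = Buffer.from('NTLMSSP\0', 'latin1');                                           // raw NTLMSSP message

// Parse a DER length field at `offset`; returns { len, next } or null if malformed.
function derLength(buf, offset) {
  if (offset >= buf.length) return null;
  const first = buf[offset];
  if (first < 0x80) return { len: first, next: offset + 1 };          // short form
  const count = first & 0x7f;                                           // long form: number of length bytes
  if (count === 0 || count > 4 || offset + 1 + count > buf.length) return null;
  let len = 0;
  for (let i = 0; i < count; i++) len = len * 256 + buf[offset + 1 + i];
  return { len, next: offset + 1 + count };
}

// Classify the decoded bytes of a Negotiate token.
function classifyToken(bytes) {
  if (bytes.length >= NTLM_SIGNATURE.length &&
      bytes.subarray(0, NTLM_SIGNATURE.length).equals(NTLM_SIGNATURE)) {
    return 'ntlm';              // browser fell back to NTLM: it had no Kerberos ticket for the HTTP/ SPN
  }
  if (bytes.length === 0 || bytes[0] !== 0x60) {
    return 'not-gss';           // exactly the byte GSSHeader rejects
  }
  const hdr = derLength(bytes, 1);
  if (!hdr || hdr.next + hdr.len > bytes.length) return 'malformed-gss';   // bad or truncated length
  const body = bytes.subarray(hdr.next, hdr.next + hdr.len);
  if (body.subarray(0, SPNEGO_OID.length).equals(SPNEGO_OID)) return 'spnego';  // what Keycloak expects
  if (body.subarray(0, KRB5_OID.length).equals(KRB5_OID)) return 'krb5';        // bare Kerberos, no SPNEGO wrapper
  return 'gss-unknown-mech';
}

// Classify a complete Authorization header value as logged at the proxy or server.
function classifyAuthorizationHeader(value) {
  const [scheme, ...rest] = value.trim().split(/\s+/);
  if (/^basic$/i.test(scheme)) return 'basic';               // the fallback dialog the post describes
  if (!/^negotiate$/i.test(scheme)) return 'other-scheme';
  if (rest.length === 0) return 'negotiate-empty';           // challenge round-trip, no token yet
  return classifyToken(Buffer.from(rest.join(''), 'base64'));
}

// Constructed samples: a minimal SPNEGO-framed token (only the framing matters
// for this check) and an NTLM type 1 message prefix.
function buildSampleSpnegoToken() {
  const innerPlaceholder = Buffer.from([0xa0, 0x03, 0x0a, 0x01, 0x00]);
  const body = Buffer.concat([SPNEGO_OID, innerPlaceholder]);
  return Buffer.concat([Buffer.from([0x60, body.length]), body]);
}
const SAMPLE_HEADERS = {
  spnego: 'Negotiate ' + buildSampleSpnegoToken().toString('base64'),
  ntlm:   'Negotiate ' + Buffer.concat([NTLM_SIGNATURE, Buffer.from([0x01, 0x00, 0x00, 0x00])]).toString('base64'),
  basic:  'Basic ' + Buffer.from('alice:constructed-password').toString('base64'),
};

for (const [name, header] of Object.entries(SAMPLE_HEADERS)) {
  console.log(`${name.padEnd(6)} -> ${classifyAuthorizationHeader(header)}`);
}
```

Run it against the header value a reverse proxy or a browser's network panel shows for the failing request: an 'ntlm' result means the client never obtained a ticket for the HTTP/ principal (SPN, DNS name or browser trust settings), while 'spnego' with the same exception would point at the server side. The classifier only inspects framing; it does not decrypt or validate anything.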
7 years, 2 months
Consent Required: how it works exactly
by Nikolaj Majorov
Hi all,
I see that for the sample app-jee-html5 application the property
"Consent Required" is configured in the client configuration. How is it
implemented? Does it mean that the application gets a cookie first after the
user logged in with username/password or another JS iframe, and only after
login with username & password can the client ask for a token?
7 years, 2 months
how to Check if User is logged in or not?
by Vjraj
We are implementing SSO among multiple Angular 2 applications running on
different domains using Keycloak (note: we are not using any Keycloak
adapters).
The problem we face is that the cookies are domain specific and we can't
access the cookie of one app in another.
The way this problem can be solved, in our point of view, is to check if any
user is logged in through this browser; if logged in we will direct to the
login page and it will return with a token, and if not logged in it must show
the normal page designed for a not-logged-in user.
1. How can we check if any user is available?
2. Is there any alternative way to achieve this?
Thanks in advance.
7 years, 2 months
redhat sso get baseurl in custom theme for email registration
by Antonia Nicolaou
Hello all,
Your help would be greatly appreciated.
I am using the single sign-on service from Red Hat v7.1 and I am developing a
custom template (in a custom theme) for the registration email. In the email,
unfortunately, I didn't find the proper way to get the client baseUrl or
the url.registrationUrl.
Could you please help me?
Thank you in advance.
Sincerely,
Antonia Nicolaou
7 years, 2 months
Re: [keycloak-user] Domain Clustered Mode
by Marc Tempelmeier
Hi again,
We fixed the bearer error, it was different time settings in the cluster...
But the Liquibase errors remain; it seems we have exactly this problem:
https://stackoverflow.com/questions/26235744/liquibase-case-insensitivity.... As far as I see it all table names are upper case in the liquibase change files.
Any idea?
-----Original Message-----
From: Marc Tempelmeier
Sent: Monday, July 10, 2017 9:28 AM
To: keycloak-user(a)lists.jboss.org
Subject: Domain Clustered Mode
Hi,
Is there anyone here who has this working with 1 Master and 2-3 Slaves on Version 3.2.0?
I frequently get 2 errors:
Error 1 (results in unregistering the slave):
Position: 22
[Server:slave1] Caused by: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation "public.databasechangeloglock" does not exist
[Server:slave1] Position: 22
[Server:slave1] Caused by: org.postgresql.util.PSQLException: ERROR: relation "public.databasechangeloglock" does not exist
Error 2 (results in immediate logout, sometimes after 1 sec or later):
10:08:22,066 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-18) RESTEASY002005: Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer
If anyone has a working config, it would be really great to share :)
Best regards
Marc Tempelmeier
7 years, 2 months
change password page in my application
by Ori Doolman
Hi,
I want my application's users to be able to change their password.
My app is a web application using React/Node.JS.
I have 2 options to implement this with the end user interacting directly with Keycloak (so the password will not go through my application):
1) Customize the account theme (ftl) and use the /account endpoint. In this form the user will enter his old and new password interactively.
2) Use the Keycloak admin REST API from my application server (Node.JS) and make Keycloak send the user a mail with a link to reset the password:
PUT /admin/realms/{realm}/users/{id}/execute-actions-email
Once the user clicks the link, he will need to set the new password.
Which of the above is the preferred option? Or is there any other option?
Thanks,
Ori.
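Option 2 from the message above, written out as an added example in Node.js (this is not the poster's code and not Keycloak's own): the backend authenticates as a service account and calls the execute-actions-email endpoint named above with the UPDATE_PASSWORD required action, so the user sets the new password on Keycloak's page and it never transits the application. Host, realm, client and user id are constructed placeholders; the HTTP client is injectable so the flow can be exercised offline.

```javascript
// Added example (not from the original post): option 2 above from a Node.js
// backend. The endpoint path is the one named in the post; the realm, client,
// user id and host are constructed placeholders. The user's password never
// touches this server: Keycloak mails a link and the user sets it there.

const REQUIRED_ACTIONS = ['UPDATE_PASSWORD'];   // required action Keycloak attaches to the mailed link

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build (but do not send) the admin REST request so URL and body can be inspected offline.
// {id} in the path is the Keycloak user id (a UUID), not the username.
function buildExecuteActionsRequest(baseUrl, realm, userId, accessToken, actions = REQUIRED_ACTIONS) {
  if (!UUID_RE.test(userId)) throw new Error('userId must be the Keycloak user id (UUID), not a username');
  const root = baseUrl.replace(/\/+$/, '');
  return {
    url: `${root}/admin/realms/${encodeURIComponent(realm)}/users/${userId}/execute-actions-email`,
    method: 'PUT',
    headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(actions),      // JSON array of required-action names
  };
}

// Client-credentials token for a confidential client whose service account holds
// the realm-management manage-users role. fetchImpl is injectable so the flow
// can run without a live server.
async function getServiceAccountToken(baseUrl, realm, clientId, clientSecret, fetchImpl = fetch) {
  const root = baseUrl.replace(/\/+$/, '');
  const form = new URLSearchParams({ grant_type: 'client_credentials', client_id: clientId, client_secret: clientSecret });
  const res = await fetchImpl(`${root}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/token`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: form.toString(),
  });
  if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
  return (await res.json()).access_token;
}

// Full flow: authenticate as the service account, then trigger the e-mail.
// Keycloak answers 204 No Content on success.
async function sendPasswordResetMail(baseUrl, realm, userId, clientId, clientSecret, fetchImpl = fetch) {
  const token = await getServiceAccountToken(baseUrl, realm, clientId, clientSecret, fetchImpl);
  const req = buildExecuteActionsRequest(baseUrl, realm, userId, token);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (res.status !== 204) throw new Error(`execute-actions-email failed with HTTP ${res.status}`);
  return true;
}
```

Keep the client secret server-side only and give the service account just manage-users rather than realm-admin; the endpoint sends mail to whatever address is on the user record, so the application should resolve the user id from the session it already authenticated, never from a caller-supplied parameter.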
7 years, 2 months
keycloak APIs to retrieve logged-in user
by shimin q
Hi,
I am new to keycloak (sorry if the answer to my question seems obvious!). We plan to use keycloak to secure a bunch of web apps, some written in Java, some in JavaScript (with React).
After the user is logged in by keycloak, each of those web apps needs to retrieve the user that is logged in and the realm/client roles that the user has.
- For Java apps, we tried the keycloak Java API (request -> KeycloakSecurityContext -> getIdToken -> getPreferredUsername/getOtherClaims). They seem to work fine
- For JavaScript apps, we are hitting roadblocks. What APIs would you recommend to use specifically? Do you have any example code for JavaScript apps? Tried the following code, but could not get Keycloak to init successfully (Note this is in web app code after the user is already authenticated by keycloak, the app is only trying to retrieve who logged in with what roles):
var kc = Keycloak({ url: 'https://135.112.123.194:8666/auth', realm: 'rtna', clientId: 'main' });
// var kc = Keycloak('./keycloak.json'); // this does not work as it can't find the keycloak.json file under WEB-INF
// kc.loadUserInfo();
// var userid = kc.subject; // kc.subject is only populated once init() has succeeded
// console.log("user id " + userid);
kc.init({ onLoad: 'login-required' }).success(function () {
  console.log("===================================");
  // kc.idToken is the raw encoded string; the claims live on kc.idTokenParsed
  console.log("kc.idTokenParsed.preferred_username: " + kc.idTokenParsed.preferred_username);
  alert(JSON.stringify(kc.tokenParsed));
  var authenticatedUser = kc.idTokenParsed.name;
  console.log(authenticatedUser);
}).error(function () {
  window.location.reload(); // note: reloads forever if init() keeps failing
});
Please advise. Thank you!!
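As an added example (not the poster's code and not part of keycloak.js), the following shows what kc.tokenParsed holds once init succeeds and where Keycloak places the realm and client roles the message asks for: realm roles under realm_access.roles and client roles under resource_access.<clientId>.roles. The token it decodes is constructed and unsigned so the block runs offline; the browser-side function takes the Keycloak constructor as a parameter and uses the 3.x success/error style from the post.

```javascript
// Added example (not from the original post): how keycloak.js arrives at
// kc.tokenParsed, and where the roles live in a Keycloak access token.
// The sample token is constructed and unsigned; it exists only so this runs offline.

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (str.length % 4)) % 4);
  const bytes = typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64')
    : Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Decode a JWT's claims WITHOUT verifying it. That is what keycloak.js does to
// populate kc.tokenParsed, and it is fine for rendering a UI; it is never an
// authorization decision. A browser can forge these bytes, so only the
// resource server's signature check against the realm key may be trusted.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Pull identity and roles out of decoded Keycloak access-token claims.
function describeUser(claims, clientId) {
  const realmRoles = (claims.realm_access && claims.realm_access.roles) || [];
  const clientAccess = claims.resource_access && claims.resource_access[clientId];
  return {
    userId: claims.sub,                              // same value as kc.subject
    username: claims.preferred_username,
    realmRoles,
    clientRoles: (clientAccess && clientAccess.roles) || [],
    expired: typeof claims.exp === 'number' && claims.exp * 1000 <= Date.now(),
  };
}

// Browser side: the same extraction wired to keycloak.js. The constructor is
// passed in so this file also loads under Node. 'check-sso' asks for an existing
// SSO session without forcing the login screen that 'login-required' shows.
function loadCurrentUser(Keycloak, config, onUser) {
  const kc = Keycloak(config);                       // e.g. { url, realm, clientId } as in the post
  kc.init({ onLoad: 'check-sso' })
    .success((authenticated) => {
      if (!authenticated) { onUser(null); return; }  // no session: render the anonymous page
      onUser(describeUser(kc.tokenParsed, config.clientId));
    })
    .error(() => onUser(null));
  return kc;
}

function buildSampleToken() {
  // Constructed for this example: an UNSIGNED token with the claim layout
  // Keycloak emits. Never accept such a token server-side.
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const header = { alg: 'none', typ: 'JWT' };
  const payload = {
    sub: '5f1c2e40-0000-4000-8000-000000000001',     // constructed user id
    preferred_username: 'alice',
    exp: 4102444800,                                 // 2100-01-01, so the sample does not expire
    realm_access: { roles: ['user', 'offline_access'] },
    resource_access: { main: { roles: ['editor'] } },
  };
  return `${enc(header)}.${enc(payload)}.`;
}

console.log(describeUser(decodeClaims(buildSampleToken()), 'main'));
```

In the browser, loadCurrentUser(Keycloak, { url, realm, clientId }, render) replaces the login-required flow from the post when the app only wants to know whether someone is already signed in; kc.hasRealmRole and kc.hasResourceRole give the same answers as the arrays above.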
7 years, 2 months
Domain Clustered Mode
by Marc Tempelmeier
Hi,
Is there anyone here who has this working with 1 Master and 2-3 Slaves on Version 3.2.0?
I frequently get 2 errors:
Error 1 (results in unregistering the slave):
Position: 22
[Server:slave1] Caused by: liquibase.exception.DatabaseException: Error executing SQL select count(*) from public.databasechangeloglock: ERROR: relation "public.databasechangeloglock" does not exist
[Server:slave1] Position: 22
[Server:slave1] Caused by: org.postgresql.util.PSQLException: ERROR: relation "public.databasechangeloglock" does not exist
Error 2 (results in immediate logout, sometimes after 1 sec or later):
10:08:22,066 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-18) RESTEASY002005: Failed executing GET /admin/realms: org.jboss.resteasy.spi.UnauthorizedException: Bearer
If anyone has a working config, it would be really great to share :)
Best regards
Marc Tempelmeier
7 years, 2 months
Jboss-modules.jar missing
by Dennis H
Hi,
Today I downloaded Keycloak 3.2.0.Final (zip). When running the
standalone.bat, the jboss-modules.jar is missing.
Do you know about this?
I also have another question. What is a good way to handle authorization,
so a user can only edit, for example, his own profile? How do I retrieve the
incoming token, get the user_id and verify it in, in this case, the
ProfileComponent? I'm currently using Java Spring Boot as backend (bearer
only).
Thanks,
Dennis
7 years, 2 months
jmpi
by Automatic Email Delivery Software
This message was undeliverable due to the following reason:
Your message was not delivered because the destination server was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configuration
parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within 1 days:
Host 153.195.58.206 is not responding.
The following recipients did not receive this message:
<keycloak-user(a)lists.jboss.org>
Please reply to postmaster(a)lists.jboss.org
if you feel this message to be in error.
7 years, 2 months