Do you have an "/etc/krb5.conf" file on the server where your Keycloak is
deployed? In this file you need the configuration of the Kerberos realm
corresponding to the Kerberos realm you used in the Keycloak LDAP
storage provider configuration. The host/port of the KDC needs to be
reachable over the network from the Keycloak server; the
java.net.PortUnreachableException from sun.security.krb5.internal.UDPClient
in your trace indicates the AS-REQ was sent to a KDC address/port where
nothing is listening. The configuration of the KDC in the
/etc/krb5.conf file can look like this, for example:
KEYCLOAK.ORG={
kdc = localhost:6088
}
Marek
On 06/07/17 19:26, Malte Finsterwalder wrote:
I tweaked my config a bit and fixed an error there. It still
doesn't work
correctly, but now I get an ICMP error after the SPNEGO failure and an attempt
to log in with username and password:
17:23:54,184 INFO [stdout] (default task-21) [Krb5LoginModule]
authentication failed
17:23:54,184 INFO [stdout] (default task-21) ICMP Port Unreachable
17:23:54,185 WARN [org.keycloak.services] (default task-21)
KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException:
Kerberos unreachable
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:94)
at
org.keycloak.storage.ldap.LDAPStorageProvider.validPassword(LDAPStorageProvider.java:512)
at
org.keycloak.storage.ldap.LDAPStorageProvider.isValid(LDAPStorageProvider.java:602)
at
org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:140)
at
org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:121)
at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:175)
at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:151)
at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
at
org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
at
org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
at
org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
at
org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.auth.login.LoginException: ICMP Port Unreachable
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
at
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.authenticateSubject(KerberosUsernamePasswordAuthenticator.java:128)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:90)
... 61 more
Caused by: java.net.PortUnreachableException: ICMP Port Unreachable
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at
java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)
at java.net.DatagramSocket.receive(DatagramSocket.java:812)
at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(KdcComm.java:348)
at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
at sun.security.krb5.KdcComm.send(KdcComm.java:229)
at sun.security.krb5.KdcComm.send(KdcComm.java:200)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
... 75 more
On 6 July 2017 at 17:21, Malte Finsterwalder <inofi(a)gmx.net> wrote:
> Hi there,
>
> I tried to configure Keycloak to authenticate against Windows Active
> Directory using Kerberos credentials.
> But I keep getting an exception.
>
> Setup is as follows:
>
> I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final.
> In addition I installed freeipa-client and added a /etc/krb5.conf file as
> well as my keytab file.
>
> But when I configure Kerberos as required in the browser flow, I get the
> following Exception and the browser shows me a basic auth login dialog,
> that does not allow me to log in at all.
>
> Any ideas? How can I gather more information?
>
> 13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true
> useTicketCache false useKeyTab true doNotPrompt true ticketCache is null
> isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab
> refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.HANS
> EMERKUR.DE(a)HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is false
> storePass is false clearPass is false
> 13:26:25,796 INFO [stdout] (default task-64) principal is
> HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE
> 13:26:25,796 INFO [stdout] (default task-64) Will use keytab
> 13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded
> 13:26:25,796 INFO [stdout] (default task-64)
>
> 13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
> (default task-47) SPNEGO login failed: java.security.PrivilegedActionException:
> GSSException: Defective token detected (Mechanism level: GSSHeader did not
> find the right tag)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.au
> thenticate(SPNEGOAuthenticator.java:68)
> at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(L
> DAPStorageProvider.java:542)
> at org.keycloak.credential.UserCredentialStoreManager.authentic
> ate(UserCredentialStoreManager.java:323)
> at org.keycloak.authentication.authenticators.browser.SpnegoAut
> henticator.authenticate(SpnegoAuthenticator.java:90)
> at org.keycloak.authentication.DefaultAuthenticationFlow.proces
> sFlow(DefaultAuthenticationFlow.java:184)
> at org.keycloak.authentication.AuthenticationProcessor.authenti
> cateOnly(AuthenticationProcessor.java:792)
> at org.keycloak.authentication.AuthenticationProcessor.authenti
> cate(AuthenticationProcessor.java:667)
> at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowse
> rAuthenticationRequest(AuthorizationEndpointBase.java:123)
> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.b
> uildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.
> build(AuthorizationEndpoint.java:125)
> at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
> thodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
> ctorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
> (ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
> eMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
> tObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
> ceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
> tObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
> ceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
> nousDispatcher.java:395)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
> nousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
> spatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
> her.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
> her.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
> rvletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
> oFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
> oFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
> oFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
> terHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
> dler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
> eRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssoc
> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociat
> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationC
> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentiality
> ConstraintHandler.handleRequest(ServletConfident
> ialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.ha
> ndleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssociation
> Handler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
> ndler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
> stRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
> equest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
> 0(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
> equest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
> ge.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
> Executor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
> lExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)
> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
> Impl.java:306)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
> Impl.java:285)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.es
> tablishContext(SPNEGOAuthenticator.java:172)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
> ceptSecContext.run(SPNEGOAuthenticator.java:135)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
> ceptSecContext.run(SPNEGOAuthenticator.java:125)
> ... 60 more
>
> 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
> Entering logout
> 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
> logged out Subject
>
>