Hi,
we are trying out Keycloak 3.4.3 as a federation service with Kerberos and Active Directory
with multiple domains (like ADFS).
First we are only testing authentication with Keycloak, Kerberos tickets and Active Directory with
multiple domains.
Problem:
Keycloak only seems to read the sAMAccountName from the Kerberos ticket, not the realm/domain.
If the sAMAccountName is in the top-level (or highest-priority) federation provider, authentication
is successful. If not, it fails.
It is crucial that Keycloak knows in which AD domain the user from the Kerberos ticket is
located. Otherwise Keycloak is not able to get the correct claims for the user.
Test environment:
Keycloak 3.4.3 standalone on CentOS 7 with a Keycloak realm EMP_AD.
We configured 3 LDAP federation providers (with Kerberos integration) for 3 AD domains:
DE.MIT.NET, FR.MIT.NET and BE.MIT.NET.
Each federation provider has been configured with the following parameters: vendor: Active
Directory, Username LDAP attribute: sAMAccountName, Kerberos REALM: "name of the
AD/Kerberos domain", ...
sAMAccountName is unique in each AD domain, but not in the forest. In the forest only
userPrincipalName is unique.
We made the Kerberos configuration as described in the Keycloak docs, and also included a keytab
file. Our productive company AD and KDCs are used.
Two test users: john.smith(a)de.mit.net (UPN in domain DE.MIT.NET) and john.smith(a)fr.mit.net (UPN
in domain FR.MIT.NET). The sAMAccountName for both users is john.smith.
Testing:
Since we are just testing how Keycloak can handle Kerberos, AD and multiple domains, we just call
the admin realm URL for login tests:
https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console
First scenario:
User john.smith is already authenticated on his Windows 7 client (AD domain DE.MIT.NET).
In Keycloak only the federation provider for AD domain DE.MIT.NET is enabled.
When calling https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console, user john.smith
gets a Kerberos ticket for Keycloak. In the ticket the user is identified with his
sAMAccountName and his Kerberos REALM (AD domain):
klist:
Client: john.smith @ DE.MIT.NET
Server: HTTP/DUS212kcsrv.wert.net @ DAS.MIT.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
...
Result: User john.smith from AD domain DE.MIT.NET is automatically and successfully
authenticated in Keycloak. --> Successful
Second scenario:
Same as the first scenario, but this time only the federation provider for AD domain FR.MIT.NET is
enabled. (User john.smith is also available in domain FR.MIT.NET.)
Even though the Kerberos ticket of user john.smith from AD domain DE.MIT.NET is used, in
Keycloak john.smith from AD domain FR.MIT.NET is authenticated.
--> NOT successful
Third scenario:
Same as the first scenario, but this time all FPs are enabled in Keycloak. The FP for domain
BE.MADM.NET is on top of the list (or has the highest priority). In BE.MADM.NET user john.smith
does not exist.
Keycloak only looks up john.smith in the federation provider for domain BE.MADM.NET. Since
there is no such user, access to Keycloak failed:
server.log:
2018-03-08 16:37:03,121 WARN [org.keycloak.storage.ldap.LDAPStorageProvider] (default
task-1) Kerberos/SPNEGO authentication succeeded with username [john.smith], but
couldn't find or create user with federation provider [BE.MADM.NET]
2018-03-08 16:37:03,122 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR,
realmId=EMP_AD, clientId=security-admin-console, userId=null, ipAddress=10.12.45.34,
error=invalid_user_credentials, auth_method=openid-connect, auth_type=code,
response_type=code,
redirect_uri=https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console/,
code_id=27a1da71-b5f2-4416-a0dd-6005b409a60a, response_mode=fragment
Best regards
Ralph
Business address: METRO SYSTEMS GmbH, Metro-Straße 12, 40235 Düsseldorf, Germany
Supervisory Board: Heiko Hutmacher (Chairman)
Management Board: Dr. Dirk Toepfer (CEO), Wim van Herwijnen
Registered Office Düsseldorf, Commercial Register of the Düsseldorf Local Court, HRB 18232
Regarding mails from *(a)metrosystems.net
This e-mail message and any attachment are intended exclusively for the named addressee.
They may contain confidential information which may also be protected by professional
secrecy. Unless you are the named addressee (or authorised to receive for the addressee)
you may not copy or use this message or any attachment or disclose the contents to anyone
else. If this e-mail was sent to you by mistake please notify the sender immediately and
delete this e-mail.
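The post's three scenarios come down to one routing decision: which LDAP federation provider gets to resolve a SPNEGO-authenticated principal. The following is an added illustration, not Keycloak code and not Ralph's, of the two strategies side by side: the username-only, top-priority lookup the post reports, and a realm-aware lookup that uses the `@REALM` part of the ticket's client principal to choose the provider and refuses the login when no enabled provider is configured for that realm. Provider names, priorities and directory contents are constructed from the post's setup (domain BE is taken as BE.MIT.NET, as in the configuration section); the `FederationProvider` class and the two `lookup_*` functions are assumptions for this example.

```python
# Added example, not Keycloak's own code: routing a SPNEGO login to the LDAP
# federation provider whose Kerberos realm matches the ticket, compared with
# the username-only, top-priority lookup described in the post.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FederationProvider:
    """Stand-in (assumed for this example) for one Keycloak LDAP federation
    provider with Kerberos integration."""
    name: str                       # provider display name (here: the AD domain)
    kerberos_realm: str             # the provider's "Kerberos Realm" setting
    priority: int                   # lower number = consulted first
    users: Dict[str, Dict[str, str]] = field(default_factory=dict)  # sAMAccountName -> attrs


def split_principal(principal: str) -> Tuple[str, str]:
    """Split a Kerberos client principal ('john.smith@DE.MIT.NET') into
    (username, REALM). The realm is upper-cased for comparison. A principal
    without a realm is rejected instead of being treated as a bare username."""
    user, sep, realm = principal.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"principal has no realm: {principal!r}")
    return user, realm.upper()


def lookup_by_priority(principal: str,
                       providers: List[FederationProvider]) -> Optional[Tuple[str, Dict[str, str]]]:
    """Behaviour the post reports: only the username part is used and only the
    top-priority provider is searched; the realm in the ticket is ignored."""
    user, _ = split_principal(principal)
    top = min(providers, key=lambda p: p.priority)
    entry = top.users.get(user)
    return None if entry is None else (top.name, entry)


def lookup_by_realm(principal: str,
                    providers: List[FederationProvider]) -> Optional[Tuple[str, Dict[str, str]]]:
    """Realm-aware routing: the ticket's realm selects the provider. If no enabled
    provider is configured for that realm, the login is refused rather than
    falling back to a same-named account in another domain."""
    user, realm = split_principal(principal)
    candidates = [p for p in providers if p.kerberos_realm.upper() == realm]
    if not candidates:
        return None
    provider = min(candidates, key=lambda p: p.priority)
    entry = provider.users.get(user)
    return None if entry is None else (provider.name, entry)


# Constructed directory contents modelled on the post: john.smith exists in DE
# and FR with the same sAMAccountName but different UPNs; BE has no such user.
DE = FederationProvider("DE.MIT.NET", "DE.MIT.NET", 2,
                        {"john.smith": {"userPrincipalName": "john.smith@de.mit.net"}})
FR = FederationProvider("FR.MIT.NET", "FR.MIT.NET", 3,
                        {"john.smith": {"userPrincipalName": "john.smith@fr.mit.net"}})
BE = FederationProvider("BE.MIT.NET", "BE.MIT.NET", 1)   # top priority, user absent

TICKET_CLIENT = "john.smith@DE.MIT.NET"   # client principal as shown by klist in the post


def run_scenarios() -> Dict[str, Optional[Tuple[str, Dict[str, str]]]]:
    """Replay the post's second and third scenarios with both strategies."""
    return {
        # Scenario 2: only the FR provider is enabled, ticket is from DE.
        "scenario2_priority": lookup_by_priority(TICKET_CLIENT, [FR]),
        "scenario2_realm": lookup_by_realm(TICKET_CLIENT, [FR]),
        # Scenario 3: all providers enabled, BE has the highest priority.
        "scenario3_priority": lookup_by_priority(TICKET_CLIENT, [BE, DE, FR]),
        "scenario3_realm": lookup_by_realm(TICKET_CLIENT, [BE, DE, FR]),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

With the priority strategy, scenario 2 silently authenticates the FR account for a DE ticket and scenario 3 fails outright; with the realm strategy, scenario 2 is refused (no provider for DE.MIT.NET is enabled) and scenario 3 resolves the DE account regardless of provider order. The refusal in scenario 2 is the security-relevant part: a ticket for one domain must never be accepted as proof of identity for a same-named account in another.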