Hello,

 

I am trying to set up SPNEGO authentication through Keycloak.  I have installed Keycloak on a windows server, configured a client as shown below and set up the realm in jboss.  But I consistently receive the error message GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag).  I am using IE 11, and the url for the web app is https://gig-jboss-dev.ajga.com:8443/CBN

 

JBoss web app configuration in standalone.xml ======================================================

 

<subsystem xmlns="urn:jboss:domain:keycloak:1.1">

            <secure-deployment name="cbn-war-17.0.0.16-SNAPSHOT.war">

                <realm>master</realm>

                <resource>CBN</resource>

                <public-client>true</public-client>

                <realm-public-key>(key from keycloak)</realm-public-key>

                <auth-server-url>http://gig-msnet-dev.ajga.com:8080/auth</auth-server-url>

                <ssl-required>EXTERNAL</ssl-required>

            </secure-deployment>

        </subsystem>

 

Log file from keycloak server ========================================================

 

2016-09-13 10:47:31,792 INFO  [stdout] (default task-19) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is c:\temp\keycloak.keytab refreshKrb5Config is false principal is HTTP/gig-msnet-dev.ajga.com@AJGA.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

2016-09-13 10:47:31,792 INFO  [stdout] (default task-19) principal is HTTP/gig-msnet-dev.ajga.com@AJGA.COM

2016-09-13 10:47:31,792 INFO  [stdout] (default task-19) Will use keytab

2016-09-13 10:47:31,807 INFO  [stdout] (default task-19) Commit Succeeded

2016-09-13 10:47:31,807 INFO  [stdout] (default task-19)

2016-09-13 10:47:31,807 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-19) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

                at java.security.AccessController.doPrivileged(Native Method)

                at javax.security.auth.Subject.doAs(Subject.java:422)

                at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:70)

                at org.keycloak.federation.kerberos.KerberosFederationProvider.validCredentials(KerberosFederationProvider.java:209)

                at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:549)

                at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)

                at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)

                at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)

                at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)

                at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139)

                at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:341)

                at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:160)

                at sun.reflect.GeneratedMethodAccessor360.invoke(Unknown Source)

                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

                at java.lang.reflect.Method.invoke(Method.java:483)

                at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)

                at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)

                at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)

                at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)

                at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)

                at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)

                at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)

                at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)

                at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)

                at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)

                at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)

                at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)

                at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

                at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)

                at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)

                at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)

                at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)

                at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)

                at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)

                at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)

                at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)

                at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)

                at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

                at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

                at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)

                at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)

                at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

                at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

                at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)

                at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)

                at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)

                at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)

                at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)

                at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)

                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

                at java.lang.Thread.run(Thread.java:745)

Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

                at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)

                at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)

                at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)

                at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:174)

                at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:137)

                at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:127)

                ... 60 more

 

2016-09-13 10:47:31,839 INFO  [stdout] (default task-19)                               [Krb5LoginModule]: Entering logout

2016-09-13 10:47:31,839 INFO  [stdout] (default task-19)                               [Krb5LoginModule]: logged out Subject