On 21/06/16 10:21, Christopher Davies wrote:
> I am looking to use KeyCloak backed by an AD server.
> Can I check a few things that I understand are correct.
>
> 1) Using the User Federation SPI I import the following from ActiveDirectory into the KeyCloak database: first name, surname, email, username and password.

By default you are importing first name, surname, email and username. You can import more attributes by creating additional LDAP mappers. But no password is imported from MSAD to the Keycloak DB.

> 2) Password checks are made against the Keycloak database and not the ActiveDirectory system

No, password checks are made against ActiveDirectory. Just if you have editMode UNSYNCED and you change the password of the user (or he changes it himself in account management), then the new password will be saved into the Keycloak DB and will be used in favor of the old password from MSAD.

> 3) Enabling kerberos authentication will allow me to do passwordless login using my web browser from my windows box

Yes. See our Kerberos documentation for more details [1].

[1] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html


> Hope I am not too far from the mark


keycloak-user mailing list
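The three answers above map onto one Keycloak user-storage component plus one extra LDAP mapper. The script below is an added example, not code from the thread or from the Keycloak project: it emits the component JSON for an MSAD provider with editMode UNSYNCED (so logins are checked against AD and no password is imported), adds a mapper for an attribute beyond the default four, and enables the Kerberos/SPNEGO settings. It assumes a modern Keycloak with the kcadm.sh admin CLI and the component-based user storage API; the realm name, LDAP URL, DNs, bind credential, Kerberos realm/principal/keytab path and the "department" attribute are constructed placeholders, and the config key names are taken from current Keycloak documentation.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Keycloak project).
# All values below are constructed placeholders; override them via environment.
REALM="${REALM:-example-realm}"
AD_URL="${AD_URL:-ldap://ad.example.test:389}"
USERS_DN="${USERS_DN:-OU=Users,DC=example,DC=test}"
BIND_DN="${BIND_DN:-CN=keycloak-svc,OU=Service,DC=example,DC=test}"
BIND_PW="${BIND_PW:-replace-me}"
KRB_REALM="${KRB_REALM:-EXAMPLE.TEST}"
KRB_SPN="${KRB_SPN:-HTTP/sso.example.test@EXAMPLE.TEST}"
KRB_KEYTAB="${KRB_KEYTAB:-/etc/keycloak/sso.keytab}"

# JSON for the MSAD user-storage provider. Note there is no password field:
# Keycloak never imports AD passwords. With editMode UNSYNCED a login is still
# checked against AD until the user's password is changed in Keycloak, after
# which the copy in the Keycloak DB takes precedence for that user.
ldap_provider_json() {
  cat <<EOF
{
  "name": "active-directory",
  "providerId": "ldap",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "config": {
    "vendor": ["ad"],
    "connectionUrl": ["$AD_URL"],
    "usersDn": ["$USERS_DN"],
    "bindDn": ["$BIND_DN"],
    "bindCredential": ["$BIND_PW"],
    "authType": ["simple"],
    "editMode": ["UNSYNCED"],
    "usernameLDAPAttribute": ["sAMAccountName"],
    "rdnLDAPAttribute": ["cn"],
    "uuidLDAPAttribute": ["objectGUID"],
    "userObjectClasses": ["person, organizationalPerson, user"],
    "importEnabled": ["true"],
    "syncRegistrations": ["false"],
    "allowKerberosAuthentication": ["true"],
    "kerberosRealm": ["$KRB_REALM"],
    "serverPrincipal": ["$KRB_SPN"],
    "keyTab": ["$KRB_KEYTAB"]
  }
}
EOF
}

# One additional attribute beyond the default first name/surname/email/username:
# AD's "department" mapped read-only into a Keycloak user attribute.
mapper_json() {
  parent_id="$1"
  cat <<EOF
{
  "name": "department",
  "providerId": "user-attribute-ldap-mapper",
  "providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
  "parentId": "$parent_id",
  "config": {
    "ldap.attribute": ["department"],
    "user.model.attribute": ["department"],
    "read.only": ["true"],
    "always.read.value.from.ldap": ["true"],
    "is.mandatory.in.ldap": ["false"]
  }
}
EOF
}

# Apply only when the admin CLI is on PATH (after "kcadm.sh config credentials").
# "-i" makes kcadm.sh print the id of the created component, which the mapper
# needs as its parentId.
apply() {
  command -v kcadm.sh >/dev/null 2>&1 || { echo "kcadm.sh not found; nothing applied" >&2; return 1; }
  comp_id=$(ldap_provider_json | kcadm.sh create components -r "$REALM" -i -f -) || return 1
  mapper_json "$comp_id" | kcadm.sh create components -r "$REALM" -f -
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it as `sh ad-federation.sh apply` after authenticating kcadm.sh; without the argument it only defines the functions, so `ldap_provider_json` can be inspected before anything is sent to the server. The bind credential is a plain string in the component config, so treat the environment and any saved copy of this JSON with the same care as the service account itself.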