Does anyone have feedback about getting a delegated GSSCredential?
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org>
On Behalf Of Chris Smith
Sent: Wednesday, January 23, 2019 10:12 PM
To: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Here is a diagram of what I'm trying to do.

From: Chris Smith
Sent: Wednesday, January 23, 2019 8:08 AM
To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
Subject: Get a GSSCredential when user browser is not in Active Directory domain

I have set up my servlet to authenticate a user to my web app using Keycloak Active Directory LDAP user federation.

I can get a Delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.

When the browser workstation is not a member of the AD domain, Keycloak will authenticate the user ID and password entered on the Keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.

I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).

Less than 1% of the users will be using browsers on workstations in the Active Directory domain.

Can Keycloak put a GSSCredential for the logged-in user in the Access Token when SPNEGO is not available from the browser?