I afraid that it won't work ATM. You can create JIRA for this though. However I am not sure if it's priority for us to do that.

Alternatively you can try to contribute this yourself. Maybe the only required thing will be to add NTLM OID ( 1.3.6.1.4.1.311.2.2.10 ) to the list here https://github.com/keycloak/keycloak/blob/master/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/SPNEGOAuthenticator.java#L169 . However I afraid it likely won't be that easy...

Marek

On 28/06/16 17:47, Guy Davis wrote:
Good day,

For sake of argument, assume that someone has set up a MS Active Directory domain with Kerberos disabled, but NTLM still enabled.  In that situation, would a user browsing to a Keycloak-protected application, with LDAP+SPNEGO enabled (against that MS AD system) still allow for Integrated Windows Authentication (auto-login without prompt) to web application?

Thanks much,
Guy

<re-sending today as same message yesterday didn't make it through to the list>


_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user