Hi Mark,
Thanks for the reply.
I now used the following MIT Kerberos Client on Windows 10 and things started working:
https://web.mit.edu/kerberos/dist/kfw/4.1/kfw-4.1-amd64.msi
One thing I had to change in Firefox, though, was to set network.auth.use-sspi to false to
get rid of the exception below:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
    at org.keycloak.federation.kerberos.KerberosFederationProvider.authenticate(KerberosFederationProvider.java:194)
    at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
    at sun.reflect.GeneratedMethodAccessor327.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
    ... 60 more
Earlier I had a problem with the Windows 8.1 and kfw-4.0.1-amd64.msi combination, not sure why;
maybe some environment issue at my end?
Thanks,
-Nirmal
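A small check for the token the browser actually sends, added here as an example (not code from the thread or from Keycloak): it decodes an Authorization: Negotiate header value and reports whether the bytes are a SPNEGO InitialContextToken (what the SPNEGO acceptor expects; base64 starting with "YII" as in the post), a raw Kerberos token, a raw NTLM message, or something that has no GSS header at all, which is the shape Java's GSSHeader rejects as "did not find the right tag". The sample tokens are constructed, not captured from a real session.

```python
import base64

# DER-encoded OID bodies: SPNEGO 1.3.6.1.5.5.2 (RFC 4178), Kerberos V5 1.2.840.113554.1.2.2 (RFC 4121)
SPNEGO_OID = bytes.fromhex("2b0601050502")
KRB5_OID = bytes.fromhex("2a864886f712010202")
NTLMSSP_MAGIC = b"NTLMSSP\x00"  # signature of a raw NTLM message

def _der_len(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(header_value):
    """Say what an 'Authorization: Negotiate <b64>' header value actually carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "bad-base64"
    if tok.startswith(NTLMSSP_MAGIC):
        return "raw-ntlm"  # not a GSS-API token at all
    # RFC 2743 InitialContextToken: [APPLICATION 0] tag 0x60, DER length, then the mech OID.
    try:
        if tok[0] != 0x60:
            raise ValueError
        _, pos = _der_len(tok, 1)
        if tok[pos] != 0x06:
            raise ValueError
        oid = tok[pos + 2:pos + 2 + tok[pos + 1]]
    except (ValueError, IndexError):
        return "no-gss-header"  # what Java's GSSHeader reports as "did not find the right tag"
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown-mech")

def _gss_token(oid, payload):
    """Build a constructed InitialContextToken around a dummy payload (sample data, not a real ticket)."""
    inner = b"\x06" + bytes([len(oid)]) + oid + payload
    length = bytes([len(inner)]) if len(inner) < 0x80 else b"\x82" + len(inner).to_bytes(2, "big")
    return base64.b64encode(b"\x60" + length + inner).decode()

# Constructed samples: SPNEGO long enough to start with "YII" as in the post, raw Kerberos, raw NTLM.
SAMPLE_SPNEGO = _gss_token(SPNEGO_OID, b"\xa0" + b"\x00" * 300)
SAMPLE_KRB5 = _gss_token(KRB5_OID, b"\x01\x00" + b"\x00" * 40)
SAMPLE_NTLM = base64.b64encode(NTLMSSP_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()
```

Run it against the header value copied from the browser's network tab; a result other than "spnego" or "kerberos" explains the GSSHeader exception before looking at the Kerberos configuration itself.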
________________________________
From: Marek Posolda <mposolda(a)redhat.com>
Sent: Thursday, June 8, 2017 1:42:50 AM
To: Nirmal Kumar; keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Exception in Kerberos Credential Delegation example
You can try to enable some additional logging as mentioned in the
"troubleshooting" section of the Kerberos docs.
One thing, which looks a bit strange to me, is the name of the HTTP
principal with the IP address in it. Does it work with the same principal
for your N1 and N2 machines? I would try to use the name instead of the IP
address. But not 100% sure the issue is really this...
Marek
On 07/06/17 13:37, Nirmal Kumar wrote:
Hi Keycloak,
I set up the keycloak-demo-3.0.0 standalone server with the Kerberos
example (kerberos-portal.war) on an *Ubuntu machine (N1)*.
Next, on another *Ubuntu machine (N2)*, I set up the Kerberos client (did a kinit) and made
the required config changes in Firefox, and I am able to access the URL
http://N1:8080/kerberos-portal/ and the login page is bypassed as expected.
However, when using another *Windows 8.1 machine (N3)* where I have set up the MIT
Kerberos Client (did a kinit) + required config changes in Firefox, I am getting the Login
page.
The browser does get the challenge response header WWW-Authenticate: Negotiate and
then sends Authorization: Negotiate YII... again, but somehow I end up with the Login
page and see the below error in the WildFly logs.
2017-06-07 10:46:04,332 INFO [stdout] (default task-42) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx@IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-06-07 10:46:04,334 INFO [stdout] (default task-42) principal is HTTP/192.168.xx.xx@IMPETUS.CO.IN
2017-06-07 10:46:04,334 INFO [stdout] (default task-42) Will use keytab
2017-06-07 10:46:04,335 INFO [stdout] (default task-42) Commit Succeeded
2017-06-07 10:46:04,335 INFO [stdout] (default task-42)
*2017-06-07 10:46:04,337 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration*
2017-06-07 10:46:04,337 INFO [stdout] (default task-42) [Krb5LoginModule]: Entering logout
2017-06-07 10:46:04,338 INFO [stdout] (default task-42) [Krb5LoginModule]: logged out Subject
I troubleshot this for quite a long time but cannot understand where the problem is.
Can you please give me some pointers to look for?
Thanks,
-Nirmal
________________________________
NOTE: This message may contain information that is confidential, proprietary, privileged
or otherwise protected by law. The message is intended solely for the named addressee. If
received in error, please destroy and notify the sender. Any use of this email is
prohibited when received in error. Impetus does not represent, warrant and/or guarantee,
that the integrity of this communication has been maintained nor that the communication is
free of errors, virus, interception or interference.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user