Hi Raymond,
returning keycloak-user list back for tracking purposes.
What I can see in the server.log is that:
- Keycloak asks the browser to send a SPNEGO token (by sending 401 with
the "WWW-Authenticate: Negotiate" header). So far everything is as expected.
- The browser replies with a SPNEGO token, however it uses NTLM as the
preferred choice (the first OID is 1.3.6.1.4.1.311.2.2.10) together with an
NTLM token. The KRB5 OID (1.2.840.113554.1.2.2) is in the supported
mechanisms too.
- Keycloak replies with a NegTokenTarg token asking the browser to send a
SPNEGO token backed by KRB5 instead of NTLM (as Keycloak doesn't
understand NTLM atm. There is a related discussion on keycloak-user.)
- The browser doesn't respond to the NegTokenTarg with a SPNEGO+KRB5 token anymore.
Not sure what your possibilities are TBH. Either somehow set up the browser
to reply to the second request (the NegTokenTarg) and send a SPNEGO+KRB5 token,
or re-configure your Windows domain (or client machines + browser) to
skip using NTLM. Right now, I don't have any clue how to do that TBH.
Marek
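The exchange Marek walks through above can be checked on the wire: the browser's first "Authorization: Negotiate <base64>" header is a GSS-API InitialContextToken carrying a DER-encoded SPNEGO NegTokenInit, and the order of its mechTypes list is the client's preference order. The Python below is an added example, not code from this thread or from Keycloak. It assumes the RFC 2743 / RFC 4178 token layout, hand-rolls a minimal DER reader and writer for it, and constructs its own sample tokens (the NTLM NEGOTIATE body and the two-byte stand-in for an AP-REQ are placeholders, not anything captured from Raymond's server.log). The comment linking a bare NTLMSSP blob to the "GSSHeader did not find the right tag" error is my reading of Java's GSS implementation, not something the log confirms.

```python
"""Inspect the SPNEGO token in "Authorization: Negotiate <b64>" and report which mechanism leads."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft Kerberos OID, usually offered beside OID_KRB5
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"

def _der(tag, content):
    """Wrap content in one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    """DER-encode a dotted OID: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return _der(0x06, out)

def _read_tlv(buf, pos):
    """Parse the DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode DER OID content octets back into dotted form."""
    first = value[0]
    parts, n = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def build_neg_token_init(mech_types, mech_token):
    """GSS-API InitialContextToken carrying a SPNEGO NegTokenInit (RFC 4178 layout)."""
    mech_list = _der(0x30, b"".join(_encode_oid(o) for o in mech_types))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _encode_oid(OID_SPNEGO) + _der(0xA0, neg_init))

def inspect_negotiate_header(header_value):
    """Return {"framing", "mech_types", "preferred"} for an Authorization header value."""
    unknown = {"framing": "unknown", "mech_types": [], "preferred": None}
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return unknown
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):
        # Bare NTLM, no GSS-API 0x60 header: Java's GSSHeader rejects it ("did not find the right tag")
        return {"framing": "raw-ntlm", "mech_types": [OID_NTLMSSP], "preferred": OID_NTLMSSP}
    if len(tok) < 2 or tok[0] != 0x60:
        return unknown
    _, body, _ = _read_tlv(tok, 0)
    tag, oid, pos = _read_tlv(body, 0)
    this_mech = _decode_oid(oid) if tag == 0x06 else None
    if this_mech in (OID_KRB5, OID_MS_KRB5):       # plain Kerberos AP-REQ, no SPNEGO wrapper
        return {"framing": "krb5", "mech_types": [this_mech], "preferred": this_mech}
    if this_mech != OID_SPNEGO:
        return unknown
    tag, neg, _ = _read_tlv(body, pos)              # [0] negTokenInit
    if tag != 0xA0:
        return unknown
    _, seq, _ = _read_tlv(neg, 0)                   # NegTokenInit SEQUENCE
    tag, ctx0, _ = _read_tlv(seq, 0)                # [0] mechTypes
    if tag != 0xA0:
        return unknown
    _, mech_list, _ = _read_tlv(ctx0, 0)            # SEQUENCE OF MechType, preference order
    mechs, p = [], 0
    while p < len(mech_list):
        t, v, p = _read_tlv(mech_list, p)
        if t == 0x06:
            mechs.append(_decode_oid(v))
    return {"framing": "spnego", "mech_types": mechs, "preferred": mechs[0] if mechs else None}

def kerberos_preferred(report):
    """True when the client leads with Kerberos, the only mechanism Keycloak completes."""
    return report["preferred"] in (OID_KRB5, OID_MS_KRB5)

# Constructed samples: NTLM_TYPE1 only has the shape of an NTLM NEGOTIATE message, b"\x60\x00" stands in for an AP-REQ
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20
def _hdr(token):
    return "Negotiate " + base64.b64encode(token).decode()
SAMPLE_NTLM_FIRST = _hdr(build_neg_token_init([OID_NTLMSSP, OID_KRB5, OID_MS_KRB5], NTLM_TYPE1))
SAMPLE_KRB5_FIRST = _hdr(build_neg_token_init([OID_KRB5, OID_MS_KRB5, OID_NTLMSSP], b"\x60\x00"))
SAMPLE_RAW_NTLM = _hdr(NTLM_TYPE1)
```

Feed inspect_negotiate_header the header value from a browser devtools capture or a server-side header dump. A report whose "preferred" entry is the NTLMSSP OID while KRB5 still appears in "mech_types" is exactly the situation Marek describes, and the knob is on the client or domain side (get the browser to lead with Kerberos), not in Keycloak.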
On 28/06/16 21:58, Zhou, Limin (Ray) wrote:
Hi Marek
If you haven't looked at my previous server.log, then use this one
instead; in this log we were getting the exception
GSSException: Defective token detected (Mechanism level: GSSHeader
did not find the right tag)
when we hit the URL. Maybe this will make things easier.
Please let me know if you need anything more
Thanks a lot
Raymond
*From:*Zhou, Limin (Ray)
*Sent:* Tuesday, June 28, 2016 10:00 AM
*To:* 'Marek Posolda'
*Subject:* RE: [keycloak-user] Keycloak single sign on with Keberos(AD)
Hi Marek
I have attached my Keycloak server log for you. After adding the two
properties, we can see an exception show up when I hit my URL;
after the exception, I think the default Keycloak login page shows up,
and the rest of the log was generated by my manual login.
Hope this can give us some clue
Thanks a lot
Raymond
*From:*Marek Posolda [mailto:mposolda@redhat.com]
*Sent:* Tuesday, June 28, 2016 1:43 AM
*To:* Zhou, Limin (Ray)
*Subject:* Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
Thanks Raymond,
is it possible to also enable the system properties
-Dsun.security.krb5.debug=true and -Dsun.security.spnego.debug=true
and see if there are some more details in the log? You can add the system
properties either directly to the standalone/configuration/standalone.xml
file or by adding them to the java opts in bin/standalone.conf
Thanks,
Marek
On 27/06/16 23:18, Zhou, Limin (Ray) wrote:
Hello Marek
Thanks for answering my post. Following is the log piece after
hitting the first page; hope this helps.
Please let me know if you need anything more
Thank you so much
Raymond
2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\FIRMS-domain\kcsso.keytab refreshKrb5Config is false principal is HTTP/t430-pbdc41e.monad.moneris.com@MONAD.MONERIS.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2016-06-27 17:11:13,453 INFO [stdout] (default task-24) principal is HTTP/t430-pbdc41e.monad.moneris.com@MONAD.MONERIS.COM
2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Will use keytab
2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Commit Succeeded
2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
2016-06-27 17:11:13,454 INFO [stdout] (default task-24) [Krb5LoginModule]: Entering logout
2016-06-27 17:11:13,454 INFO [stdout] (default task-24) [Krb5LoginModule]: logged out Subject
*From:*Marek Posolda [mailto:mposolda@redhat.com]
*Sent:* Monday, June 27, 2016 5:55 AM
*To:* Zhou, Limin (Ray); keycloak-user@lists.jboss.org
*Subject:* Re: [keycloak-user] Keycloak single sign on with
Keberos(AD)
It may help if you enable all the possible debug/trace logging and
post the log here. This may give more info on what the issue is. See
the docs on how to enable logging:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/top...
Try to send the log from the point where you trigger the
authentication request (or from the point when you hit your app URL).
Thanks,
Marek
On 24/06/16 20:22, Zhou, Limin (Ray) wrote:
Hello everyone
I am new to Keycloak and new here.
Our web application is running on JBoss EAP 7. We have
configured a Keycloak standalone server 1.9.7 running on a
different port (same server box) to manage the user
authentication and authorization; behind Keycloak we have
configured Kerberos in User Federation to talk to our company AD
server. We are able to log in using our AD account, but not
in a single sign-on way: each time we hit our app
URL, the Keycloak login page shows up.
It looks like the TGT or ST handshake was not successful; is
there any document I can reference to debug the issue?
Any comments or suggestions would be very welcome.
Thanks in advance,
Raymond
------------------------------------------------------------------------
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada
www.moneris.com <http://www.moneris.com> 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click here <https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>.
Please see the Moneris Privacy Policy here <http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user