There are a few tricky things here. You need to ensure that the client
(/etc/krb5.conf) is configured to request forwardable tickets (flag
"forwardable"; see the krb5 docs for more details).
The browser also needs to be properly configured. For example, FF needs
to have the property "network.negotiate-auth.delegation-uris" contain the
proper URI.
Once you have both of those, I suggest enabling DEBUG logging for the class
org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator and checking that,
after authentication, you have the kerberos ticket with "credDelegState"
set to true. If not, something is missing in the kerberos setup. If yes,
you just need to configure the mapper on the KC side. For details about the mapper,
see the docs and also the example from the keycloak-examples distribution,
which uses kerberos credential delegation:
https://github.com/keycloak/keycloak/tree/master/examples/kerberos
Marek
On 17/01/2019 18:43, Chris Smith wrote:
No one has suggestions?
-----Original Message-----
From: Chris Smith
Sent: Monday, January 14, 2019 11:42 AM
To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
Subject: Kerberos Credential Delegation
I have a web app that is secured by KC and uses Active Directory to authenticate users.
I have a requirement to get a Kerberos ticket (GSSCredential) to connect to an IBM i Server.
SSO/EIM is successfully setup on the IBM i.
My Web app is following the instructions at
https://www.keycloak.org/docs/latest/server_admin/index.html#credential-d...
My servlet code
// Inside testing.LogIn.doGet(request, response); wtr is the response writer
KeycloakPrincipal<KeycloakSecurityContext> kcp =
        (KeycloakPrincipal<KeycloakSecurityContext>) request.getUserPrincipal();
AccessToken at = kcp.getKeycloakSecurityContext().getToken();
String username = at.getPreferredUsername();
System.out.println(at.getName());
wtr.append("Windows User: ").append(username).append('\n');
// Retrieve kerberos credential from accessToken and deserialize it
Map<String, Object> otherClaims = at.getOtherClaims();
String otherClaim = (String) otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(otherClaim);
The otherClaims map is always empty.
KerberosSerializationUtils.deserializeCredential(otherClaim) throws this exception since
otherClaim is null:
org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_192, runtime version: 1.8.0_192-b12, vendor: Oracle Corporation, os: 6.2
    at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)
    at testing.LogIn.doGet(LogIn.java:71)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
    at org.keycloak.adapters.tomcat.AbstractAuthenticatedActionsValve.invoke(AbstractAuthenticatedActionsValve.java:67)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:604)
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:181)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1152)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Kerberos delegation is enabled in the browser, and so is the mapping of the gss credential to the access token.
What am I missing?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
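An added example, not code from either poster or from Keycloak itself: a servlet-side helper that does what Chris's snippet does, but checks each precondition Marek lists (the claim only exists when the browser delegated and the GSS credential mapper is configured) and returns a reason instead of letting deserializeCredential throw on null. The class and Result type are hypothetical; the Keycloak and JGSS types are the ones used in the thread, with the package names assumed from the Keycloak adapter API.

```java
import javax.servlet.http.HttpServletRequest;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.KerberosSerializationUtils;
import org.keycloak.representations.AccessToken;

/** Hypothetical helper: returns the delegated GSSCredential, or the reason it is unusable. */
public final class DelegatedCredentialLookup {

    /** Either a usable credential or a diagnostic reason for the application log. */
    public static final class Result {
        public final GSSCredential credential; // null when unavailable
        public final String reason;            // non-null when credential is null
        Result(GSSCredential c, String r) { credential = c; reason = r; }
    }

    public static Result lookup(HttpServletRequest request) {
        Object principal = request.getUserPrincipal();
        if (!(principal instanceof KeycloakPrincipal)) {
            return new Result(null, "request is not authenticated by the Keycloak adapter");
        }
        @SuppressWarnings("unchecked")
        KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>) principal;
        AccessToken token = kcp.getKeycloakSecurityContext().getToken();

        // The serialized credential is a custom claim; it is present only when the browser
        // delegated (credDelegState=true) AND the realm has the GSS credential mapper.
        Object claim = token.getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
        if (!(claim instanceof String)) {
            return new Result(null, "claim " + KerberosConstants.GSS_DELEGATION_CREDENTIAL
                    + " absent: browser did not delegate or the GSS credential mapper is not configured");
        }
        try {
            GSSCredential cred = KerberosSerializationUtils.deserializeCredential((String) claim);
            // A delegated ticket still expires; do not hand out one that is already dead.
            if (cred.getRemainingLifetime() <= 0) {
                return new Result(null, "delegated credential has expired; the user must re-authenticate");
            }
            // Connecting onward (here, to the IBM i) requires an initiating credential.
            int usage = cred.getUsage();
            if (usage != GSSCredential.INITIATE_ONLY && usage != GSSCredential.INITIATE_AND_ACCEPT) {
                return new Result(null, "delegated credential cannot initiate contexts (usage=" + usage + ")");
            }
            return new Result(cred, null);
        } catch (GSSException e) {
            return new Result(null, "GSS error while inspecting credential: " + e.getMessage());
        } catch (KerberosSerializationUtils.KerberosSerializationException e) {
            return new Result(null, "credential could not be deserialized: " + e.getMessage());
        }
    }
}
```

When the returned reason says the claim is absent, that matches the "Null credential given as input" exception in the thread, and the next step is Marek's check of credDelegState in the SPNEGOAuthenticator DEBUG log rather than anything in the servlet.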