Hi all,
Any tips setting up Kerberos SPNEGO with Keycloak if Keycloak is reverse proxied? I
have everything working if I access the Keycloak host directly, but if I access via a
reverse proxy the SPENGO doesn't work. I assume this has to do with Kerberos SPNEGO
strict hostname and principal naming. I have even tried setting the password/key (and
kvno) the same for both HTTP/proxy.example.com and HTTP/keycloak.example.com principals.
I've also updated the /etc/krb5.conf libdefaults ignore_acceptor_hostname = true, but
that seems to be ignored by Keycloak. In fact, Keycloak appears to require a hard-coded
principal name, which isn't going to match the requested service principal name when
requests go through the reverse proxy. Has anyone dealt with this before?
Oddly, this isn't a problem for Windows Active Directory principals / SPNs (Micrsoft
implementation) - if setspn.exe configures same principal to both hostnames. Just MIT
Kerberos KDC and principals seem to have a problem with reverse proxies (Red Hat Identity
Manager / FreeIPA wrapper around MIT Kerberos).
Ryan
Show replies by date