10:21 a.m.
Hi there,
I tried to configure Keycloak to authenticate against Windows Active
Directory using Kerberos credentials.
But I keep getting an Exception.
Setup is as follows:
I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final.
In addition I installed freeipa-client and added a /etc/krb5.conf file as
well as my keytab file.
But when I configure Kerberos as required in the browser flow, I get the
following Exception and the browser shows me a basic auth login dialog,
that does not allow me to log in at all.
Any ideas? How can gather more information?
13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true
useTicketCache false useKeyTab true doNotPrompt true ticketCache is null
isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab
refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.
HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is
false storePass is false clearPass is false
13:26:25,796 INFO [stdout] (default task-64) principal is
HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE
13:26:25,796 INFO [stdout] (default task-64) Will use keytab
13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded
13:26:25,796 INFO [stdout] (default task-64)
13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
(default task-47) SPNEGO login failed: java.security.PrivilegedActionException:
GSSException: Defective token detected (Mechanism level: GSSHeader did not
find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(
SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(
LDAPStorageProvider.java:542)
at org.keycloak.credential.UserCredentialStoreManager.authenticate(
UserCredentialStoreManager.java:323)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.
authenticate(SpnegoAuthenticator.java:90)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(
DefaultAuthenticationFlow.java:184)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(
AuthenticationProcessor.java:792)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(
AuthenticationProcessor.java:667)
at org.keycloak.protocol.AuthorizationEndpointBase.
handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.
buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(
AuthorizationEndpoint.java:125)
at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(
MethodInjectorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(
ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(
ResourceMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
ResourceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(
ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(
ResourceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
SynchronousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.
service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(
HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(
ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(
KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.
doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(
FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.
handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(
ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHand
ler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandl
er.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl
er.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler
.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai
ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandle
r.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand
ler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(
NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssocia
tionHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.
handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(
PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(
ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(
ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$
000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(
ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level:
GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(
GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(
GSSContextImpl.java:285)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.
establishContext(SPNEGOAuthenticator.java:172)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$
AcceptSecContext.run(SPNEGOAuthenticator.java:135)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$
AcceptSecContext.run(SPNEGOAuthenticator.java:125)
... 60 more
13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
Entering logout
13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
logged out Subject
12:26 p.m.
New subject: Kerberos Authentication throws Exception
I tweaked my config a bit and fixed an error there. It still doesn't work
correctly, but now I get an ICMP Error, after the SPNEGO Failure and a try
to login with username and password;
17:23:54,184 INFO [stdout] (default task-21) [Krb5LoginModule]
authentication failed
17:23:54,184 INFO [stdout] (default task-21) ICMP Port Unreachable
17:23:54,185 WARN [org.keycloak.services] (default task-21)
KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException:
Kerberos unreachable
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:94)
at
org.keycloak.storage.ldap.LDAPStorageProvider.validPassword(LDAPStorageProvider.java:512)
at
org.keycloak.storage.ldap.LDAPStorageProvider.isValid(LDAPStorageProvider.java:602)
at
org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:140)
at
org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:121)
at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:175)
at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:151)
at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
at
org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
at
org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
at
org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
at
org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.auth.login.LoginException: ICMP Port Unreachable
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
at
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.authenticateSubject(KerberosUsernamePasswordAuthenticator.java:128)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:90)
... 61 more
Caused by: java.net.PortUnreachableException: ICMP Port Unreachable
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at
java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)
at java.net.DatagramSocket.receive(DatagramSocket.java:812)
at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(KdcComm.java:348)
at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
at sun.security.krb5.KdcComm.send(KdcComm.java:229)
at sun.security.krb5.KdcComm.send(KdcComm.java:200)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
... 75 more
On 6 July 2017 at 17:21, Malte Finsterwalder <inofi(a)gmx.net> wrote:
Hi there,
I tried to configure Keycloak to authenticate against Windows Active
Directory using Kerberos credentials.
But I keep getting an Exception.
Setup is as follows:
I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final.
In addition I installed freeipa-client and added a /etc/krb5.conf file as
well as my keytab file.
But when I configure Kerberos as required in the browser flow, I get the
following Exception and the browser shows me a basic auth login dialog,
that does not allow me to log in at all.
Any ideas? How can gather more information?
13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true
useTicketCache false useKeyTab true doNotPrompt true ticketCache is null
isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab
refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.HANS
EMERKUR.DE(a)HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is false
storePass is false clearPass is false
13:26:25,796 INFO [stdout] (default task-64) principal is
HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE
13:26:25,796 INFO [stdout] (default task-64) Will use keytab
13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded
13:26:25,796 INFO [stdout] (default task-64)
13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
(default task-47) SPNEGO login failed: java.security.PrivilegedActionException:
GSSException: Defective token detected (Mechanism level: GSSHeader did not
find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.au
thenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(L
DAPStorageProvider.java:542)
at org.keycloak.credential.UserCredentialStoreManager.authentic
ate(UserCredentialStoreManager.java:323)
at org.keycloak.authentication.authenticators.browser.SpnegoAut
henticator.authenticate(SpnegoAuthenticator.java:90)
at org.keycloak.authentication.DefaultAuthenticationFlow.proces
sFlow(DefaultAuthenticationFlow.java:184)
at org.keycloak.authentication.AuthenticationProcessor.authenti
cateOnly(AuthenticationProcessor.java:792)
at org.keycloak.authentication.AuthenticationProcessor.authenti
cate(AuthenticationProcessor.java:667)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowse
rAuthenticationRequest(AuthorizationEndpointBase.java:123)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.b
uildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.
build(AuthorizationEndpoint.java:125)
at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
thodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
ctorImpl.java:139)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
(ResourceMethodInvoker.java:295)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
eMethodInvoker.java:249)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
tObject(ResourceLocatorInvoker.java:138)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
ceLocatorInvoker.java:107)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
tObject(ResourceLocatorInvoker.java:133)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
ceLocatorInvoker.java:101)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
nousDispatcher.java:395)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
nousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
spatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
her.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
her.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
rvletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
oFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.d
oFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
oFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
terHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
dler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
eRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssoc
iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(P
redicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociat
ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationC
allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(P
redicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler
.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentiality
ConstraintHandler.handleRequest(ServletConfident
ialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandle
r.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.ha
ndleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssocia
tionHandler.handleRequest(AbstractSecurityContextAssociation
Handler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(P
redicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
ndler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(P
redicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(P
redicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
stRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
equest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$00
0(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
equest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
ge.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
Executor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
lExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level:
GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
Impl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
Impl.java:285)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.es
tablishContext(SPNEGOAuthenticator.java:172)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
ceptSecContext.run(SPNEGOAuthenticator.java:135)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
ceptSecContext.run(SPNEGOAuthenticator.java:125)
... 60 more
13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
Entering logout
13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
logged out Subject
1:51 a.m.
New subject: Kerberos Authentication throws Exception
Do you have "/etc/krb5.conf" file on the server where your Keycloak is
deployed? In this file you need to have configuration of kerberos realm
corresponding to the kerberos realm you used in the Keycloak LDAP
storage provider configuration. The host/port of kdc needs to be
accessible through network. The configuration of kdc in the
/etc/krb5.conf file can look like this for example:
KEYCLOAK.ORG={
kdc = localhost:6088
}
Marek
On 06/07/17 19:26, Malte Finsterwalder wrote:
I tweaked my config a bit and fixed an error there. It still
doesn't work
correctly, but now I get an ICMP Error, after the SPNEGO Failure and a try
to login with username and password;
17:23:54,184 INFO [stdout] (default task-21) [Krb5LoginModule]
authentication failed
17:23:54,184 INFO [stdout] (default task-21) ICMP Port Unreachable
17:23:54,185 WARN [org.keycloak.services] (default task-21)
KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException:
Kerberos unreachable
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:94)
at
org.keycloak.storage.ldap.LDAPStorageProvider.validPassword(LDAPStorageProvider.java:512)
at
org.keycloak.storage.ldap.LDAPStorageProvider.isValid(LDAPStorageProvider.java:602)
at
org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:140)
at
org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:121)
at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:175)
at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:151)
at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
at
org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
at
org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
at
org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
at
org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.auth.login.LoginException: ICMP Port Unreachable
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
at
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.authenticateSubject(KerberosUsernamePasswordAuthenticator.java:128)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:90)
... 61 more
Caused by: java.net.PortUnreachableException: ICMP Port Unreachable
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at
java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)
at java.net.DatagramSocket.receive(DatagramSocket.java:812)
at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(KdcComm.java:348)
at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
at sun.security.krb5.KdcComm.send(KdcComm.java:229)
at sun.security.krb5.KdcComm.send(KdcComm.java:200)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
... 75 more
On 6 July 2017 at 17:21, Malte Finsterwalder <inofi(a)gmx.net> wrote:
> Hi there,
>
> I tried to configure Keycloak to authenticate against Windows Active
> Directory using Kerberos credentials.
> But I keep getting an Exception.
>
> Setup is as follows:
>
> I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final.
> In addition I installed freeipa-client and added a /etc/krb5.conf file as
> well as my keytab file.
>
> But when I configure Kerberos as required in the browser flow, I get the
> following Exception and the browser shows me a basic auth login dialog,
> that does not allow me to log in at all.
>
> Any ideas? How can gather more information?
>
> 13:26:25,796 INFO [stdout] (default task-64) Debug is true storeKey true
> useTicketCache false useKeyTab true doNotPrompt true ticketCache is null
> isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab
> refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.HANS
> EMERKUR.DE(a)HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is false
> storePass is false clearPass is false
> 13:26:25,796 INFO [stdout] (default task-64) principal is
> HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE(a)HH.HANSEMERKUR.DE
> 13:26:25,796 INFO [stdout] (default task-64) Will use keytab
> 13:26:25,796 INFO [stdout] (default task-64) Commit Succeeded
> 13:26:25,796 INFO [stdout] (default task-64)
>
> 13:19:24,501 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
> (default task-47) SPNEGO login failed: java.security.PrivilegedActionException:
> GSSException: Defective token detected (Mechanism level: GSSHeader did not
> find the right tag)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.au
> thenticate(SPNEGOAuthenticator.java:68)
> at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(L
> DAPStorageProvider.java:542)
> at org.keycloak.credential.UserCredentialStoreManager.authentic
> ate(UserCredentialStoreManager.java:323)
> at org.keycloak.authentication.authenticators.browser.SpnegoAut
> henticator.authenticate(SpnegoAuthenticator.java:90)
> at org.keycloak.authentication.DefaultAuthenticationFlow.proces
> sFlow(DefaultAuthenticationFlow.java:184)
> at org.keycloak.authentication.AuthenticationProcessor.authenti
> cateOnly(AuthenticationProcessor.java:792)
> at org.keycloak.authentication.AuthenticationProcessor.authenti
> cate(AuthenticationProcessor.java:667)
> at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowse
> rAuthenticationRequest(AuthorizationEndpointBase.java:123)
> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.b
> uildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.
> build(AuthorizationEndpoint.java:125)
> at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
> thodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
> ctorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
> (ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
> eMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
> tObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
> ceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
> tObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
> ceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
> nousDispatcher.java:395)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
> nousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
> spatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
> her.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
> her.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
> rvletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
> oFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
> oFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
> oFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
> terHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
> dler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
> eRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssoc
> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociat
> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationC
> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentiality
> ConstraintHandler.handleRequest(ServletConfident
> ialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.ha
> ndleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssociation
> Handler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
> ndler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
> stRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
> equest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
> 0(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
> equest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
> ge.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
> Executor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
> lExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)
> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
> Impl.java:306)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
> Impl.java:285)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.es
> tablishContext(SPNEGOAuthenticator.java:172)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
> ceptSecContext.run(SPNEGOAuthenticator.java:135)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
> ceptSecContext.run(SPNEGOAuthenticator.java:125)
> ... 60 more
>
> 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
> Entering logout
> 13:26:25,798 INFO [stdout] (default task-64) [Krb5LoginModule]:
> logged out Subject
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2711
days inactive
2717
days old
2 comments
2 participants
participants (2)
-
Malte Finsterwalder -
Marek Posolda