10:30 p.m.
Downgrading is not an option as RHSSO 7.1 supports only openjdk 1.8.
After updating to latest 1.8 via RHEL repo and restarting keycloak it appears working.
What version of JDK are you using?
-----Original Message-----
From: Adam Keily
Sent: Thursday, 4 May 2017 9:01 AM
To: 'Marek Posolda' <mposolda(a)redhat.com>
Subject: RE: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe
it's related to this bug in JDK 1.8. https://bugs.openjdk.java.net/browse/JDK-8078439
For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I
think you'll be ok.
Adam
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Marek Posolda
Sent: Wednesday, 3 May 2017 4:24 PM
To: Hendrik Dev <hendrikdev22(a)gmail.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
Sorry, I don't have much to add :( It seems you would need to fix your environment and
windows domain configuration to use Kerberos/SPNEGO tokens instead of NTLM. Few posts with
possible tips&tricks I found during quick googling:
http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-...
http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerb...
https://archive.sap.com/discussions/thread/998107
Marek
On 02/05/17 17:04, Hendrik Dev wrote:
bump
On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev <hendrikdev22(a)gmail.com> wrote:
> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda <mposolda(a)redhat.com> wrote:
>> On 24/04/17 18:55, Hendrik Dev wrote:
>>> Hi,
>>>
>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>>> Purpose is to provide single sign on for users logging in via IE
>>> from a windows domain.
>>> Keycloak itself is running on centOS, Kerberos server is Active
>>> Directory. The setup is working so far because i can login via
>>> 'curl --negotiate'. There are also several other java applications
>>> running in this environment which are capable of doing SPNEGO over
>>> Kerberos authentication successfully.
>>>
>>> If the user access a Keycloak protected application the SPNEGO
>>> login does not work and the Keycloak login page is displayed instead.
>>> In the logs i see "Defective token detected (Mechanism level:
>>> GSSHeader did not find the right tag)" and thats totally right
>>> because the browser sends
>>> 'Negotiate:
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>>> which is a SPENEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>
>>> For me it looks like the browser never gets either a
>>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>>> In other words: The browser seems to never gets challenged to do
>>> SPNEGO over Kerberos.
>> I will try to summarize if I understand correctly:
>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
>> Negotiate ntlm-token-is-here"
>> 3) Keycloak replied with "WWW-Authenticate: Negotiate
>> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>> 4) Your browser didn't reply anything back
>>
>> Is it correct?
> Sorry no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from
keycloak.
> As i said, the browser does not get a challenge.
>
>
>
>> It seems that your browser doesn't have kerberos ticket, hence
>> that's why it uses NTLM instead. I think the best would be to fix
>> your environment, so that it will send Kerberos token instead of NTLM at the step
2.
>>
>> Marek
>>
>>> I already tried to fix it
>>>
>>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad
>>> 2ae25ce0d9cd703) but this oddly just ends up in a Basic Auth popup
>>> from the browser.
>>> For the client app the standard flow as well as direct access
>>> grants is enabled.
>>>
>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>>> loadbalancer and Kerberos is setup within the LDAP Federation ()
>>>
>>> Any ideas?
>>>
>>> Thanks
>>> Hendrik
>>>
>
>
> --
> Hendrik Saly (salyh, hendrikdev22)
> @hendrikdev22
> PGP: 0x22D7F6EC
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
5:38 a.m.
New subject: Kerberos/SPNEGO Problem with Keycloak 3.0.0
Hi Adam,
i tried 1.8.0_31 but it does not work. Currently we use
java-1.8.0-openjdk-1.8.0.131-2.b11.el7_3.x86_64
Here are screenshots of the request flow (reg1.uat.xxx ist the secured
application):
On Thu, May 4, 2017 at 5:30 AM, Adam Keily <adam.keily(a)adelaide.edu.au> wrote:
Downgrading is not an option as RHSSO 7.1 supports only openjdk 1.8.
After updating to latest 1.8 via RHEL repo and restarting keycloak it appears working.
What version of JDK are you using?
-----Original Message-----
From: Adam Keily
Sent: Thursday, 4 May 2017 9:01 AM
To: 'Marek Posolda' <mposolda(a)redhat.com>
Subject: RE: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe
it's related to this bug in JDK 1.8. https://bugs.openjdk.java.net/browse/JDK-8078439
For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier
I think you'll be ok.
Adam
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org
[mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Marek Posolda
Sent: Wednesday, 3 May 2017 4:24 PM
To: Hendrik Dev <hendrikdev22(a)gmail.com>
Cc: keycloak-user(a)lists.jboss.org
Subject: Re: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
Sorry, I don't have much to add :( It seems you would need to fix your environment
and windows domain configuration to use Kerberos/SPNEGO tokens instead of NTLM. Few posts
with possible tips&tricks I found during quick googling:
http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-...
http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerb...
https://archive.sap.com/discussions/thread/998107
Marek
On 02/05/17 17:04, Hendrik Dev wrote:
> bump
>
> On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev <hendrikdev22(a)gmail.com> wrote:
>> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda <mposolda(a)redhat.com>
wrote:
>>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>> Hi,
>>>>
>>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>>>> Purpose is to provide single sign on for users logging in via IE
>>>> from a windows domain.
>>>> Keycloak itself is running on centOS, Kerberos server is Active
>>>> Directory. The setup is working so far because i can login via
>>>> 'curl --negotiate'. There are also several other java
applications
>>>> running in this environment which are capable of doing SPNEGO over
>>>> Kerberos authentication successfully.
>>>>
>>>> If the user access a Keycloak protected application the SPNEGO
>>>> login does not work and the Keycloak login page is displayed instead.
>>>> In the logs i see "Defective token detected (Mechanism level:
>>>> GSSHeader did not find the right tag)" and thats totally right
>>>> because the browser sends
>>>> 'Negotiate:
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>>>> which is a SPENEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>>
>>>> For me it looks like the browser never gets either a
>>>> 'WWW-Authenticate: Negotiate' header or a 401 status from
Keycloak.
>>>> In other words: The browser seems to never gets challenged to do
>>>> SPNEGO over Kerberos.
>>> I will try to summarize if I understand correctly:
>>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
>>> Negotiate ntlm-token-is-here"
>>> 3) Keycloak replied with "WWW-Authenticate: Negotiate
>>> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>>> 4) Your browser didn't reply anything back
>>>
>>> Is it correct?
>> Sorry no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from
keycloak.
>> As i said, the browser does not get a challenge.
>>
>>
>>
>>> It seems that your browser doesn't have kerberos ticket, hence
>>> that's why it uses NTLM instead. I think the best would be to fix
>>> your environment, so that it will send Kerberos token instead of NTLM at the
step 2.
>>>
>>> Marek
>>>
>>>> I already tried to fix it
>>>>
>>>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad
>>>> 2ae25ce0d9cd703) but this oddly just ends up in a Basic Auth popup
>>>> from the browser.
>>>> For the client app the standard flow as well as direct access
>>>> grants is enabled.
>>>>
>>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>>>> loadbalancer and Kerberos is setup within the LDAP Federation ()
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks
>>>> Hendrik
>>>>
>>
>>
>> --
>> Hendrik Saly (salyh, hendrikdev22)
>> @hendrikdev22
>> PGP: 0x22D7F6EC
>
>
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
--
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC
2581
days inactive
2581
days old
1 comments
2 participants
participants (2)
-
Adam Keily -
Hendrik Dev