Hi, I'm trying to set up user authentication mechanism for my website using Keycloak and Kerberos protocol. I have followed instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-... In Keycloak configuration menu I have changed Authentication Flow for Browser Kerberos from alternative to required. settings<http://i.imgur.com/hgAnHJJ.png>;. But after that when I'm going to my web page I got message "Kerberos is not set up. You cannot login." After enabling -Dsun.security.krb5.debug=true and -Dsun.security.spenego.degug=true and change Kerberos authentication from required to alternative, the server log is the following: 13:17:06,116 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (defaul t task-17) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP C onfiguration: {serverPrincipal=[HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.L OCAL], pagination=[true], fullSyncPeriod=[-1], connectionPooling=[true], usersDn =[dc=sanbox,dc=local], cachePolicy=[DEFAULT], useKerberosForPasswordAuthenticati on=[true], importEnabled=[true], enabled=[true], bindDn=[CN=keycloak,CN=Users,DC =sanbox,DC=local], usernameLDAPAttribute=[cn], changedSyncPeriod=[-1], lastSync= [1530011208], vendor=[ad], uuidLDAPAttribute=[objectGUID], allowKerberosAuthenti cation=[true], connectionUrl=[ldap://sb-ad.sanbox.local:389], syncRegistrations= [false], authType=[simple], debug=[true], searchScope=[2], useTruststoreSpi=[lda psOnly], keyTab=[C:\\keycloak.keytab], kerberosRealm=[SANBOX.LOCAL], priority=[0 ], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn] , editMode=[WRITABLE], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: [] 13:17:06,135 INFO [stdout] (default task-17) Debug is true storeKey true useTi cketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\\keycloak.keytab refreshKrb5Config is false principal is HTTP S/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL tryFirstPass is false useFirstP ass is false storePass is false clearPass is false 13:17:06,138 INFO [stdout] (default task-17) principal is HTTPS/facultativoskey cloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,139 INFO [stdout] (default task-17) Will use keytab 13:17:06,140 ERROR [stderr] (default task-17) [LoginContext]: login success 13:17:06,142 INFO [stdout] (default task-17) Commit Succeeded 13:17:06,142 INFO [stdout] (default task-17) 13:17:06,143 ERROR [stderr] (default task-17) [LoginContext]: commit success 13:17:06,150 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,151 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,153 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,154 INFO [stdout] (default task-17) Found KeyTab C:\keycloak.keytab fo r HTTPS/facultativoskeycloak.sanbox.local(a)SANBOX.LOCAL 13:17:06,157 INFO [stdout] (default task-17) Entered SpNegoContext.acceptSecCon text with state=STATE_NEW 13:17:06,158 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: re ceiving token = a0 6b 30 69 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 0 9 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e a2 35 04 33 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 06 00 06 00 2d 00 00 00 05 00 05 00 28 00 00 00 06 03 80 25 00 00 00 0f 53 42 2d 4 7 49 53 41 4e 42 4f 58 13:17:06,160 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10 13:17:06,162 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2 13:17:06,164 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2 13:17:06,164 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30 13:17:06,165 INFO [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mech Token 13:17:06,165 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: re ceived token of type = SPNEGO NegTokenInit 13:17:06,166 INFO [stdout] (default task-17) SpNegoContext: negotiated mechanis m = 1.2.840.113554.1.2.2 13:17:06,166 INFO [stdout] (default task-17) The underlying mechanism context h as not been initialized 13:17:06,168 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: me chanism wanted = 1.2.840.113554.1.2.2 13:17:06,170 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: ne gotiated result = ACCEPT_INCOMPLETE 13:17:06,172 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: se nding token of type = SPNEGO NegTokenTarg 13:17:06,172 INFO [stdout] (default task-17) SpNegoContext.acceptSecContext: se nding token = a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02 13:17:06,173 INFO [stdout] (default task-17) [Krb5LoginModule]: Enter ing logout 13:17:06,174 INFO [stdout] (default task-17) [Krb5LoginModule]: logge d out Subject 13:17:06,175 ERROR [stderr] (default task-17) [LoginContext]: logout success Aditional information: +Keycloak is installed in Windows Server 2012. +Command to create keytabfile: ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL<mailto:HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL> -mapUser Keycloak@SANBOX.LOCAL<mailto:Keycloak@SANBOX.LOCAL> -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT +Configuration KRB5.ini located in c:\windows [domain_realm] .sanbox.local = SANBOX.LOCAL sanbox.local = SANBOX.LOCAL [libdefaults] default_realm = SANBOX.LOCAL permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5 [realms] SANBOX.LOCAL = { kdc = sb-ad.sanbox.local admin_server = sb-ad.sanbox.local default_domain = SANBOX.LOCAL } +Kerberos Integration: Allow Kerberos authentication: YES Kerberos Realm SANBOX.LOCAL Server Principal HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL<mailto:HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL> KeyTab C:/keycloak.keytab Debug YES Use Kerberos For Password Authentication YES Regards AVISO LEGAL El contenido de este mensaje de correo electrónico, incluidos los ficheros adjuntos, es confidencial y está protegido por el secreto de las comunicaciones. Si usted recibe este mensaje por error, por favor notifique dicha circunstancia al remitente, borre el mensaje y no use, guarde, divulgue o copie su contenido. LEGAL NOTICE The contents of this email transmission and of any attached documents are confidential and are protected by the secrecy of correspondence. If you have received this message in error, please notify the sender and delete this message without using, storing, disclosing or copying its contents.