On 18/07/17 22:07, Steven Mirabito wrote: > Hey, > > I have Keycloak configured to check passwords against an MIT Kerberos > server in my user federation source, and that works fine. I then set the > Kerberos authentication type to "alternative" - most of our users will be > coming in from personal devices where they'll just log in via the form, but > we do have a shared machine where this would be nice to have. However, I > started receiving complaints that when this option is enabled, any browser > under Windows will show a basic auth dialog which the user has to cancel > out of to reach the login page (other platforms show a blank "Kerberos > Unsupported" page and then redirect to the normal login page without a > dialog). To make matters worse, I can't seem to turn the option off now - > switching the Kerberos auth type to "disabled" will work for a little bit, > but after a short period of time it will turn itself back on and users will > start to see the basic auth dialog again. > > Are these known issues? Ideally, I'd like to be able to have the Kerberos > auth type enabled, but a solution to keep it disabled in the meantime would > be greatly appreciated as well. For the first question, I don't know how to disable the basic auth prompt TBH. I didn't tested on Windows. Are all the browsers like IE, Firefox, Chrome behave like this or just IE?

Maybe there is some switch in Windows domain or in browser to disable those prompts. Checked some sites, but not sure what is relevant: https://www.lansweeper.com/kb/141/enabling-or-disabling-login-prompts.html . Other option is to change authentication flow and replace SpnegoAuthenticator with custom one, which will return header 400 instead of 401 . See this https://stackoverflow.com/questions/9859627/how-to-prevent-browser-to-inv... . However not sure if automatic kerberos/spnego authentication will still work in case that user has kerberos ticket, I guess likely not :/ For the second question, Kerberos authenticator is switched to ALTERNATIVE when you create or edit Kerberos federation provider or LDAP provider with Kerberos switched ON. So if you disable Kerberos on your LDAP storage provider or remove Kerberos provider, it won't change from DISABLED to ALTERNATIVE anymore. Marek > > Thank you! > -Steven > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

On 07/19/2017 10:45 AM, John Dennis wrote: > This is a known issue with just IE. I first became aware of it with > Red Hat's IPA product (I often work with that team). Let me ping > those folks and see if there is a known resolution. OK, I got an answer back, here is what was said: > https://bugzilla.redhat.com/show_bug.cgi?id=1309041 > > tl;dr it's a problem in IE, Edge, and Chrome on Windows. They both use > the same library to handle authenticate. HTTP Status Code 401 + > "WWW-Authenticate: Negotiate" header cause the log-in prompt to pop up. > I was even able to reproduce it with a very simple Python server that > just emits the status code and header. > > Until this issue is fixed by Microsoft, there is only one workaround: > use some sort of browser detection and don't return "WWW-Authenticate: > Negotiate" HTTP header for any IE, Edge, and Chrome on Windows.