Its unfortunately part of the spnego protocol:
The server responds with a 401 and then the browser tries authenticating with Kerberos.
The server has no idea if the client trusts it for Kerberos or not until after the 401 and
then a negotiation is started.
Best bet would be to somehow configure it as one possible login button that a user could
From: keycloak-user-bounces(a)lists.jboss.org [keycloak-user-bounces(a)lists.jboss.org] on
behalf of Janik [janik-keycloak(a)familie-krallmann.de]
Sent: Thursday, February 28, 2019 11:53 AM
Subject: [keycloak-user] Authentication with Kerberos and login screen fallback
I have an web application where I'd like to use Keycloak for
authentication. If possible the user should login via Kerberos. If not
use login screen.
On my computer I have a valid Kerberos ticket and the login works fine.
If I try to login for example from another device I always get the
error-code 401. I expected to get the login screen instead. If I
configure the trusted-uris on these device the login screen appears.
I successfully configured an LDAP User Federation provider with Kerberos
integration. I used this instructions
to create the authentication flows.
Is it possible to use Kerberos authentication from known devices and use
the login screen from unknown devices where I can't configure
trusted-uris? One example could be my mobile phone where I'm not able to
Thanks in advance.
keycloak-user mailing list