[keycloak-dev] Only first of multiple Kerberos federations can authenticate
Jim Groffen
jim.groffen at gmail.com
Wed May 9 05:13:09 EDT 2018
Hello again,
I have a need to define two (or more) Kerberos federations to support
Kerberos service tickets from either realm. I have a different keytab file
for each realm.
Lets say I create a federation for REALM A with priority 1, and a second
federation for REALM B with priority 2.
When I attempt authentication as a user from REALM A I have no problem, but
a user from REALM B fails.
Checking the logs I can see that KeyCloak attempts to decrypt the REALM B
service ticket with the REALM A keytab and fails. Instead of moving on to
the lower priority REALM B federation, the Kerberos step of the auth flow
fails and moves on to the next step.
Should I raise a new JIRA issue for this problem?
I have successfully fixed this problem in my environment, but I am unsure
as to which approach is best, and want to make sure I'm fixing the issue
for everyone not just myself. Here are two options:
1: Only allow lower priority federations to attempt auth in certain
situations
This solution detects why authentication failed and will only let other
federations attempt authentication if the ticket couldn't be decrypted -
indicating the ticket received was likely encrypted with a different key:
https://github.com/jgroffen/keycloak/commit/9860189b7075c8f5a55f542cc68d5926584b2f65
2: Let all Kerberos federations attempt auth in priority order until one
succeeds or all fail.
https://github.com/jgroffen/keycloak/commit/5fa98dd429acb220ce06186639540e5d74252c8b
Are either of these solutions viable?
I found both Kerberos and LDAP federations with Kerberos enabled affected,
so I'm looking at fixing both.
Cheers,
More information about the keycloak-dev
mailing list