[keycloak-user] Keycloak single sign on with Keberos(AD)
Zhou, Limin (Ray)
raymond.zhou at moneris.com
Thu Jul 28 13:42:03 EDT 2016
Hello Marek or anyone else
I was busy with something else in the past days, right now I am backing to this single sign-on again, according to our sys admin, they don’t see any configuration issues on the AD side, so by test it again
I have a lot of questions around it, could you please take a look and give me some insight look, thanks ahead.
the log can be divided into 4 parts
part1 : begin - 10:47:25,500 (started the server)
part2 : 10:49:29,067 - 10:49:29,160 (open IE and hit application url) failed to login automatically, prompt to login page, in here beside the exception I am not able to see more handshake message between keycloak and browser, why? should I turn on more logging?
part3 : 10:50:22,306 - 10:50:23,476 (first try by entering username/password) failed to login manually, back to login page, from here I can see some token had been read, but it failed at the end
part4 : 10:50:41,736 - end (second try by entering username/password) succeeded to login, could you please explain why it succeeded this time.
P.S please find the latest log from the attachment
raymond
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Thursday, June 30, 2016 5:14 AM
To: Zhou, Limin (Ray)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
Adding list back again for tracking (Ray, please use "Reply all" when reply to the mails).
From my googling, it seems that DefectiveTokenDetected can happen for NTLM requests as well. Btv. I found some tips on StackOverflow how to prevent use NTLM instead of Kerberos5 http://stackoverflow.com/questions/2973355/defective-token-deteced-error-ntlm-not-kerberos-with-kerberos-spring-securit . Maybe something from those will help:
- Use different machines for client (browser) and keycloak server
- Ensure both machines are in windows domain
- Use some different encryptions in kerberos client file. ( krb5.ini ) file. The post mentions "arcfour-hmac-md5" however the post is 6 years old :) Still it might help to add/remove some encryptions from krb5.ini file and check if client machine and IE will use krb5 ticket instead of NTLM
- Fix DNS records or "SPN records" (I don't have a clue what it is :) So see post for more details)
Marek
On 29/06/16 16:41, Zhou, Limin (Ray) wrote:
Marek
I sent you two log files yesterday via two emails, I am able to see your analysis(such OID etc.) from the first log, but not the second logs, in the second log we were getting GSSException instead of the hand shake message, I am wondering why it likes this, and are they the same thing regarding my issues?
Sorry to disturb you again
Raymond
P.S I have attached the two logs again for you to reference
From: Zhou, Limin (Ray)
Sent: Wednesday, June 29, 2016 10:18 AM
To: 'Marek Posolda'
Subject: RE: [keycloak-user] Keycloak single sign on with Keberos(AD)
Marek
Thank you so much for your analysis, I am wondering whether you can tell me how you mapped your diagnose with the server.log line#? I think this will help us more when we tuning either our bowser and domain setting, because I cannot see any 401 heading, first OID, the KRB5 OLD from the log file
Really appreciate your help
Raymond
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Wednesday, June 29, 2016 4:01 AM
To: Zhou, Limin (Ray)
Cc: keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
Hi Raymond,
returning keycloak-user list back for tracking purposes.
What I can see in the server.log is happening is that:
- Keycloak ask browser to send SPNEGO token (by sending 401 with "WWW-Authenticate: Negotiate" header). So far everything as expected
- Browser replies with SPNEGO token, however it uses NTLM as the preferred choice ( First OID is 1.3.6.1.4.1.311.2.2.10 ) together with NTLM token. The KRB5 OID ( 1.2.840.113554.1.2.2 ) is in the supported mechanisms too.
- Keycloak replies with NegTokenTarg token when it's asking for sending SPNEGO token backed by KRB5 instead of NTLM (as Keycloak doesn't understant NTLM atm. There is related discussion on keycloak-user http://lists.jboss.org/pipermail/keycloak-user/2016-June/006758.html )
- Browser doesn't respond to NegTokenTarg with SPNEGO+KRB5 token anymore
Not sure what are your possibilities TBH. Either somehow setup browser to reply to second request with NegTokenTarg and send SPNEGO+KRB5 token. Or re-configure your Windows domain (or client machines + browser) to skip using NTLM. Right now, I don't have any clue how to do that TBH.
Marek
On 28/06/16 21:58, Zhou, Limin (Ray) wrote:
Hi Marek
If you haven’t looked at my previous server.log, then use this one instead, in this log we were getting an exception
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
When we hit the url, maybe this will make things easier
Please let me know if you need anything more
Thanks a lot
Raymond
From: Zhou, Limin (Ray)
Sent: Tuesday, June 28, 2016 10:00 AM
To: 'Marek Posolda'
Subject: RE: [keycloak-user] Keycloak single sign on with Keberos(AD)
Hi Marek
I have attached my keycloak server log to you, after adding the two properties, we can see an exception shows up when I hitting my url, after the exception, I think the default keycloak login page shows up, and rest of the log were generated by my manual login
Hope this can give us some clue
Thanks a lot
Raymond
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, June 28, 2016 1:43 AM
To: Zhou, Limin (Ray)
Subject: Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
Thanks Raymond,
is it possible to also enable the system properties -Dsun.security.krb5.debug=true and -Dsun.security.spnego.debug=true and see if there are some more details in the log? You can add system properties either directly to standalone/configuration/standalone.xml file or by adding them to java opts in bin/standalone.conf
Thanks,
Marek
On 27/06/16 23:18, Zhou, Limin (Ray) wrote:
Hello Marek
Thanks for answering my post, following are the log piece after hitting the first page, hope this helps.
Please let me know if you need anything more
Thank you so much
Raymond
2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\FIRMS-domain\kcsso.keytab refreshKrb5Config is false principal is HTTP/t430-pbdc41e.monad.moneris.com at MONAD.MONERIS.COM<mailto:HTTP/t430-pbdc41e.monad.moneris.com at MONAD.MONERIS.COM> tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2016-06-27 17:11:13,453 INFO [stdout] (default task-24) principal is HTTP/t430-pbdc41e.monad.moneris.com at MONAD.MONERIS.COM<mailto:HTTP/t430-pbdc41e.monad.moneris.com at MONAD.MONERIS.COM>
2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Will use keytab
2016-06-27 17:11:13,453 INFO [stdout] (default task-24) Commit Succeeded
2016-06-27 17:11:13,453 INFO [stdout] (default task-24)
2016-06-27 17:11:13,454 INFO [stdout] (default task-24) [Krb5LoginModule]: Entering logout
2016-06-27 17:11:13,454 INFO [stdout] (default task-24) [Krb5LoginModule]: logged out Subject
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Monday, June 27, 2016 5:55 AM
To: Zhou, Limin (Ray); keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
Subject: Re: [keycloak-user] Keycloak single sign on with Keberos(AD)
It may help if you enable all the possible debug/trace logging and post the log here. This may give more info what is the issue. See docs how to enable logging : https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/topics/authentication/kerberos.html
Try to send the log from the point once you trigger the authentication request (or from the point when you hit your app URL)
Thanks,
Marek
On 24/06/16 20:22, Zhou, Limin (Ray) wrote:
Hello everyone
I am new to Keycloak and new to here
Our web application is running on Jboss EAP 7, We have configured KeyCloak standalone server 1.9.7 running on different port(same server box) to manage the user authentication and authorization, behind KeyCloak we have configured Keberos in User Federation to talk our company AD server, we are able to login by using our AD account, but not in single sign on way, each time when we hitting the our app URL, the Keycloak login page will show up.
It looks like the TGT or ST hand shake was not successful, is there any document I can reference it to debug the issue?
Any comments or suggestion would be very welcome
thanks in advance
raymond
________________________________
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com<http://www.moneris.com> 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click here<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>. Please see the Moneris Privacy Policy here<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
________________________________
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com<http://www.moneris.com> 1-866-319-7450
Si vous désirez enlever votre nom de la liste d’envoi de Moneris, veuillez cliquer ici<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA>. Veuillez consulter la Politique de confidentialité de Moneris ici<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA%20>.
Ce courriel peut contenir des renseignements confidentiels ou privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune obligation connexe. La distribution, l’utilisation ou la reproduction du présent courriel ou des renseignements qu’il contient par une personne autre que son destinataire prévu sont interdites. Si vous avez reçu ce courriel par erreur, veuillez m’en aviser immédiatement (par retour de courriel ou autrement).
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org<mailto:keycloak-user at lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-user
________________________________
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com<http://www.moneris.com> 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click here<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>. Please see the Moneris Privacy Policy here<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
________________________________
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com<http://www.moneris.com> 1-866-319-7450
Si vous désirez enlever votre nom de la liste d’envoi de Moneris, veuillez cliquer ici<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA>. Veuillez consulter la Politique de confidentialité de Moneris ici<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA%20>.
Ce courriel peut contenir des renseignements confidentiels ou privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune obligation connexe. La distribution, l’utilisation ou la reproduction du présent courriel ou des renseignements qu’il contient par une personne autre que son destinataire prévu sont interdites. Si vous avez reçu ce courriel par erreur, veuillez m’en aviser immédiatement (par retour de courriel ou autrement).
________________________________
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com<http://www.moneris.com> 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click here<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>. Please see the Moneris Privacy Policy here<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
________________________________
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com<http://www.moneris.com> 1-866-319-7450
Si vous désirez enlever votre nom de la liste d’envoi de Moneris, veuillez cliquer ici<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA>. Veuillez consulter la Politique de confidentialité de Moneris ici<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA%20>.
Ce courriel peut contenir des renseignements confidentiels ou privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune obligation connexe. La distribution, l’utilisation ou la reproduction du présent courriel ou des renseignements qu’il contient par une personne autre que son destinataire prévu sont interdites. Si vous avez reçu ce courriel par erreur, veuillez m’en aviser immédiatement (par retour de courriel ou autrement).
________________________________
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com<http://www.moneris.com> 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click here<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>. Please see the Moneris Privacy Policy here<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
________________________________
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com<http://www.moneris.com> 1-866-319-7450
Si vous désirez enlever votre nom de la liste d’envoi de Moneris, veuillez cliquer ici<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA>. Veuillez consulter la Politique de confidentialité de Moneris ici<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA%20>.
Ce courriel peut contenir des renseignements confidentiels ou privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune obligation connexe. La distribution, l’utilisation ou la reproduction du présent courriel ou des renseignements qu’il contient par une personne autre que son destinataire prévu sont interdites. Si vous avez reçu ce courriel par erreur, veuillez m’en aviser immédiatement (par retour de courriel ou autrement).
________________________________
Moneris Solutions Corporation | 3300 Bloor Street West | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
If you wish to unsubscribe from future updates from Moneris, please click here<https://www.moneris.com/en/About-Moneris/Contact-Moneris/Unsubscribe.aspx>. Please see the Moneris Privacy Policy here<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx>.
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
________________________________
Corporation Solutions Moneris | 3300, rue Bloor Ouest | Toronto | Ontario | M8X 2X2 | Canada www.moneris.com 1-866-319-7450
Si vous désirez enlever votre nom de la liste d’envoi de Moneris, veuillez cliquer ici<https://www.moneris.com/about-moneris/contact-moneris/unsubscribe?sc_lang=fr-CA>. Veuillez consulter la Politique de confidentialité de Moneris ici<http://www.moneris.com/Home/Legal/Website-Policies/Privacy-Policy.aspx?sc_lang=fr-CA>.
Ce courriel peut contenir des renseignements confidentiels ou privilégiés, et son expéditeur ne renonce à aucun droit ni à aucune obligation connexe. La distribution, l’utilisation ou la reproduction du présent courriel ou des renseignements qu’il contient par une personne autre que son destinataire prévu sont interdites. Si vous avez reçu ce courriel par erreur, veuillez m’en aviser immédiatement (par retour de courriel ou autrement).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160728/dc0c1496/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 07-28.log
Type: application/octet-stream
Size: 52073 bytes
Desc: 07-28.log
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20160728/dc0c1496/attachment-0001.obj
More information about the keycloak-user
mailing list