[keycloak-user] Does Keycloak's SPNEGO support include fall-back to NTLM in absence of Kerberos?

Marek Posolda mposolda at redhat.com
Wed Jun 29 03:05:51 EDT 2016


I'm afraid that it won't work ATM. You can create a JIRA for this though. 
However, I am not sure if it's a priority for us to do that.

Alternatively, you can try to contribute this yourself. Maybe the only 
required thing will be to add the NTLM OID (1.3.6.1.4.1.311.2.2.10) to the 
list here: 
https://github.com/keycloak/keycloak/blob/master/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/SPNEGOAuthenticator.java#L169 
However, I'm afraid it likely won't be that easy...

Marek

On 28/06/16 17:47, Guy Davis wrote:
> Good day,
>
> For sake of argument, assume that someone has set up a MS Active 
> Directory domain with Kerberos disabled, but NTLM still enabled.  In 
> that situation, would a user browsing to a Keycloak-protected 
> application, with LDAP+SPNEGO enabled (against that MS AD system) 
> still allow for Integrated Windows Authentication (auto-login without 
> prompt) to web application?
>
> Thanks much,
> Guy
>
> <re-sending today as same message yesterday didn't make it through to 
> the list>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
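
To see which mechanism a browser actually offers in this situation, the `Authorization: Negotiate` value can be decoded and its SPNEGO mechTypes list read. The following is an added example, not part of the original thread and not Keycloak code; the function names are hypothetical and the sample tokens are constructed rather than captured.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
# DER-encoded mechanism OIDs; the NTLM one is the OID quoted in the reply above.
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2b06010401823702020a"): "NTLM (1.3.6.1.4.1.311.2.2.10)",
}

def expect(buf, pos, want_tag):
    """Read the DER element at pos, require its tag, return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected DER tag {want_tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def offered_mechanisms(header_value):
    """List the mechanisms a client offers in an 'Authorization: Negotiate' value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):        # bare NTLM message, no SPNEGO wrapper
        return ["NTLM (raw NTLMSSP)"]
    gss, _ = expect(token, 0, 0x60)             # [APPLICATION 0] GSS-API token
    oid, pos = expect(gss, 0, 0x06)             # thisMech OID
    if oid != SPNEGO:                           # mechanism token sent without SPNEGO
        return [MECHS.get(oid, "unknown OID " + oid.hex())]
    neg_init, _ = expect(gss, pos, 0xA0)        # [0] NegTokenInit
    fields, _ = expect(neg_init, 0, 0x30)       # SEQUENCE of NegTokenInit fields
    mech_types, _ = expect(fields, 0, 0xA0)     # [0] mechTypes
    mech_list, _ = expect(mech_types, 0, 0x30)  # SEQUENCE OF OID, in preference order
    names, pos = [], 0
    while pos < len(mech_list):
        oid, pos = expect(mech_list, pos, 0x06)
        names.append(MECHS.get(oid, "unknown OID " + oid.hex()))
    return names

def der(tag, body):  # short-form length only: enough for the constructed sample
    return bytes([tag, len(body)]) + body

def sample_header(mech_oids):  # constructed test input, not captured traffic
    mech_list = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    neg_init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO) + neg_init)).decode()
```

A result that contains only NTLM entries means the client had no Kerberos mechanism to offer, which is the case the question describes.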
