[keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory
Consolodated Emails
unimail at edgestep.com
Thu Apr 13 19:19:33 EDT 2017
Hi all,
I have a big project due by end of the week and the last item I have to
deliver is Single Sign On for Active Directory users using IE,Firefox &
Chrome. I am able to login to my application if i use the Keycloak login
form but I can't get it to auto login. If I set Kerberos to Required under
Authentication, I get an error saying Kerberos is not setup. You cannot
login.
Currently I'm investigating these as possible causes:
my browser doesn't seem to be passing Kerberos to Keycloak. I'm using
Fiddler to check headers but I can't get a clear understanding of what I
should look for. The best I can tell WWW-Authenticate Negotiate being sent
to me in the 401 response. I guess my browser isn't sending the Kerberos
credentials.
I'm using a NGINX proxy in front of my application. I've found some
evidence of people updating configuration files in order to make this work
properly. But I'm not sure this applies to me, since my proxy doesn't sit
in front of the keycloak server.
https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile/
/jboss/keycloak/standalone/configuration/standalone.xml
I don't think Kerberos is setup up properly under User Federation/Active
Directory (my LDAP's Config name).
II pieced together some information from Matt's article on using Keycloak
to authenticate with AD. He didn't go in to any detail about Kerberos
configuration for Active Directory. One line "Configure the Kerberos
integration like this:" and a screenshot is all I had to work with. After
doing some reading I'm left to think there is an important step that is
left out of all the articles, forum posts, user manual, etc. From what I
can tell I have to run a command in the container to create a Keytab and it
has to have the proper permissions for Keycloak to access it. I also think
I have to setup /etc/kerb5.conf but I'm not sure what I need to do exactly.
I can't find an article directly discussing Keycloak.
http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
My Env:
Windows Server 2012 R2
AWS Ec2
Active Directory
Pseudo workstation (I'm logging on as a non-domain admin for testing).
Keycloak
AWS Ec2
Docker - Jboss/Keycloak:latest
Ubuntu 16:04 Host:
Container is Redhat based (obviously it's jboss).
Ruby on Rails 1.8.7 application
AWS Ec2
Nginx Proxy in front of it.
OpenID client connected to KeyCloak
Under User Federation:
I've created an Active Directory Provider, it's able to sync users from my
test Active Directory.
Authentication:
Kereberos
Any help would be really appreciated.. I'm in a real tough spot on this
project.
-Dustin
More information about the keycloak-user
mailing list