[keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory

Marko Strukelj mstrukel at redhat.com
Fri Apr 14 05:30:39 EDT 2017


One source of information you did not mention that might help you is
the Keycloak documentation:

https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/user-federation/ldap.html
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/kerberos.html


There is also an example for Kerberos:
https://github.com/keycloak/keycloak/tree/3.0.0.Final/examples/kerberos

And you may also want to check out our blog at http://blog.keycloak.org/
for articles on MSAD integration.


On Fri, Apr 14, 2017 at 1:19 AM, Consolodated Emails <unimail at edgestep.com>
wrote:

> Hi all,
>
> I have a big project due by end of the week and the last item I have to
> deliver is Single Sign On for Active Directory users using IE, Firefox &
> Chrome. I am able to login to my application if I use the Keycloak login
> form but I can't get it to auto login. If I set Kerberos to Required under
> Authentication, I get an error saying Kerberos is not setup. You cannot
> login.
>
> Currently I'm investigating these as possible causes:
> My browser doesn't seem to be passing Kerberos to Keycloak. I'm using
> Fiddler to check headers but I can't get a clear understanding of what I
> should look for. The best I can tell, WWW-Authenticate Negotiate is being sent
> to me in the 401 response. I guess my browser isn't sending the Kerberos
> credentials.
>
> I'm using a NGINX proxy in front of my application. I've found some
> evidence of people updating configuration files in order to make this work
> properly. But I'm not sure this applies to me, since my proxy doesn't sit
> in front of the keycloak server.
> https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile/
> /jboss/keycloak/standalone/configuration/standalone.xml
>
> I don't think Kerberos is set up properly under User Federation/Active
> Directory (my LDAP's Config name).
> I pieced together some information from Matt's article on using Keycloak
> to authenticate with AD. He didn't go into any detail about Kerberos
> configuration for Active Directory. One line "Configure the Kerberos
> integration like this:" and a screenshot is all I had to work with. After
> doing some reading I'm left to think there is an important step that is
> left out of all the articles, forum posts, user manual, etc. From what I
> can tell I have to run a command in the container to create a Keytab and it
> has to have the proper permissions for Keycloak to access it. I also think
> I have to set up /etc/kerb5.conf but I'm not sure what I need to do exactly.
> I can't find an article directly discussing Keycloak.
>
> http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
>
> My Env:
> Windows Server 2012 R2
> AWS Ec2
> Active Directory
> Pseudo workstation (I'm logging on as a non-domain admin for testing).
>
> Keycloak
> AWS Ec2
> Docker - Jboss/Keycloak:latest
> Ubuntu 16:04 Host:
> Container is Redhat based (obviously it's jboss).
>
> Ruby on Rails 1.8.7 application
> AWS Ec2
> Nginx Proxy in front of it.
> OpenID client connected to KeyCloak
>
>
> Under User Federation:
> I've created an Active Directory Provider, it's able to sync users from my
> test Active Directory.
>
> Authentication:
> Kerberos
>
> Any help would be really appreciated. I'm in a real tough spot on this
> project.
>
> -Dustin
>
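
Added example, not part of either message above: a small Python check for the header exchange the question describes inspecting in Fiddler. It reports whether the server offered `Negotiate` in its 401 and what kind of token, if any, the browser returned. The host name, URL path and token bytes are constructed for illustration.

```python
import base64

def classify_token(b64_token):
    """Classify the token from 'Authorization: Negotiate <token>'."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "invalid-base64"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"            # raw NTLM message: the browser did not use Kerberos
    if raw[:1] == b"\x60":
        return "spnego-gssapi"   # GSS-API initial token (ASN.1 tag 0x60); Kerberos arrives this way
    return "unknown"

def headers_of(message):
    """Return {lowercased name: [values]} from one raw HTTP message head."""
    out = {}
    for line in message.strip().splitlines()[1:]:   # skip request/status line
        if not line.strip():
            break                                   # blank line ends the head
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def diagnose(response_401, followup_request):
    """Say how far the SPNEGO exchange got, given the 401 and the next request."""
    offers = headers_of(response_401).get("www-authenticate", [])
    if not any(v.lower().startswith("negotiate") for v in offers):
        return "server did not offer Negotiate"
    for value in headers_of(followup_request).get("authorization", []):
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "negotiate":
            return "browser sent " + classify_token(token.strip())
    return "browser sent no Negotiate token"

# Constructed sample traffic (host name, path and token bytes are made up).
CHALLENGE = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n"

def request_with(token_bytes=None):
    auth = ""
    if token_bytes is not None:
        auth = "Authorization: Negotiate " + base64.b64encode(token_bytes).decode() + "\r\n"
    return "GET /auth/realms/demo HTTP/1.1\r\nHost: keycloak.example.test\r\n" + auth + "\r\n"

if __name__ == "__main__":
    for tok in (None, b"NTLMSSP\x00\x01\x00\x00\x00", b"\x60\x82\x01\x00constructed"):
        print(diagnose(CHALLENGE, request_with(tok)))
```

A result of "browser sent no Negotiate token" points at browser configuration for the host, while "browser sent ntlm" means the browser attempted Negotiate but fell back from Kerberos. A `spnego-gssapi` result only identifies the token framing; the mechanism inside still has to be accepted by the server.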

