[keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory

mj lists at merit.unu.edu
Sat Apr 15 05:34:27 EDT 2017


Some of my notes, but these are for samba4 AD:

>
>     add spn to account files, since id is running on the id.company.com machine:
>
> samba-tool spn add HTTP/id.samba.company.com id$
> samba-tool domain exportkeytab --principal HTTP/id.samba.company.com id.keytab
>
> List keys in id.keytab:
>
> root at dc4:~# klist -k ./id.keytab
> Keytab name: FILE:./id.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   2 HTTP/id.samba.company.com at SAMBA.COMPANY.COM
>   2 HTTP/id.samba.company.com at SAMBA.COMPANY.COM
>   2 HTTP/id.samba.company.com at SAMBA.COMPANY.COM
>
> Make sure that a reverse dns exists! (so, in case you use id.company.com, add a reverse for id.company.com) Then:
>
> 2016-11-21 15:05:55,649 INFO  [org.keycloak.federation.ldap.LDAPIdentityStoreRegistry] (default task-3) Creating new LDAP based partition manager for the Federation provider: active directory, LDAP Configuration: {serverPrincipal=HTTP/id.copany.com at SAMBA.COMPANY.COM, pagination=true, connectionPooling=true, usersDn=cn=users,dc=samba,dc=company,dc=com, userAccountControlsAfterPasswordUpdate=true, useKerberosForPasswordAuthentication=false, bindDn=cn=service_account,cn=users,dc=samba,dc=company,dc=com, usernameLDAPAttribute=sAMAccountName, vendor=ad, uuidLDAPAttribute=objectGUID, allowKerberosAuthentication=true, connectionUrl=ldaps://localhost:636, syncRegistrations=false, authType=simple, debug=true, searchScope=1, keyTab=/usr/local/keycloak/standalone/configuration/id.keytab, useTruststoreSpi=ldapsOnly, kerberosRealm=SAMBA.COMPANY.COM, userObjectClasses=person, organizationalPerson, user, rdnLDAPAttribute=cn, editMode=READ_ONLY, batchSizeForSync=1000}
> 2016-11-21 15:05:55,746 INFO  [stdout] (default task-3) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /usr/local/keycloak/standalone/configuration/id.keytab refreshKrb5Config is false principal is HTTP/id.company.com at SAMBA.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2016-11-21 15:05:55,790 INFO  [stdout] (default task-3) principal is HTTP/id.company.com at SAMBA.COMPANY.COM
> 2016-11-21 15:05:55,790 INFO  [stdout] (default task-3) Will use keytab
> 2016-11-21 15:05:55,792 INFO  [stdout] (default task-3) Commit Succeeded
> 2016-11-21 15:05:55,792 INFO  [stdout] (default task-3)
> 2016-11-21 15:05:55,994 INFO  [stdout] (default task-3) 		[Krb5LoginModule]: Entering logout
> 2016-11-21 15:05:55,995 INFO  [stdout] (default task-3) 		[Krb5LoginModule]: logged out Subject

Good luck,

MJ
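A consistency check between the keytab and the federation config Keycloak logs at startup, added here as an example and not part of MJ's notes: it parses a constructed `klist -k` listing and a constructed excerpt of the Keycloak "LDAP Configuration" log line (both mirror the values in the post, with the archive's " at " written back as "@"; hostnames and realm are placeholders) and flags a serverPrincipal that has no matching keytab entry or a realm that differs from kerberosRealm.

```python
import re
# Constructed `klist -k` listing mirroring the post (hostnames/realm are placeholders).
KLIST_OUTPUT = """\
Keytab name: FILE:./id.keytab
KVNO Principal
---- ------------------------------------------------
   2 HTTP/id.samba.company.com@SAMBA.COMPANY.COM
   2 HTTP/id.samba.company.com@SAMBA.COMPANY.COM
"""
# Constructed excerpt of the Keycloak "LDAP Configuration: {...}" startup log line.
KEYCLOAK_LOG_LINE = (
    "LDAP Configuration: {serverPrincipal=HTTP/id.company.com@SAMBA.COMPANY.COM, "
    "keyTab=/usr/local/keycloak/standalone/configuration/id.keytab, "
    "kerberosRealm=SAMBA.COMPANY.COM, userObjectClasses=person, organizationalPerson, user}"
)

def parse_klist(text):
    """Return the set of (kvno, principal) pairs printed by `klist -k`; header lines are skipped."""
    pairs = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            pairs.add((int(m.group(1)), m.group(2)))
    return pairs

def parse_ldap_config(log_line):
    """Extract the key=value map Keycloak logs (list values such as userObjectClasses lose their tail)."""
    m = re.search(r"LDAP Configuration: \{(.*)\}", log_line)
    if not m:
        raise ValueError("no LDAP Configuration map found in log line")
    cfg = {}
    for item in m.group(1).split(", "):
        if "=" in item:
            key, value = item.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_kerberos_config(cfg, keytab_entries):
    """Return a list of problems; empty means the configured SPN has a key in the keytab."""
    problems = []
    sp = cfg.get("serverPrincipal", "")
    realm = cfg.get("kerberosRealm", "")
    names = {principal for _, principal in keytab_entries}
    # The realm inside the SPN must be the realm Keycloak is told to use.
    if "@" in sp and sp.rsplit("@", 1)[1] != realm:
        problems.append(f"realm in serverPrincipal does not match kerberosRealm {realm!r}")
    # SPNEGO fails silently if the keytab holds a different host name than the SPN.
    if sp not in names:
        problems.append(f"serverPrincipal {sp!r} has no key in the keytab: {sorted(names)}")
    return problems
```

Run against the sample inputs it reports that HTTP/id.company.com has no key in a keytab exported for HTTP/id.samba.company.com, which is the kind of mismatch the reverse-DNS reminder above is guarding against.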
