[keycloak-user] New to Keycloak - stuck trying to setup SSO via Kerberos and Active Directory
Marek Posolda
mposolda at redhat.com
Wed Apr 19 16:02:07 EDT 2017
On 14/04/17 13:29, Consolodated Emails wrote:
> Marko,
>
> Thank you for those links. I have come across them and have been using them
> as reference.
>
> I'm pretty sure I have LDAP working. Those instructions are very complete.
> I can sync users and then authenticate to my app using those credentials.
> When I update a user in Active Directory I can sync those changes to
> Keycloak.
>
> Where I'm stuck is the Kerberos setup & configuration. I could use more
> information on how to install, configure it and what commands to run, etc.
> The articles you posted are very brief about Kerberos setup.
>
> For example in the Kerberos document there is a paragraph titled "Setup and
> configuration of Keycloak server" it seems seems to be an important part of
> the setup but this section is just a basic outline. Install a client,
> configure it, edit the krb5.conf to add your realm, export a keytab and
> secure the keytab file. Not details really.
> https://keycloak.gitbooks.io/server-adminstration-guide/
> content/topics/authentication/kerberos.html
Thing is, that there are bunch of Kerberos vendors (MS Active Directory,
MIT Kerberos, ApacheDS...) and the details how to setup particular
Kerberos server and Kerberos client are platform dependent. Steps are
different according to what Kerberos vendor are you using, and what
platform your server and clients are. Steps to integrate your web
browser are also different for every browser.
Unfortunately we can't provide detailed instructions for every
combination. Hence in the documentation, we focus mostly on the steps,
which are specific to the Keycloak server side. This is configuration of
authentication flow and configuration of LDAP provider, where you need
to configure location of keytab file and the name of HTTP principal.
For the MSAD specific details, you can use articles on the internet,
which focus purely on MSAD and use MSAD specific steps to setup Kerberos
domain and clients. The one you pointed or for example this
https://www.ibm.com/support/knowledgecenter/SSB2MV_8.0.0/com.ibm.rational.buildforge.doc/topics/config_sec_sso_spnego.html
.
If you see that your browser doesn't respond to "WWW-Authenticate:
Negotiate", then the problem really seems to be either in the setup of
your client (krb5.conf) or browser. You can maybe try different
browsers. You can also try to temporarily disable firewall. Marko
pointed other things and reference to the example, which can possibly
give you some other hints.
More inline.
>
> In the "examples for Kerberos" step 4 is install the Kerberos client and
> step 5 is configure it. There are one or two sentences with information but
> not to much details on what they mean. There is supposed to be a
> test.krb5.conf file which should explain more but the link is broken.
> https://github.com/keycloak/keycloak/tree/3.0.0.Final/examples/kerberos
Thanks. I will fix it. The correct location is
https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/resources/kerberos/test-krb5.conf
>
>
> I spent most of the day researching but I haven't found much information on
> how to setup Kerberos for Active Directory SSO. I don't have a lot of time
> to experiment so following a walkthrough on getting Kerberos setup so linux
> machines can join in a Active Directory domain might give me the info I
> need or I might lose 3-6 hours.
>
> One thing I'm not 100% is do I need to run a Kerberos client and server? In
> my environment we want users to login to their Windows workstations, open
> the browser and auto-login to our application with no login prompts. We use
> Active Directory as the User Federation source and OpenID client as our
> destination.
Kerberos server should be provided automatically by Windows Active
Directory domain. Details about it are Microsoft documentation and bunch
of other sources online.
Marek
>
>
> I've been putting a ton of hours in to the this project and I really
> appreciate the help. :)
>
> -Dustin
>
> ᐧ
>
> On Fri, Apr 14, 2017 at 5:30 AM, Marko Strukelj <mstrukel at redhat.com> wrote:
>
>> One source of information you did not mention and might help you is
>> Keycloak documentation:
>>
>> https://keycloak.gitbooks.io/server-adminstration-guide/
>> content/topics/user-federation/ldap.html
>> https://keycloak.gitbooks.io/server-adminstration-guide/
>> content/topics/authentication/kerberos.html
>>
>>
>> There is also an example for Kerberos: https://github.com/
>> keycloak/keycloak/tree/3.0.0.Final/examples/kerberos
>>
>> And you may also want to check out our blog at http://blog.keycloak.org/
>> for articles on MSAD integration.
>>
>>
>> On Fri, Apr 14, 2017 at 1:19 AM, Consolodated Emails <unimail at edgestep.com
>>> wrote:
>>> Hi all,
>>>
>>> I have a big project due by end of the week and the last item I have to
>>> deliver is Single Sign On for Active Directory users using IE,Firefox &
>>> Chrome. I am able to login to my application if i use the Keycloak login
>>> form but I can't get it to auto login. If I set Kerberos to Required under
>>> Authentication, I get an error saying Kerberos is not setup. You cannot
>>> login.
>>>
>>> Currently I'm investigating these as possible causes:
>>> my browser doesn't seem to be passing Kerberos to Keycloak. I'm using
>>> Fiddler to check headers but I can't get a clear understanding of what I
>>> should look for. The best I can tell WWW-Authenticate Negotiate being sent
>>> to me in the 401 response. I guess my browser isn't sending the Kerberos
>>> credentials.
>>>
>>> I'm using a NGINX proxy in front of my application. I've found some
>>> evidence of people updating configuration files in order to make this work
>>> properly. But I'm not sure this applies to me, since my proxy doesn't sit
>>> in front of the keycloak server.
>>> https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile/
>>> /jboss/keycloak/standalone/configuration/standalone.xml
>>> <https://hub.docker.com/r/computersciencehouse/keycloak/~/dockerfile//jboss/keycloak/standalone/configuration/standalone.xml>
>>>
>>> I don't think Kerberos is setup up properly under User Federation/Active
>>> Directory (my LDAP's Config name).
>>> II pieced together some information from Matt's article on using Keycloak
>>> to authenticate with AD. He didn't go in to any detail about Kerberos
>>> configuration for Active Directory. One line "Configure the Kerberos
>>> integration like this:" and a screenshot is all I had to work with. After
>>> doing some reading I'm left to think there is an important step that is
>>> left out of all the articles, forum posts, user manual, etc. From what I
>>> can tell I have to run a command in the container to create a Keytab and
>>> it
>>> has to have the proper permissions for Keycloak to access it. I also think
>>> I have to setup /etc/kerb5.conf but I'm not sure what I need to do
>>> exactly.
>>> I can't find an article directly discussing Keycloak.
>>>
>>> http://matthewcasperson.blogspot.com/2015/07/authenticating-
>>> via-kerberos-with.html
>>>
>>> My Env:
>>> Windows Server 2012 R2
>>> AWS Ec2
>>> Active Directory
>>> Pseudo workstation (I'm logging on as a non-domain admin for testing).
>>>
>>> Keycloak
>>> AWS Ec2
>>> Docker - Jboss/Keycloak:latest
>>> Ubuntu 16:04 Host:
>>> Container is Redhat based (obviously it's jboss).
>>>
>>> Ruby on Rails 1.8.7 application
>>> AWS Ec2
>>> Nginx Proxy in front of it.
>>> OpenID client connected to KeyCloak
>>>
>>>
>>> Under User Federation:
>>> I've created an Active Directory Provider, it's able to sync users from my
>>> test Active Directory.
>>>
>>> Authentication:
>>> Kereberos
>>>
>>> Any help would be really appreciated.. I'm in a real tough spot on this
>>> project.
>>>
>>> -Dustin
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
More information about the keycloak-user
mailing list