[keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
Hendrik Dev
hendrikdev22 at gmail.com
Mon Apr 24 12:55:33 EDT 2017
Hi,
I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
Purpose is to provide single sign on for users logging in via IE from
a windows domain.
Keycloak itself is running on centOS, Kerberos server is Active
Directory. The setup is working so far because i can login via 'curl
--negotiate'. There are also several other java applications running
in this environment which are capable of doing SPNEGO over Kerberos
authentication successfully.
If the user access a Keycloak protected application the SPNEGO login
does not work and the Keycloak login page is displayed instead.
In the logs i see "Defective token detected (Mechanism level:
GSSHeader did not find the right tag)" and thats totally right because
the browser sends
'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
which is a SPENEGO-NTLM token (and not a SPNEGO-Kerberos token).
For me it looks like the browser never gets either a
'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
In other words: The browser seems to never gets challenged to do
SPNEGO over Kerberos.
I already tried to fix it
(https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
but this oddly just ends up in a Basic Auth popup from the browser.
For the client app the standard flow as well as direct access grants
is enabled.
Keycloak is deployed as HA with 3 nodes and runs behind a HW
loadbalancer and Kerberos is setup within the LDAP Federation ()
Any ideas?
Thanks
Hendrik
--
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC
More information about the keycloak-user
mailing list