[keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Marek Posolda mposolda at redhat.com
Tue Apr 25 06:56:42 EDT 2017


On 24/04/17 18:55, Hendrik Dev wrote:
> Hi,
>
> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
> Purpose is to provide single sign on for users logging in via IE from
> a windows domain.
> Keycloak itself is running on centOS, Kerberos server is Active
> Directory. The setup is working so far because I can log in via 'curl
> --negotiate'. There are also several other java applications running
> in this environment which are capable of doing SPNEGO over Kerberos
> authentication successfully.
>
> If the user accesses a Keycloak protected application the SPNEGO login
> does not work and the Keycloak login page is displayed instead.
> In the logs I see "Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)" and that's totally right because
> the browser sends
> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>
> For me it looks like the browser never gets either a
> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
> In other words: The browser never seems to get challenged to do
> SPNEGO over Kerberos.
I will try to summarize if I understand correctly:
1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
2) Your browser replied with the SPNEGO-NTLM token like "Authorization: 
Negotiate ntlm-token-is-here"
3) Keycloak replied with "WWW-Authenticate: Negotiate 
spnego-token-asking-to-send-kerberos-instead-of-ntlm"
4) Your browser didn't reply anything back

Is it correct?

It seems that your browser doesn't have a Kerberos ticket, hence that's 
why it uses NTLM instead. I think the best would be to fix your 
environment, so that it will send a Kerberos token instead of NTLM at 
step 2.

Marek
>
> I already tried to fix it
> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
> but this oddly just ends up in a Basic Auth popup from the browser.
> For the client app the standard flow as well as direct access grants
> is enabled.
>
> Keycloak is deployed as HA with 3 nodes and runs behind a HW
> loadbalancer and Kerberos is set up within the LDAP Federation ()
>
> Any ideas?
>
> Thanks
> Hendrik
>
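The following is an added example, not code from this thread or from Keycloak, that makes the diagnosis in the exchange above checkable from the wire bytes alone: it takes the value of the browser's "Authorization: Negotiate ..." header and classifies the token as NTLM (what Hendrik's browser sent, which the Java GSS layer rejects with the "GSSHeader did not find the right tag" message because the token does not begin with the 0x60 application tag) or as a SPNEGO/Kerberos InitialContextToken. No Kerberos library is involved; the function names, the diagnosis strings and the `encode_gss_token` helper used to build test inputs are this example's own, and the synthetic inner payloads it builds are not real SPNEGO or Kerberos data.

```python
import base64

# Added example (not from the thread or from Keycloak). Token classification is
# done purely on the wire format; no GSS-API or Kerberos library is used.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
GSS_APPLICATION_TAG = 0x60                              # [APPLICATION 0] InitialContextToken
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # DER OID 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # DER OID 1.2.840.113554.1.2.2 (Kerberos V5)

# The token quoted in the thread: an NTLM Type 1 (NEGOTIATE_MESSAGE).
NTLM_TOKEN_FROM_THREAD = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_length_bytes(n):
    """Encode n as a DER length field."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_gss_token(mech_oid, inner):
    """Build a base64 GSS-API InitialContextToken (RFC 2743 section 3.1) around
    inner. Used here only to construct test inputs; inner is a constructed
    placeholder, not a real Kerberos or SPNEGO payload."""
    body = mech_oid + inner
    raw = bytes([GSS_APPLICATION_TAG]) + _der_length_bytes(len(body)) + body
    return base64.b64encode(raw).decode("ascii")


def classify_negotiate_token(b64_token):
    """Return 'ntlm-typeN', 'spnego', 'kerberos', 'gss-unknown-mech' or 'unrecognised'."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(raw[8:12], "little")
        return "ntlm-type%d" % msg_type
    if raw and raw[0] == GSS_APPLICATION_TAG:
        # This is the header that the thread's "GSSHeader did not find the right
        # tag" error is looking for: 0x60, a DER length, then the mechanism OID.
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + len(SPNEGO_OID)] == SPNEGO_OID:
            return "spnego"
        if raw[pos:pos + len(KRB5_OID)] == KRB5_OID:
            return "kerberos"
        return "gss-unknown-mech"
    return "unrecognised"


def diagnose_authorization_header(header_value):
    """Map an Authorization header value to a short diagnosis of the SPNEGO exchange."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return "no-negotiate-token"
    kind = classify_negotiate_token(token.strip())
    if kind.startswith("ntlm-"):
        # The browser answered the Negotiate challenge with NTLM rather than a
        # Kerberos ticket, so the server-side GSS layer rejects the token and
        # the user lands on the login form (step 2 of Marek's summary).
        return "ntlm-fallback"
    if kind in ("spnego", "kerberos"):
        return "kerberos-ok"
    return "unrecognised-token"


if __name__ == "__main__":
    print(classify_negotiate_token(NTLM_TOKEN_FROM_THREAD))                        # ntlm-type1
    print(diagnose_authorization_header("Negotiate " + NTLM_TOKEN_FROM_THREAD))    # ntlm-fallback
```

Running the script on the token from the thread reports `ntlm-type1` / `ntlm-fallback`, which is the situation Marek describes: the server did challenge with Negotiate, but the client had no Kerberos ticket to present, so the fix belongs on the client side (ticket acquisition and SPN resolution), not in Keycloak's challenge handling.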