[keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Hendrik Dev hendrikdev22 at gmail.com
Thu Apr 27 06:35:47 EDT 2017


On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda <mposolda at redhat.com> wrote:
> On 24/04/17 18:55, Hendrik Dev wrote:
>>
>> Hi,
>>
>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>> Purpose is to provide single sign on for users logging in via IE from
>> a windows domain.
>> Keycloak itself is running on centOS, Kerberos server is Active
>> Directory. The setup is working so far because i can login via 'curl
>> --negotiate'. There are also several other java applications running
>> in this environment which are capable of doing SPNEGO over Kerberos
>> authentication successfully.
>>
>> If the user access a Keycloak protected application the SPNEGO login
>> does not work and the Keycloak login page is displayed instead.
>> In the logs i see "Defective token detected (Mechanism level:
>> GSSHeader did not find the right tag)" and thats totally right because
>> the browser sends
>> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>> which is a SPENEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>
>> For me it looks like the browser never gets either a
>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>> In other words: The browser seems to never gets challenged to do
>> SPNEGO over Kerberos.
>
> I will try to summarize if I understand correctly:
> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
> Negotiate ntlm-token-is-here"
> 3) Keycloak replied with "WWW-Authenticate: Negotiate
> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
> 4) Your browser didn't reply anything back
>
> Is it correct?

Sorry no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from keycloak.
As i said, the browser does not get a challenge.



>
> It seems that your browser doesn't have kerberos ticket, hence that's why it
> uses NTLM instead. I think the best would be to fix your environment, so
> that it will send Kerberos token instead of NTLM at the step 2.
>
> Marek
>
>>
>> I already tried to fix it
>>
>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
>> but this oddly just ends up in a Basic Auth popup from the browser.
>> For the client app the standard flow as well as direct access grants
>> is enabled.
>>
>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>> loadbalancer and Kerberos is setup within the LDAP Federation ()
>>
>> Any ideas?
>>
>> Thanks
>> Hendrik
>>
>



-- 
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC


More information about the keycloak-user mailing list