[keycloak-user] Kerberos Authentication throws Exception

Malte Finsterwalder inofi at gmx.net
Thu Jul 6 13:26:09 EDT 2017


I tweaked my config a bit and fixed an error there. It still doesn't work
correctly, but now I get an ICMP Error, after the SPNEGO Failure and a try
to login with username and password;

17:23:54,184 INFO  [stdout] (default task-21) [Krb5LoginModule]
authentication failed
17:23:54,184 INFO  [stdout] (default task-21) ICMP Port Unreachable
17:23:54,185 WARN  [org.keycloak.services] (default task-21)
KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException:
Kerberos unreachable
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:94)
at
org.keycloak.storage.ldap.LDAPStorageProvider.validPassword(LDAPStorageProvider.java:512)
at
org.keycloak.storage.ldap.LDAPStorageProvider.isValid(LDAPStorageProvider.java:602)
at
org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:140)
at
org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:121)
at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:175)
at
org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:151)
at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
at
org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
at
org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
at
org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
at
org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
at
org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
at
org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
at
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.auth.login.LoginException: ICMP Port Unreachable
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
at
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.authenticateSubject(KerberosUsernamePasswordAuthenticator.java:128)
at
org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:90)
... 61 more
Caused by: java.net.PortUnreachableException: ICMP Port Unreachable
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at
java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)
at java.net.DatagramSocket.receive(DatagramSocket.java:812)
at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(KdcComm.java:348)
at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
at sun.security.krb5.KdcComm.send(KdcComm.java:229)
at sun.security.krb5.KdcComm.send(KdcComm.java:200)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
... 75 more


On 6 July 2017 at 17:21, Malte Finsterwalder <inofi at gmx.net> wrote:

> Hi there,
>
> I tried to configure Keycloak to authenticate against Windows Active
> Directory using Kerberos credentials.
> But I keep getting an Exception.
>
> Setup is as follows:
>
> I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final.
> In addition I installed freeipa-client and added a /etc/krb5.conf file as
> well as my keytab file.
>
> But when I configure Kerberos as required in the browser flow, I get the
> following Exception and the browser shows me a basic auth login dialog,
> that does not allow me to log in at all.
>
> Any ideas? How can gather more information?
>
> 13:26:25,796 INFO  [stdout] (default task-64) Debug is  true storeKey true
> useTicketCache false useKeyTab true doNotPrompt true ticketCache is null
> isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab
> refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.HANS
> EMERKUR.DE at HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is false
> storePass is false clearPass is false
> 13:26:25,796 INFO  [stdout] (default task-64) principal is
> HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE at HH.HANSEMERKUR.DE
> 13:26:25,796 INFO  [stdout] (default task-64) Will use keytab
> 13:26:25,796 INFO  [stdout] (default task-64) Commit Succeeded
> 13:26:25,796 INFO  [stdout] (default task-64)
>
> 13:19:24,501 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
> (default task-47) SPNEGO login failed: java.security.PrivilegedActionException:
> GSSException: Defective token detected (Mechanism level: GSSHeader did not
> find the right tag)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.au
> thenticate(SPNEGOAuthenticator.java:68)
> at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(L
> DAPStorageProvider.java:542)
> at org.keycloak.credential.UserCredentialStoreManager.authentic
> ate(UserCredentialStoreManager.java:323)
> at org.keycloak.authentication.authenticators.browser.SpnegoAut
> henticator.authenticate(SpnegoAuthenticator.java:90)
> at org.keycloak.authentication.DefaultAuthenticationFlow.proces
> sFlow(DefaultAuthenticationFlow.java:184)
> at org.keycloak.authentication.AuthenticationProcessor.authenti
> cateOnly(AuthenticationProcessor.java:792)
> at org.keycloak.authentication.AuthenticationProcessor.authenti
> cate(AuthenticationProcessor.java:667)
> at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowse
> rAuthenticationRequest(AuthorizationEndpointBase.java:123)
> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.b
> uildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.
> build(AuthorizationEndpoint.java:125)
> at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
> thodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
> ctorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
> (ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
> eMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
> tObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
> ceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
> tObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
> ceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
> nousDispatcher.java:395)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
> nousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
> spatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
> her.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
> her.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
> rvletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
> oFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
> oFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
> oFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
> terHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
> dler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
> eRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssoc
> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociat
> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationC
> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler
> .handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentiality
> ConstraintHandler.handleRequest(ServletConfident
> ialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandle
> r.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.ha
> ndleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssocia
> tionHandler.handleRequest(AbstractSecurityContextAssociation
> Handler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
> ndler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
> redicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
> stRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
> equest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
> 0(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
> equest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
> ge.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
> Executor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
> lExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: GSSException: Defective token detected (Mechanism level:
> GSSHeader did not find the right tag)
> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
> Impl.java:306)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
> Impl.java:285)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.es
> tablishContext(SPNEGOAuthenticator.java:172)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
> ceptSecContext.run(SPNEGOAuthenticator.java:135)
> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
> ceptSecContext.run(SPNEGOAuthenticator.java:125)
> ... 60 more
>
> 13:26:25,798 INFO  [stdout] (default task-64)         [Krb5LoginModule]:
> Entering logout
> 13:26:25,798 INFO  [stdout] (default task-64)         [Krb5LoginModule]:
> logged out Subject
>
>


More information about the keycloak-user mailing list