[keycloak-user] Kerberos Authentication throws Exception

Marek Posolda mposolda at redhat.com
Wed Jul 12 02:51:18 EDT 2017


Do you have a "/etc/krb5.conf" file on the server where your Keycloak is 
deployed? In this file you need to have a configuration for the Kerberos realm 
corresponding to the Kerberos realm you used in the Keycloak LDAP 
storage provider configuration. The host/port of the KDC needs to be 
reachable over the network; the "ICMP Port Unreachable" in your trace is 
raised by the UDP client talking to the KDC, which means no service was 
listening at the KDC host/port the JVM used for that realm. The 
configuration of the KDC in the /etc/krb5.conf file can look like this, 
for example:

         KEYCLOAK.ORG={
                 kdc = localhost:6088
         }


Marek

On 06/07/17 19:26, Malte Finsterwalder wrote:
> I tweaked my config a bit and fixed an error there. It still doesn't work
> correctly, but now I get an ICMP error after the SPNEGO failure and an
> attempt to log in with username and password:
>
> 17:23:54,184 INFO  [stdout] (default task-21) [Krb5LoginModule]
> authentication failed
> 17:23:54,184 INFO  [stdout] (default task-21) ICMP Port Unreachable
> 17:23:54,185 WARN  [org.keycloak.services] (default task-21)
> KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelException:
> Kerberos unreachable
> at
> org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.checkKerberosServerAvailable(KerberosUsernamePasswordAuthenticator.java:108)
> at
> org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:94)
> at
> org.keycloak.storage.ldap.LDAPStorageProvider.validPassword(LDAPStorageProvider.java:512)
> at
> org.keycloak.storage.ldap.LDAPStorageProvider.isValid(LDAPStorageProvider.java:602)
> at
> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:140)
> at
> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:121)
> at
> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:175)
> at
> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:151)
> at
> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56)
> at
> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49)
> at
> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92)
> at
> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:76)
> at
> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:759)
> at
> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:365)
> at
> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:347)
> at
> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:401)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> at
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at
> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.security.auth.login.LoginException: ICMP Port Unreachable
> at
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
> at
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> at
> org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.authenticateSubject(KerberosUsernamePasswordAuthenticator.java:128)
> at
> org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator.validUser(KerberosUsernamePasswordAuthenticator.java:90)
> ... 61 more
> Caused by: java.net.PortUnreachableException: ICMP Port Unreachable
> at java.net.PlainDatagramSocketImpl.receive0(Native Method)
> at
> java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)
> at java.net.DatagramSocket.receive(DatagramSocket.java:812)
> at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206)
> at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411)
> at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.security.krb5.KdcComm.send(KdcComm.java:348)
> at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
> at sun.security.krb5.KdcComm.send(KdcComm.java:229)
> at sun.security.krb5.KdcComm.send(KdcComm.java:200)
> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
> at
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:766)
> ... 75 more
>
>
> On 6 July 2017 at 17:21, Malte Finsterwalder <inofi at gmx.net> wrote:
>
>> Hi there,
>>
>> I tried to configure Keycloak to authenticate against Windows Active
>> Directory using Kerberos credentials.
>> But I keep getting an Exception.
>>
>> Setup is as follows:
>>
>> I created a docker image based on jboss/keycloak-ha-postgres:2.5.5.Final.
>> In addition I installed freeipa-client and added a /etc/krb5.conf file as
>> well as my keytab file.
>>
>> But when I configure Kerberos as required in the browser flow, I get the
>> following Exception and the browser shows me a basic auth login dialog,
>> that does not allow me to log in at all.
>>
>> Any ideas? How can I gather more information?
>>
>> 13:26:25,796 INFO  [stdout] (default task-64) Debug is  true storeKey true
>> useTicketCache false useKeyTab true doNotPrompt true ticketCache is null
>> isInitiator false KeyTab is /keytabs/SVC_KEYCLOAK_CI20_HTTP_IDP-UI.keytab
>> refreshKrb5Config is false principal is HTTP/SVC_KEYCLOAK_CI20.HH.HANS
>> EMERKUR.DE at HH.HANSEMERKUR.DE tryFirstPass is false useFirstPass is false
>> storePass is false clearPass is false
>> 13:26:25,796 INFO  [stdout] (default task-64) principal is
>> HTTP/SVC_KEYCLOAK_CI20.HH.HANSEMERKUR.DE at HH.HANSEMERKUR.DE
>> 13:26:25,796 INFO  [stdout] (default task-64) Will use keytab
>> 13:26:25,796 INFO  [stdout] (default task-64) Commit Succeeded
>> 13:26:25,796 INFO  [stdout] (default task-64)
>>
>> 13:19:24,501 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator]
>> (default task-47) SPNEGO login failed: java.security.PrivilegedActionException:
>> GSSException: Defective token detected (Mechanism level: GSSHeader did not
>> find the right tag)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at javax.security.auth.Subject.doAs(Subject.java:422)
>> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.au
>> thenticate(SPNEGOAuthenticator.java:68)
>> at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(L
>> DAPStorageProvider.java:542)
>> at org.keycloak.credential.UserCredentialStoreManager.authentic
>> ate(UserCredentialStoreManager.java:323)
>> at org.keycloak.authentication.authenticators.browser.SpnegoAut
>> henticator.authenticate(SpnegoAuthenticator.java:90)
>> at org.keycloak.authentication.DefaultAuthenticationFlow.proces
>> sFlow(DefaultAuthenticationFlow.java:184)
>> at org.keycloak.authentication.AuthenticationProcessor.authenti
>> cateOnly(AuthenticationProcessor.java:792)
>> at org.keycloak.authentication.AuthenticationProcessor.authenti
>> cate(AuthenticationProcessor.java:667)
>> at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowse
>> rAuthenticationRequest(AuthorizationEndpointBase.java:123)
>> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.b
>> uildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
>> at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.
>> build(AuthorizationEndpoint.java:125)
>> at sun.reflect.GeneratedMethodAccessor615.invoke(Unknown Source)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe
>> thodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInje
>> ctorImpl.java:139)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget
>> (ResourceMethodInvoker.java:295)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(Resourc
>> eMethodInvoker.java:249)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:138)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:107)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTarge
>> tObject(ResourceLocatorInvoker.java:133)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(Resour
>> ceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:395)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(Synchro
>> nousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDi
>> spatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatc
>> her.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(Se
>> rvletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.d
>> oFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.d
>> oFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(Fil
>> terHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHan
>> dler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handl
>> eRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssoc
>> iationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociat
>> ionHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationC
>> allHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler
>> .handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentiality
>> ConstraintHandler.handleRequest(ServletConfident
>> ialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandle
>> r.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSes
>> sionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.ha
>> ndleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssocia
>> tionHandler.handleRequest(AbstractSecurityContextAssociation
>> Handler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHa
>> ndler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(P
>> redicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFir
>> stRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchR
>> equest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$00
>> 0(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleR
>> equest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchan
>> ge.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool
>> Executor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo
>> lExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: GSSException: Defective token detected (Mechanism level:
>> GSSHeader did not find the right tag)
>> at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
>> Impl.java:306)
>> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
>> Impl.java:285)
>> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.es
>> tablishContext(SPNEGOAuthenticator.java:172)
>> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
>> ceptSecContext.run(SPNEGOAuthenticator.java:135)
>> at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$Ac
>> ceptSecContext.run(SPNEGOAuthenticator.java:125)
>> ... 60 more
>>
>> 13:26:25,798 INFO  [stdout] (default task-64)         [Krb5LoginModule]:
>> Entering logout
>> 13:26:25,798 INFO  [stdout] (default task-64)         [Krb5LoginModule]:
>> logged out Subject
>>
>>



