[keycloak-user] Kerberos auth type displays basic auth prompt under Windows

Marek Posolda mposolda at redhat.com
Wed Jul 19 04:20:50 EDT 2017


On 18/07/17 22:07, Steven Mirabito wrote:
> Hey,
>
> I have Keycloak configured to check passwords against an MIT Kerberos
> server in my user federation source, and that works fine. I then set the
> Kerberos authentication type to "alternative" - most of our users will be
> coming in from personal devices where they'll just log in via the form, but
> we do have a shared machine where this would be nice to have. However, I
> started receiving complaints that when this option is enabled, any browser
> under Windows will show a basic auth dialog which the user has to cancel
> out of to reach the login page (other platforms show a blank "Kerberos
> Unsupported" page and then redirect to the normal login page without a
> dialog). To make matters worse, I can't seem to turn the option off now -
> switching the Kerberos auth type to "disabled" will work for a little bit,
> but after a short period of time it will turn itself back on and users will
> start to see the basic auth dialog again.
>
> Are these known issues? Ideally, I'd like to be able to have the Kerberos
> auth type enabled, but a solution to keep it disabled in the meantime would
> be greatly appreciated as well.

For the first question, I don't know how to disable the basic auth
prompt TBH. I didn't test on Windows. Do all the browsers like IE,
Firefox, Chrome behave like this or just IE?

Maybe there is some switch in the Windows domain or in the browser to
disable those prompts. I checked some sites, but I'm not sure what is
relevant:
https://www.lansweeper.com/kb/141/enabling-or-disabling-login-prompts.html
Another option is to change the authentication flow and replace
SpnegoAuthenticator with a custom one, which will return header 400
instead of 401. See this:
https://stackoverflow.com/questions/9859627/how-to-prevent-browser-to-invoke-basic-auth-popup-and-handle-401-error-using-jqu
However, I'm not sure if automatic Kerberos/SPNEGO authentication will
still work in case the user has a Kerberos ticket, I guess likely not :/

For the second question, Kerberos authenticator is switched to 
ALTERNATIVE when you create or edit Kerberos federation provider or LDAP 
provider with Kerberos switched ON. So if you disable Kerberos on your 
LDAP storage provider or remove Kerberos provider, it won't change from 
DISABLED to ALTERNATIVE anymore.

Marek

>
> Thank you!
> -Steven