[keycloak-user] Exception in Kerberos Credential Delegation example
Nirmal Kumar
nirmal.kumar at impetus.co.in
Wed Jun 7 07:37:15 EDT 2017
Hi Keycloak,
I set up the keycloak-demo-3.0.0 standalone server with the Kerberos example (kerberos-portal.war) on an *Ubuntu machine (N1)*.
Next, on another *Ubuntu machine (N2)*, I set up the Kerberos client (did a kinit) and made the required config changes in Firefox, and I am able to access the URL http://N1:8080/kerberos-portal/ and the login page is bypassed as expected.
However, when using another *Windows 8.1 machine (N3)* where I have set up the MIT Kerberos Client (did a kinit) + required config changes in Firefox, I am getting the login page.
The browser, though, gets the challenge response header WWW-Authenticate: Negotiate and then again sends the Authorization: Negotiate YII, but somehow I end up with the login page and see the below error in the Wildfly logs.
2017-06-07 10:46:04,332 INFO [stdout] (default task-42) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-06-07 10:46:04,334 INFO [stdout] (default task-42) principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN
2017-06-07 10:46:04,334 INFO [stdout] (default task-42) Will use keytab
2017-06-07 10:46:04,335 INFO [stdout] (default task-42) Commit Succeeded
2017-06-07 10:46:04,335 INFO [stdout] (default task-42)
*2017-06-07 10:46:04,337 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration*
2017-06-07 10:46:04,337 INFO [stdout] (default task-42) [Krb5LoginModule]: Entering logout
2017-06-07 10:46:04,338 INFO [stdout] (default task-42) [Krb5LoginModule]: logged out Subject
I troubleshooted for quite a long time but cannot understand where the problem is.
Can you please give me some pointers to look for?
Thanks,
-Nirmal
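
An added diagnostic example, not part of the original message or of Keycloak: it decodes the token from an `Authorization: Negotiate ...` header and lists the mechanisms it names, so the token sent by the working client can be compared with the one from the failing client. A token whose base64 starts with `YII` is GSS-API framed (bytes 0x60 0x82). The names `offered_mechs` and `SAMPLE` are hypothetical, and `SAMPLE` is a constructed token, not one captured from this setup.

```python
import base64

SPNEGO = "1.3.6.1.5.5.2"
MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
# Constructed sample: SPNEGO NegTokenInit offering Kerberos V5, then NTLMSSP.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202"
    "060a2b06010401823702020a")).decode()

def _tlv(buf, i):
    """Read one DER TLV at buf[i]; return (tag, value_start, value_end)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:  # long form: low 7 bits give the count of length bytes
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    if i + n > len(buf):
        raise ValueError("truncated token")
    return tag, i, i + n

def _oid(body):
    """Decode DER OID content bytes (first arc 0 or 1) to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))

def offered_mechs(header_value):
    """List the mechanisms named in an 'Authorization: Negotiate ...' value."""
    raw = base64.b64decode(header_value.split()[-1])  # token follows the scheme
    if raw.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP (raw, no GSS-API framing)"]
    tag, i, _ = _tlv(raw, 0)  # 0x60 = GSS-API InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial token")
    _, s, i = _tlv(raw, i)  # thisMech OID
    mech = _oid(raw[s:i])
    if mech != SPNEGO:
        return [MECHS.get(mech, mech)]
    for want in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit -> mechTypes list
        tag, i, end = _tlv(raw, i)
        if tag != want:
            raise ValueError("unexpected SPNEGO structure")
    out = []
    while i < end:
        _, s, i = _tlv(raw, i)
        out.append(MECHS.get(_oid(raw[s:i]), _oid(raw[s:i])))
    return out
```

Pass it the full header value copied from the browser's network inspector, for example `offered_mechs(SAMPLE)`.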