[keycloak-user] Exception in Kerberos Credential Delegation example

Marek Posolda mposolda at redhat.com
Wed Jun 7 16:12:50 EDT 2017


You can try to enable some additional logging as mentioned in the 
"troubleshooting" section of the Kerberos docs.

One thing which looks a bit strange to me is the name of the HTTP 
principal with the IP address in it. Does it work with the same principal 
for your N1 and N2 machines? I would try to use the name instead of the IP 
address. But I'm not 100% sure the issue is really this...

Marek
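A check for Marek's suggestion, added here as an example (not code from the thread or from Keycloak): it takes the HTTP service principal from the log line, flags an IP literal in the host part, and otherwise verifies that forward and reverse DNS for the host agree, which is what the "reverse DNS lookup configuration" hint in the warning points at. The DNS answers and host names below are constructed, not taken from the thread.

```python
import re
import socket

# Principal copied from the log line in the thread (octets masked as in the original).
SPN_FROM_LOG = "HTTP/192.168.xx.xx@IMPETUS.CO.IN"

# Constructed forward (name -> address) and reverse (address -> name) answers that
# stand in for DNS so the check runs offline; pass resolve=CONSTRUCTED_DNS.__getitem__.
CONSTRUCTED_DNS = {
    "n1.impetus.example": "192.168.10.5",
    "192.168.10.5": "n1.impetus.example",     # PTR agrees with the A record
    "n2.impetus.example": "192.168.10.6",
    "192.168.10.6": "other.impetus.example",  # PTR points at a different name
}

def is_ip_like(host):
    """True for a dotted-quad host part; 'xx' octets masked as in the log count too."""
    return re.fullmatch(r"(\d{1,3}|x+)(\.(\d{1,3}|x+)){3}", host, re.IGNORECASE) is not None

def system_resolve(name_or_ip):
    """Real lookups through the OS resolver: PTR for an address, A for a name."""
    if is_ip_like(name_or_ip):
        return socket.gethostbyaddr(name_or_ip)[0]
    return socket.gethostbyname(name_or_ip)

def split_principal(principal):
    """Split 'SERVICE/host@REALM' into its three parts."""
    m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", principal)
    if not m:
        raise ValueError(f"not a service principal: {principal!r}")
    return m.group(1), m.group(2), m.group(3)

def check_spn(principal, resolve=system_resolve):
    """Return a list of findings; an empty list means the SPN looks consistent."""
    findings = []
    _service, host, _realm = split_principal(principal)
    if is_ip_like(host):
        findings.append("host part is an IP address; the browser derives the SPN "
                        "from the host name in the URL, so use the server's FQDN")
        return findings  # DNS agreement is meaningless for an address
    try:
        addr = resolve(host)   # forward: name -> address
        back = resolve(addr)   # reverse: address -> name
    except (KeyError, OSError):  # OSError covers socket.gaierror / socket.herror
        findings.append(f"forward or reverse lookup failed for {host!r}")
        return findings
    if back.lower().rstrip(".") != host.lower().rstrip("."):
        findings.append(f"reverse lookup of {addr} gives {back!r}, not {host!r}")
    return findings
```

Run it against the real SPN from your keytab (`klist -k` lists them) with the default resolver to see whether the name in the keytab, the A record and the PTR record all agree.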

On 07/06/17 13:37, Nirmal Kumar wrote:
> Hi Keycloak,
>
> I set up the keycloak-demo-3.0.0 standalone server with the Kerberos example (kerberos-portal.war) on an *Ubuntu machine (N1)*.
> Next, on another *Ubuntu machine (N2)*, I set up the Kerberos client (did a kinit) and made the required config changes in Firefox, and I am able to access the URL http://N1:8080/kerberos-portal/ and the login page is bypassed as expected.
>
> However, when using another *Windows 8.1 machine (N3)* where I have set up the MIT Kerberos client (did a kinit) + the required config changes in Firefox, I am getting the login page.
> The browser does get the challenge response header WWW-Authenticate: Negotiate and then again sends Authorization: Negotiate YII, but somehow I end up with the login page and see the error below in the WildFly logs.
>
> 2017-06-07 10:46:04,332 INFO  [stdout] (default task-42) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN
> 2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) Will use keytab
> 2017-06-07 10:46:04,335 INFO  [stdout] (default task-42) Commit Succeeded
> 2017-06-07 10:46:04,335 INFO  [stdout] (default task-42)
> *2017-06-07 10:46:04,337 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration*
> 2017-06-07 10:46:04,337 INFO  [stdout] (default task-42)                [Krb5LoginModule]: Entering logout
> 2017-06-07 10:46:04,338 INFO  [stdout] (default task-42)                [Krb5LoginModule]: logged out Subject
>
> I troubleshot for quite a long time but cannot understand where the problem is.
> Can you please give me some pointers to look for?
>
> Thanks,
> -Nirmal
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user