[keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Marek Posolda mposolda at redhat.com
Wed May 3 02:54:12 EDT 2017


Sorry, I don't have much to add :( It seems you would need to fix your 
environment and Windows domain configuration to use Kerberos/SPNEGO 
tokens instead of NTLM. A few posts with possible tips & tricks I found 
during a quick googling:
http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-td1598650.html
http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerberos-ticket-information-to-my-jboss-on-linux
https://archive.sap.com/discussions/thread/998107

Marek

On 02/05/17 17:04, Hendrik Dev wrote:
> bump
>
> On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev <hendrikdev22 at gmail.com> wrote:
>> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>> Hi,
>>>>
>>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>>>> The purpose is to provide single sign-on for users logging in via IE from
>>>> a Windows domain.
>>>> Keycloak itself is running on CentOS, the Kerberos server is Active
>>>> Directory. The setup is working so far because I can log in via 'curl
>>>> --negotiate'. There are also several other Java applications running
>>>> in this environment which are capable of doing SPNEGO over Kerberos
>>>> authentication successfully.
>>>>
>>>> If the user accesses a Keycloak protected application the SPNEGO login
>>>> does not work and the Keycloak login page is displayed instead.
>>>> In the logs I see "Defective token detected (Mechanism level:
>>>> GSSHeader did not find the right tag)" and that's totally right because
>>>> the browser sends
>>>> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>>>> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>>
>>>> For me it looks like the browser never gets either a
>>>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>>>> In other words: the browser never seems to get challenged to do
>>>> SPNEGO over Kerberos.
>>> I will try to summarize if I understand correctly:
>>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
>>> Negotiate ntlm-token-is-here"
>>> 3) Keycloak replied with "WWW-Authenticate: Negotiate
>>> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>>> 4) Your browser didn't reply anything back
>>>
>>> Is it correct?
>> Sorry, no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from Keycloak.
>> As I said, the browser does not get a challenge.
>>
>>
>>
>>> It seems that your browser doesn't have a Kerberos ticket, hence that's why it
>>> uses NTLM instead. I think the best would be to fix your environment, so
>>> that it will send a Kerberos token instead of NTLM at step 2.
>>>
>>> Marek
>>>
>>>> I already tried to fix it
>>>>
>>>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
>>>> but this oddly just ends up in a Basic Auth popup from the browser.
>>>> For the client app the standard flow as well as direct access grants
>>>> is enabled.
>>>>
>>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>>>> load balancer, and Kerberos is set up within the LDAP Federation ()
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks
>>>> Hendrik
>>>>
>>
>>
>> --
>> Hendrik Saly (salyh, hendrikdev22)
>> @hendrikdev22
>> PGP: 0x22D7F6EC
>
>
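The token quoted in the thread can be checked directly rather than guessed at from the browser's behaviour. The following is an added diagnostic example, not code from the thread, from Keycloak, or from Hendrik's fork: it decodes the base64 payload of an "Authorization: Negotiate" header and reports which mechanism it actually carries. The Java GSS error quoted above ("GSSHeader did not find the right tag") refers to the 0x60 APPLICATION tag that every GSS-API initial context token (RFC 2743 section 3.1) starts with; a raw NTLMSSP message starts with the ASCII signature "NTLMSSP\0" instead and so is rejected before any Kerberos processing happens. The `build_gss_token` and `negotiate_header` helpers and the SPNEGO/Kerberos sample tokens are constructed here for the test; the mechanism OIDs and the NTLM Type 1 layout (signature, message type, flags, optional version block) are the standard ones. The NTLM sample is the exact header value from the thread.

```python
import base64

# Header value quoted in the thread: an NTLM NEGOTIATE (Type 1) message sent by IE.
NTLM_SAMPLE = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# DER-encoded mechanism OIDs that follow the GSS-API 0x60 tag in a real
# SPNEGO/Kerberos initial context token.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",               # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",     # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "MS Kerberos 5",  # 1.2.840.48018.1.2.2
}

# NTLM NEGOTIATE flag that says an 8-byte version block is present at offset 32.
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def _der_length(buf: bytes, pos: int):
    """Return (length, position after the length field) for a DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def build_gss_token(mech_oid_der: bytes, inner: bytes) -> bytes:
    """Wrap bytes in a GSS-API InitialContextToken: 0x60, length, OID, inner token.
    Constructed helper used only to produce test samples (short-form length only)."""
    body = mech_oid_der + inner
    if len(body) >= 0x80:
        raise ValueError("sample builder only supports short-form lengths")
    return b"\x60" + bytes([len(body)]) + body


def negotiate_header(raw: bytes) -> str:
    """Render a raw token the way a browser sends it in the Authorization header."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


def classify_negotiate_token(header_value: str) -> dict:
    """Decode an 'Authorization: Negotiate <b64>' value (or the bare <b64> part)
    and say which mechanism it carries, so an NTLM token can be told apart from a
    Kerberos/SPNEGO one without relying on the server's error message."""
    token = header_value.strip()
    if token.lower().startswith("negotiate "):
        token = token[len("negotiate "):].strip()
    raw = base64.b64decode(token)

    # Raw NTLMSSP message: no GSS-API framing at all, hence the 'wrong tag' error.
    if raw.startswith(b"NTLMSSP\x00"):
        info = {"mechanism": "NTLM",
                "ntlm_message_type": int.from_bytes(raw[8:12], "little")}
        if info["ntlm_message_type"] == 1 and len(raw) >= 40:
            flags = int.from_bytes(raw[12:16], "little")
            info["flags"] = flags
            if flags & NTLMSSP_NEGOTIATE_VERSION:
                major, minor = raw[32], raw[33]
                build = int.from_bytes(raw[34:36], "little")
                info["os_version"] = f"{major}.{minor}.{build}"
        return info

    # GSS-API initial context token: [APPLICATION 0] tag, length, then the mech OID.
    if raw[:1] == b"\x60":
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + 1] == b"\x06":
            oid_len, oid_start = _der_length(raw, pos + 1)
            oid_der = raw[pos:oid_start + oid_len]
            return {"mechanism": MECH_OIDS.get(oid_der, "GSS-API (unknown OID)"),
                    "oid_der": oid_der.hex()}
        return {"mechanism": "GSS-API (malformed header)"}

    return {"mechanism": "unknown", "first_bytes": raw[:8].hex()}


if __name__ == "__main__":
    print(classify_negotiate_token("Negotiate " + NTLM_SAMPLE))
```

Run against the header from the thread, the classifier reports an NTLM Type 1 message with the version block set, which is enough to confirm that the client never obtained (or never chose to use) a Kerberos ticket for that host and that the fix lies on the Windows/domain side, exactly as Marek suggests. The same function run over tokens captured from the other Java applications in the environment, which do work, should report SPNEGO or Kerberos 5, which makes the comparison concrete.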


