[keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Adam Keily adam.keily at adelaide.edu.au
Wed May 3 23:30:43 EDT 2017


Downgrading is not an option as RHSSO 7.1 supports only openjdk 1.8.

After updating to the latest 1.8 via the RHEL repo and restarting Keycloak it appears to be working. What version of JDK are you using?

-----Original Message-----
From: Adam Keily
Sent: Thursday, 4 May 2017 9:01 AM
To: 'Marek Posolda' <mposolda at redhat.com>
Subject: RE: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5) on RHEL7. I believe it's related to this bug in JDK 1.8: https://bugs.openjdk.java.net/browse/JDK-8078439

For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I think you'll be ok.

Adam

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
Sent: Wednesday, 3 May 2017 4:24 PM
To: Hendrik Dev <hendrikdev22 at gmail.com>
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Sorry, I don't have much to add :( It seems you would need to fix your environment and Windows domain configuration to use Kerberos/SPNEGO tokens instead of NTLM. A few posts with possible tips & tricks I found during quick googling:
http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-td1598650.html
http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerberos-ticket-information-to-my-jboss-on-linux
https://archive.sap.com/discussions/thread/998107

Marek

On 02/05/17 17:04, Hendrik Dev wrote:
> bump
>
> On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev <hendrikdev22 at gmail.com> wrote:
>> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>> Hi,
>>>>
>>>> I am trying to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>>>> The purpose is to provide single sign-on for users logging in via IE
>>>> from a Windows domain.
>>>> Keycloak itself is running on CentOS, the Kerberos server is Active
>>>> Directory. The setup is working so far because I can log in via
>>>> 'curl --negotiate'. There are also several other Java applications
>>>> running in this environment which are capable of doing SPNEGO over
>>>> Kerberos authentication successfully.
>>>>
>>>> If the user accesses a Keycloak protected application the SPNEGO
>>>> login does not work and the Keycloak login page is displayed instead.
>>>> In the logs I see "Defective token detected (Mechanism level:
>>>> GSSHeader did not find the right tag)" and that's totally right
>>>> because the browser sends
>>>> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>>>> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>>
>>>> For me it looks like the browser never gets either a
>>>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>>>> In other words: the browser never seems to get challenged to do
>>>> SPNEGO over Kerberos.
>>> I will try to summarize if I understand correctly:
>>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
>>> Negotiate ntlm-token-is-here"
>>> 3) Keycloak replied with "WWW-Authenticate: Negotiate
>>> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>>> 4) Your browser didn't reply anything back
>>>
>>> Is it correct?
>> Sorry, no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from Keycloak.
>> As I said, the browser does not get a challenge.
>>
>>
>>
>>> It seems that your browser doesn't have a Kerberos ticket, hence
>>> that's why it uses NTLM instead. I think the best would be to fix
>>> your environment, so that it will send a Kerberos token instead of NTLM at step 2.
>>>
>>> Marek
>>>
>>>> I already tried to fix it
>>>>
>>>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
>>>> but this oddly just ends up in a Basic Auth popup from the browser.
>>>> For the client app the standard flow as well as direct access
>>>> grants are enabled.
>>>>
>>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>>>> load balancer, and Kerberos is set up within the LDAP Federation ()
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks
>>>> Hendrik
>>>>
>>
>>
>> --
>> Hendrik Saly (salyh, hendrikdev22)
>> @hendrikdev22
>> PGP: 0x22D7F6EC
>
>
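The failure described in this thread is visible in the first bytes of the Authorization header: GSSHeader expects a DER [APPLICATION 0] tag (0x60) followed by a mechanism OID, while a ticketless IE sends a raw NTLMSSP message. The following helper is an added example, not code from the thread or from Keycloak; it decodes a `Negotiate` header value the same way and reports whether the browser sent raw NTLM (the token quoted above), a bare Kerberos token, or a SPNEGO NegTokenInit and which mechanisms that offers. The function names and the constructed NegTokenInit sample are assumptions of this example.

```python
import base64, binascii

# DER-encoded OID contents (tag and length stripped): SPNEGO 1.3.6.1.5.5.2,
# Kerberos V5 1.2.840.113554.1.2.2, NTLMSSP 1.3.6.1.4.1.311.2.2.10.
SPNEGO, KRB5, NTLMSSP = (bytes.fromhex(h) for h in
                         ("2b0601050502", "2a864886f712010202", "2b060401823702020a"))
OID_NAMES = {SPNEGO: "spnego", KRB5: "krb5", NTLMSSP: "ntlmssp"}

def der(tag, content):  # short-form DER TLV; content < 128 bytes suffices here
    return bytes([tag, len(content)]) + content

def tlv(buf, i):  # parse one DER TLV at buf[i] -> (tag, content, index after it)
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def classify_negotiate_token(header_value):
    """'ntlm-typeN' for raw NTLMSSP (what IE sends when it has no ticket),
    'krb5' for a bare Kerberos token, 'spnego:<mechs offered>' for a NegTokenInit."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "bad-base64"
    if raw.startswith(b"NTLMSSP\x00"):  # not a GSS-API token at all
        return "ntlm-type%d" % int.from_bytes(raw[8:12], "little")
    if len(raw) < 2 or raw[0] != 0x60:  # GSS InitialContextToken is [APPLICATION 0]
        return "unknown"                # (Keycloak's "did not find the right tag" case)
    _, body, _ = tlv(raw, 0)
    tag, oid, i = tlv(body, 0)          # thisMech OID comes first
    mech = OID_NAMES.get(oid, "other") if tag == 0x06 else "other"
    if mech != "spnego":
        return mech
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    lst = tlv(tlv(tlv(tlv(body, i)[1], 0)[1], 0)[1], 0)[1]
    offered, j = [], 0
    while j < len(lst):
        _, o, j = tlv(lst, j)
        offered.append(OID_NAMES.get(o, "other"))
    return "spnego:" + ",".join(offered)

# Constructed samples: the NTLM header quoted above, plus a minimal NegTokenInit built here
# that offers Kerberos first and NTLM second.
NTLM_HEADER = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
_mechs = der(0x30, der(0x06, KRB5) + der(0x06, NTLMSSP))
_init = der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, der(0xA0, _mechs))))
SPNEGO_HEADER = "Negotiate " + base64.b64encode(_init).decode()
```

Run over captured headers, `ntlm-type1` confirms the client never obtained a service ticket, which points at the SPN/keytab or the browser's intranet-zone configuration rather than at Keycloak's SPNEGO authenticator.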

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
