[keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0

Hendrik Dev hendrikdev22 at gmail.com
Thu May 4 06:38:03 EDT 2017


Hi Adam,

I tried 1.8.0_31 but it does not work. Currently we use
java-1.8.0-openjdk-1.8.0.131-2.b11.el7_3.x86_64

Here are screenshots of the request flow (reg1.uat.xxx is the secured
application):

On Thu, May 4, 2017 at 5:30 AM, Adam Keily <adam.keily at adelaide.edu.au> wrote:
> Downgrading is not an option as RHSSO 7.1 supports only openjdk 1.8.
>
> After updating to latest 1.8 via RHEL repo and restarting keycloak it appears working. What version of JDK are you using?
>
> -----Original Message-----
> From: Adam Keily
> Sent: Thursday, 4 May 2017 9:01 AM
> To: 'Marek Posolda' <mposolda at redhat.com>
> Subject: RE: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
>
> We were getting the same issue with RHSSO 7.1 (Keycloak 2.5.5.) on RHEL7. I believe it's related to this bug in JDK 1.8. https://bugs.openjdk.java.net/browse/JDK-8078439
>
> For us, downgrading to JDK 1.7 fixed the issue. As long as you use v 1.8.0_31 or earlier I think you'll be ok.
>
> Adam
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Marek Posolda
> Sent: Wednesday, 3 May 2017 4:24 PM
> To: Hendrik Dev <hendrikdev22 at gmail.com>
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Kerberos/SPNEGO Problem with Keycloak 3.0.0
>
> Sorry, I don't have much to add :( It seems you would need to fix your environment and Windows domain configuration to use Kerberos/SPNEGO tokens instead of NTLM. A few posts with possible tips & tricks I found during quick googling:
> http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-td1598650.html
> http://stackoverflow.com/questions/17340564/why-does-ie-not-send-the-kerberos-ticket-information-to-my-jboss-on-linux
> https://archive.sap.com/discussions/thread/998107
>
> Marek
>
> On 02/05/17 17:04, Hendrik Dev wrote:
>> bump
>>
>> On Thu, Apr 27, 2017 at 12:35 PM, Hendrik Dev <hendrikdev22 at gmail.com> wrote:
>>> On Tue, Apr 25, 2017 at 12:56 PM, Marek Posolda <mposolda at redhat.com> wrote:
>>>> On 24/04/17 18:55, Hendrik Dev wrote:
>>>>> Hi,
>>>>>
>>>>> I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0.
>>>>> Purpose is to provide single sign on for users logging in via IE
>>>>> from a windows domain.
>>>>> Keycloak itself is running on CentOS, Kerberos server is Active
>>>>> Directory. The setup is working so far because I can log in via
>>>>> 'curl --negotiate'. There are also several other Java applications
>>>>> running in this environment which are capable of doing SPNEGO over
>>>>> Kerberos authentication successfully.
>>>>>
>>>>> If the user accesses a Keycloak protected application the SPNEGO
>>>>> login does not work and the Keycloak login page is displayed instead.
>>>>> In the logs I see "Defective token detected (Mechanism level:
>>>>> GSSHeader did not find the right tag)" and that's totally right
>>>>> because the browser sends
>>>>> 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
>>>>> which is a SPNEGO-NTLM token (and not a SPNEGO-Kerberos token).
>>>>>
>>>>> For me it looks like the browser never gets either a
>>>>> 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak.
>>>>> In other words: the browser never seems to get challenged to do
>>>>> SPNEGO over Kerberos.
>>>> I will try to summarize if I understand correctly:
>>>> 1) Keycloak sent 401 with "WWW-Authenticate: Negotiate"
>>>> 2) Your browser replied with the SPNEGO-NTLM token like "Authorization:
>>>> Negotiate ntlm-token-is-here"
>>>> 3) Keycloak replied with "WWW-Authenticate: Negotiate
>>>> spnego-token-asking-to-send-kerberos-instead-of-ntlm"
>>>> 4) Your browser didn't reply anything back
>>>>
>>>> Is it correct?
>>> Sorry, no. I never see a 401 nor a "WWW-Authenticate: Negotiate" from Keycloak.
>>> As I said, the browser does not get a challenge.
>>>
>>>
>>>
>>>> It seems that your browser doesn't have a Kerberos ticket, hence
>>>> that's why it uses NTLM instead. I think the best would be to fix
>>>> your environment, so that it will send a Kerberos token instead of NTLM at step 2.
>>>>
>>>> Marek
>>>>
>>>>> I already tried to fix it
>>>>> (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce0d9cd703)
>>>>> but this oddly just ends up in a Basic Auth popup
>>>>> from the browser.
>>>>> For the client app the standard flow as well as direct access
>>>>> grants is enabled.
>>>>>
>>>>> Keycloak is deployed as HA with 3 nodes and runs behind a HW
>>>>> loadbalancer, and Kerberos is set up within the LDAP Federation ()
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks
>>>>> Hendrik
>>>>>
>>>
>>>
>>> --
>>> Hendrik Saly (salyh, hendrikdev22)
>>> @hendrikdev22
>>> PGP: 0x22D7F6EC
>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user



-- 
Hendrik Saly (salyh, hendrikdev22)
@hendrikdev22
PGP: 0x22D7F6EC
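As an added diagnostic example (not from the thread, and not Keycloak's code), the check below decodes a Negotiate header value and tells a raw NTLMSSP message apart from a GSS-API InitialContextToken carrying the SPNEGO or Kerberos mechanism OID, which is the distinction behind the "GSSHeader did not find the right tag" error quoted above. The NTLM sample is the token from the thread; make_gss_token and its minimal wrapper are constructed for illustration.

```python
import base64

# Sample input: the Negotiate header value quoted in the thread (an NTLMSSP
# Type 1 message). Everything else here is constructed for illustration.
NTLM_TOKEN_B64 = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# DER-encoded mechanism OIDs a GSS-API InitialContextToken may carry.
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2


def _der_length(buf, pos):
    """Return (length, position after the length field) for DER data at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(b64):
    """Classify a 'Negotiate <token>' value as ntlm / spnego / kerberos / unknown.

    Returns (kind, ntlm_message_type); the second item is only set for NTLM.
    """
    tok = base64.b64decode(b64)
    # Raw NTLMSSP inside Negotiate is what the GSS layer rejects with
    # "GSSHeader did not find the right tag": there is no 0x60 application tag.
    if tok.startswith(b"NTLMSSP\x00"):
        return "ntlm", int.from_bytes(tok[8:12], "little")
    # RFC 2743 InitialContextToken: 0x60 <len> 0x06 <oid-len> <oid> <inner token>
    if tok[:1] != b"\x60":
        return "unknown", None
    _, pos = _der_length(tok, 1)
    if tok[pos:pos + 1] != b"\x06":
        return "unknown", None
    oid_len, pos = _der_length(tok, pos + 1)
    oid = tok[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "spnego", None
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos", None
    return "unknown", None


def make_gss_token(oid, inner=b"\xa0\x00"):
    """Constructed helper: wrap an OID and inner bytes in a minimal 0x60 header."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()
```

Running classify_negotiate_token on the thread's token yields ("ntlm", 1), i.e. an NTLM Type 1 negotiate message, confirming the browser never produced a Kerberos ticket for the service.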