[keycloak-user] Kerberos Authentication

"Matthias Müller" matthiasmueller07 at web.de
Thu Jul 12 06:52:48 EDT 2018


Hello Jochen,

here is the trace information. I do not have much experience with Kerberos, maybe you can see a reason?

KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/servername at domain.local
[8639] 1531391993.35803: Getting initial credentials for HTTP/servername at domain.local
[8639] 1531391993.36009: Looked up etypes in keytab: aes256-cts
[8639] 1531391993.36071: Sending request (196 bytes) to domain.local
[8639] 1531391993.36099: Resolving hostname kerberos.domain.local
[8639] 1531391993.36411: Sending initial UDP request to dgram xx.xx.xx.xx:88
[8639] 1531391994.37505: Initiating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391994.47972: Sending TCP request to stream xx.xx.xx.xx:88
[8639] 1531391994.59194: Received answer (209 bytes) from stream xx.xx.xx.xx:88
[8639] 1531391994.59365: Terminating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391994.123891: Response was not from master KDC
[8639] 1531391994.124071: Received error from KDC: -1765328359/Additional pre-authentication required
[8639] 1531391994.124163: Processing preauth types: 16, 15, 19, 2
[8639] 1531391994.124216: Selected etype info: etype aes256-cts, salt "DOMAIN.LOCALHTTPservername", params ""
[8639] 1531391994.124325: Retrieving HTTP/servername at domain.local from FILE:/etc/keytab/servername.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[8639] 1531391994.124420: AS key obtained for encrypted timestamp: aes256-cts/3C17
[8639] 1531391994.124492: Encrypted timestamp (for 1531391993.432619): plain 301AA011180F32303138303731323130333935335AA10502030699EB, encrypted 1AB1CF23868718D3F7DCCB375E7B5C09655FE360088E5877846A9E84E7CCFD424496D15486173B0A8DE54FB12C394A9481BC9DFDCD5A032E
[8639] 1531391994.124544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[8639] 1531391994.124572: Produced preauth for next request: 2
[8639] 1531391994.124622: Sending request (276 bytes) to domain.local
[8639] 1531391994.124690: Resolving hostname kerberos.domain.local
[8639] 1531391994.124813: Sending initial UDP request to dgram xx.xx.xx.xx:88
[8639] 1531391995.125972: Initiating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391995.136487: Sending TCP request to stream xx.xx.xx.xx:88
[8639] 1531391995.147521: Received answer (176 bytes) from stream xx.xx.xx.xx:88
[8639] 1531391995.147682: Terminating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391995.178245: Response was not from master KDC
[8639] 1531391995.178431: Received error from KDC: -1765328360/Preauthentication failed
[8639] 1531391995.178507: Preauth tryagain input types: 16, 15, 19, 2
[8639] 1531391995.178569: Getting initial credentials for HTTP/servername at domain.local
[8639] 1531391995.178667: Looked up etypes in keytab: aes256-cts
[8639] 1531391995.178731: Sending request (196 bytes) to domain.local (master)
kinit: Preauthentication failed while getting initial credentials

domain.local is the name of the domain
kerberos.domain.local is an Active Directory server with Kerberos enabled
servername is the server the application is installed on

Thanks

"Matthias Müller" <matthiasmueller07 at web.de> writes:

> I added the necessary fields in the ldap configuration before.
>  
> Realm: local.domain
> Principal: HTTP/server.name at local.domain
> Keytab: /etc/keytab/servername.keytab

Ok.

> local.domain and server.name are place holder for the original settings.

> The following message is shown with kinit and kvno:
> kinit: Preauthentication failed while getting initial credentials
> No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name

That's bad. My system has:

[root at saml keycloak]# kinit -kt keycloak.keytab HTTP/saml.example.org
[root at saml keycloak]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/saml.example.org at EXAMPLE.ORG

Valid starting       Expires              Service principal
08.07.2018 22:09:40  09.07.2018 22:09:40  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG

Until that works you don't need to look at anything else.
Please try:

KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/server.name at local.domain

> When I read the keytab file with klist the output is:
> 0 01/01/1970 00:00:00 HTTP/server.name at local.domain (aes256-cts-hmac-sha1-96)

That date looks fishy.

[root at saml keycloak]# klist -k keycloak.keytab 
Keytab name: FILE:keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/saml.example.org at EXAMPLE.ORG
   1 HTTP/saml.example.org at EXAMPLE.ORG
   1 HTTP/saml.example.org at EXAMPLE.ORG
   1 HTTP/saml.example.org at EXAMPLE.ORG

Can you please move the discussion back to the keycloak list?  Thanks.

Jochen

-- 
This space is intentionally left blank.
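The trace in the mail above contains the whole story of the failure: the KDC asks for pre-authentication, kinit builds an encrypted timestamp from the key in the keytab (vno 0, aes256-cts), sends it, and the KDC answers "Preauthentication failed". When the keytab lookup itself succeeds and the KDC still rejects the timestamp, the key in the keytab is not the key the KDC holds for that principal; the usual suspects are a stale kvno, a different password, a different enctype, or a key derived with a different salt. The script below is an added example (not code from the thread or from Keycloak) that parses KRB5_TRACE output and prints that verdict plus the next things to check. The sample trace is constructed from the lines quoted above, with "@" written out (the list archive prints " at " instead); the hints it emits are possibilities to verify, not a confirmed diagnosis of this particular setup.

```python
"""Parse MIT krb5 KRB5_TRACE output from a keytab-based kinit and explain the
KDC's answer.  Added example; not part of the mailing-list thread or Keycloak."""
import re

# Constructed sample: the KRB5_TRACE lines from the mail above, trimmed to the
# ones that matter.  The list archive prints " at " for "@"; real output uses "@".
SAMPLE_TRACE = """\
[8639] 1531391993.35803: Getting initial credentials for HTTP/servername@domain.local
[8639] 1531391993.36009: Looked up etypes in keytab: aes256-cts
[8639] 1531391994.124071: Received error from KDC: -1765328359/Additional pre-authentication required
[8639] 1531391994.124163: Processing preauth types: 16, 15, 19, 2
[8639] 1531391994.124216: Selected etype info: etype aes256-cts, salt "DOMAIN.LOCALHTTPservername", params ""
[8639] 1531391994.124325: Retrieving HTTP/servername@domain.local from FILE:/etc/keytab/servername.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[8639] 1531391994.124544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[8639] 1531391995.178431: Received error from KDC: -1765328360/Preauthentication failed
"""

# Protocol error codes exactly as krb5 prints them in the trace (KRB5KDC_ERR_*).
KDC_ERR_PREAUTH_FAILED = -1765328360
KDC_ERR_PREAUTH_REQUIRED = -1765328359

LINE_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
PATTERNS = {
    "principal": re.compile(r"Getting initial credentials for (\S+)"),
    "keytab_etypes": re.compile(r"Looked up etypes in keytab: (.*)"),
    "kdc_error": re.compile(r"Received error from KDC: (-?\d+)/(.*)"),
    "etype_info": re.compile(r'Selected etype info: etype (\S+), salt "([^"]*)"'),
    "keytab_entry": re.compile(r"Retrieving (\S+) from (\S+) \(vno (\d+), enctype (\S+)\) with result: (\d+)/(.*)"),
    "preauth_result": re.compile(r"Preauth module (\S+) \((\d+)\) \(real\) returned: (\d+)/"),
}


def parse_trace(text):
    """Return (timestamp, kind, groups) for each trace line matching a known pattern."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # kinit's final one-line error message, or other noise
        ts, msg = float(m.group(2)), m.group(3)
        for kind, pat in PATTERNS.items():
            pm = pat.search(msg)
            if pm:
                events.append((ts, kind, pm.groups()))
                break
    return events


def diagnose(text):
    """Condense a keytab kinit trace into facts, a verdict, and hints to check next."""
    facts = {"principal": None, "keytab_etypes": [], "kdc_errors": [], "kdc_salt": None,
             "kdc_etype": None, "keytab_entry": None, "preauth_sent": False, "hints": []}
    for _, kind, g in parse_trace(text):
        if kind == "principal" and facts["principal"] is None:
            facts["principal"] = g[0]
        elif kind == "keytab_etypes":
            facts["keytab_etypes"] = [e.strip() for e in g[0].split(",")]
        elif kind == "kdc_error":
            facts["kdc_errors"].append((int(g[0]), g[1]))
        elif kind == "etype_info":
            facts["kdc_etype"], facts["kdc_salt"] = g
        elif kind == "keytab_entry":
            facts["keytab_entry"] = {"principal": g[0], "keytab": g[1], "vno": int(g[2]),
                                     "enctype": g[3], "result": int(g[4])}
        elif kind == "preauth_result" and g[0] == "encrypted_timestamp" and g[2] == "0":
            facts["preauth_sent"] = True  # a timestamp was encrypted with the keytab key

    codes = [c for c, _ in facts["kdc_errors"]]
    entry = facts["keytab_entry"]
    if entry and entry["result"] != 0:
        facts["verdict"] = "no usable key in keytab for this principal/enctype"
    elif KDC_ERR_PREAUTH_FAILED in codes and facts["preauth_sent"]:
        facts["verdict"] = ("KDC rejected the encrypted timestamp: the key stored in the keytab "
                            "is not the key the KDC holds for this principal")
    elif codes == [KDC_ERR_PREAUTH_REQUIRED] or not codes:
        facts["verdict"] = "no fatal KDC error in trace"
    else:
        facts["verdict"] = "KDC error: " + facts["kdc_errors"][-1][1]

    # Hints a practitioner checks next; each is a possibility, not a confirmed cause.
    if entry and entry["vno"] == 0:
        facts["hints"].append("keytab entry has vno 0; compare with the KDC's kvno (kvno(1))")
    if facts["kdc_etype"] and facts["kdc_etype"] not in facts["keytab_etypes"]:
        facts["hints"].append(f"KDC wants {facts['kdc_etype']} but keytab offers {facts['keytab_etypes']}")
    if facts["principal"] and facts["kdc_salt"]:
        realm = facts["principal"].split("@", 1)[-1]
        if facts["kdc_salt"].startswith(realm.upper()) and not facts["kdc_salt"].startswith(realm):
            facts["hints"].append(f"KDC salt uses realm {realm.upper()!r}; kinit used {realm!r}. "
                                  "Realms are case-sensitive, and a keytab whose AES key was derived "
                                  "with the lowercase realm in the salt holds a different key")
    return facts


if __name__ == "__main__":
    result = diagnose(SAMPLE_TRACE)
    print("verdict:", result["verdict"])
    for hint in result["hints"]:
        print("hint:", hint)
```

Run it against a real capture with `KRB5_TRACE=/dev/stderr kinit -kt … 2>trace.txt` and feed the file to `diagnose()`. The realm-case hint only fires when the salt the KDC announces starts with the upper-cased realm while kinit was given the lower-cased one, as in the trace above; whether that is the actual cause here is not something the thread establishes.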


