[keycloak-user] Kerberos authentication in Windows
Dominique ARNOU
dominique.arnou at cnieg.fr
Tue Jun 26 08:46:01 EDT 2018
Hi
Your server principal would be HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL, not HTTPS/...
Dominique
-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Otaño Pavo, Cesar
Sent: Tuesday, 26 June 2018 14:13
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Kerberos authentication in Windows
Hi,
I'm trying to set up user authentication mechanism for my website using Keycloak and Kerberos protocol. I have followed instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html
In Keycloak configuration menu I have changed Authentication Flow for Browser Kerberos from alternative to required. settings<http://i.imgur.com/hgAnHJJ.png>.
But after that, when I go to my web page, I get the message "Kerberos is not set up. You cannot login."
Additional information:
· Keycloak is installed in Windows Server 2012.
· Command to create keytabfile:
ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL -mapUser Keycloak@SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT
· Configuration KRB5.ini located in c:\windows
[domain_realm]
.sanbox.local = SANBOX.LOCAL
sanbox.local = SANBOX.LOCAL
[libdefaults]
default_realm = SANBOX.LOCAL
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
[realms]
SANBOX.LOCAL = {
    kdc = sb-ad.sanbox.local
    admin_server = sb-ad.sanbox.local
    default_domain = SANBOX.LOCAL
}
· Kerberos Integration:
Allow Kerberos authentication: YES
Kerberos Realm SANBOX.LOCAL
Server Principal HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
KeyTab C:/keycloak.keytab
Debug YES
Use Kerberos For Password Authentication YES
Regards
Cesar
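An added example, not part of the thread: a Python check for the mismatch pointed out in the reply, comparing the Keycloak Server Principal with the -princ value given to ktpass and with permitted_enctypes in krb5.ini. The function names and the ktpass-to-krb5 enctype table are this example's own assumptions; the sample values are copied from the messages above.

```python
import re

# ktpass -crypto names mapped to the enctype names used in the krb5.ini above.
KTPASS_TO_KRB5 = {
    "RC4-HMAC-NT": "arcfour-hmac-md5",
    "AES128-SHA1": "aes128-cts",
    "AES256-SHA1": "aes256-cts",
}

# Sample values copied from the thread (password already masked there).
KTPASS_CMD = (
    r"ktpass -out c:\keycloak.keytab "
    r"-princ HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL -mapUser Keycloak@SANBOX.LOCAL "
    r"-pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT"
)
PERMITTED = "aes128-cts aes256-cts arcfour-hmac-md5"

def parse_principal(principal):
    """Split service/host@REALM into (service, host, realm)."""
    m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", principal.strip())
    if not m:
        raise ValueError(f"not a service principal: {principal!r}")
    return m.groups()

def ktpass_option(cmd, name):
    """Return the value that follows -name (or /name) in a ktpass command line."""
    m = re.search(rf"(?i)(?:^|\s)[-/]{name}\s+(\S+)", cmd)
    return m.group(1) if m else None

def check(ktpass_cmd, server_principal, permitted_enctypes):
    """List mismatches between the keytab, the Keycloak setting and krb5.ini."""
    problems = []
    keytab_princ = ktpass_option(ktpass_cmd, "princ")
    svc, host, realm = parse_principal(server_principal)
    k_svc, k_host, k_realm = parse_principal(keytab_princ)
    if svc != "HTTP":  # browsers request HTTP/<host> for SPNEGO, also over TLS
        problems.append(f"service class is {svc}, SPNEGO expects HTTP")
    if (svc, host.lower(), realm) != (k_svc, k_host.lower(), k_realm):
        problems.append(f"server principal differs from keytab principal {keytab_princ}")
    crypto = ktpass_option(ktpass_cmd, "crypto")
    enctype = KTPASS_TO_KRB5.get(crypto.upper()) if crypto else None
    if enctype and enctype not in permitted_enctypes.split():
        problems.append(f"keytab enctype {enctype} not in permitted_enctypes")
    return problems

if __name__ == "__main__":
    for p in check(KTPASS_CMD, "HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL", PERMITTED):
        print("MISMATCH:", p)
```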