[keycloak-user] keycloak-user Digest, Vol 54, Issue 41

Otaño Pavo, Cesar c.otano at ibermatica.com
Wed Jun 27 02:37:08 EDT 2018


Hi Dominique,

There is an error in the description of the ktpass command.

The command is really:

ktpass -out c:\keycloak.keytab -princ HTTPS/facultativoskeycloak.sanbox.local at SANBOX.LOCAL -mapUser Keycloak at SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Regards

------------------------------

Message: 5
Date: Tue, 26 Jun 2018 12:46:01 +0000
From: Dominique ARNOU <dominique.arnou at cnieg.fr>
Subject: Re: [keycloak-user] Kerberos authentication in Windows
To: Otaño Pavo, Cesar <c.otano at ibermatica.com>,
        "keycloak-user at lists.jboss.org" <keycloak-user at lists.jboss.org>
Message-ID:
        <DB6PR07MB323955D8C4121CCE0FFC686686490 at DB6PR07MB3239.eurprd07.prod.outlook.com>

Content-Type: text/plain; charset="iso-8859-1"

Hi

Your server principal would be  HTTP/facultativoskeycloak.sanbox.local at SANBOX.LOCAL, not HTTPS/...

Dominique

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Otaño Pavo, Cesar
Sent: Tuesday, 26 June 2018 14:13
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Kerberos authentication in Windows

Hi,

I'm trying to set up a user authentication mechanism for my website using Keycloak and the Kerberos protocol. I have followed the instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html

In the Keycloak configuration menu I have changed the Authentication Flow for Browser Kerberos from alternative to required (settings: http://i.imgur.com/hgAnHJJ.png).

But after that, when I go to my web page, I get the message "Kerberos is not set up. You cannot login."



Additional information:

- Keycloak is installed in Windows Server 2012.

- Command to create the keytab file:

ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local at SANBOX.LOCAL -mapUser Keycloak at SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

- Configuration KRB5.ini located in c:\windows

[domain_realm]
    .sanbox.local = SANBOX.LOCAL
    sanbox.local = SANBOX.LOCAL

[libdefaults]
    default_realm = SANBOX.LOCAL
    permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

[realms]
SANBOX.LOCAL = {
    kdc = sb-ad.sanbox.local
    admin_server = sb-ad.sanbox.local
    default_domain = SANBOX.LOCAL
}


- Kerberos Integration:

Allow Kerberos authentication              YES
Kerberos Realm                             SANBOX.LOCAL
Server Principal                           HTTPS/facultativoskeycloak.sanbox.local at SANBOX.LOCAL
KeyTab                                     C:/keycloak.keytab
Debug                                      YES
Use Kerberos For Password Authentication   YES


Regards

Cesar
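
The check this thread turns on, as an added example that is not part of the original messages: it reads a keytab in the MIT 0x0502 layout and reports whether it holds a key for the Server Principal configured in Keycloak, and whether that principal uses the HTTP/ service class. The function names and the sample keytab (dummy all-zero key) are constructed here, the archive's " at " is written as "@", and it is assumed that the file written by ktpass uses this layout.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _cstr(buf, off):  # counted string: big-endian uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, 8-bit kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative length = deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _cstr(data, p)
            comps.append(comp.decode())
        # name type, timestamp, 8-bit kvno, enctype; the key bytes and the
        # optional 32-bit kvno that follow are skipped via the entry length
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPES.get(etype, str(etype))))
        off = end
    return entries

def check_server_principal(keytab, configured):
    """List mismatches between the keytab and the configured Server Principal."""
    problems = []
    if not configured.startswith("HTTP/"):
        problems.append("service class must be HTTP/ for SPNEGO, even over TLS")
    held = [e[0] for e in parse_keytab(keytab)]
    if configured not in held:
        problems.append("keytab has no key for %s (holds %s)" % (configured, held))
    return problems

def build_entry(principal, kvno, etype, key):  # constructed test data only
    name, realm = principal.split("@")
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(name.split("/"))) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in name.split("/"))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + build_entry("HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL", 0, 23, bytes(16))
```

On a real host, pass the bytes of the keytab file and the exact Server Principal string from the Keycloak Kerberos settings; an empty list means the two agree.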




