[keycloak-user] Kerberos authentication in Windows

Otaño Pavo, Cesar c.otano at ibermatica.com
Wed Jun 27 07:29:49 EDT 2018


Hi,

I'm trying to set up a user authentication mechanism for my website using Keycloak and the Kerberos protocol. I have followed the instructions from here: http://matthewcasperson.blogspot.com/2015/07/authenticating-via-kerberos-with.html

In the Keycloak configuration menu I have changed the Authentication Flow for Browser Kerberos from alternative to required (settings: http://i.imgur.com/hgAnHJJ.png).

But after that, when I go to my web page I get the message "Kerberos is not set up. You cannot login."

After enabling -Dsun.security.krb5.debug=true and -Dsun.security.spnego.debug=true and changing Kerberos authentication from required to alternative, the server log is the following:

13:17:06,116 INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (default task-17) Creating new LDAP Store for the LDAP storage provider: 'ldap', LDAP Configuration: {serverPrincipal=[HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL], pagination=[true], fullSyncPeriod=[-1], connectionPooling=[true], usersDn=[dc=sanbox,dc=local], cachePolicy=[DEFAULT], useKerberosForPasswordAuthentication=[true], importEnabled=[true], enabled=[true], bindDn=[CN=keycloak,CN=Users,DC=sanbox,DC=local], usernameLDAPAttribute=[cn], changedSyncPeriod=[-1], lastSync=[1530011208], vendor=[ad], uuidLDAPAttribute=[objectGUID], allowKerberosAuthentication=[true], connectionUrl=[ldap://sb-ad.sanbox.local:389], syncRegistrations=[false], authType=[simple], debug=[true], searchScope=[2], useTruststoreSpi=[ldapsOnly], keyTab=[C:\\keycloak.keytab], kerberosRealm=[SANBOX.LOCAL], priority=[0], userObjectClasses=[person, organizationalPerson, user], rdnLDAPAttribute=[cn], editMode=[WRITABLE], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
13:17:06,135 INFO  [stdout] (default task-17) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\\keycloak.keytab refreshKrb5Config is false principal is HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
13:17:06,138 INFO  [stdout] (default task-17) principal is HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,139 INFO  [stdout] (default task-17) Will use keytab
13:17:06,140 ERROR [stderr] (default task-17)   [LoginContext]: login success
13:17:06,142 INFO  [stdout] (default task-17) Commit Succeeded
13:17:06,142 INFO  [stdout] (default task-17)
13:17:06,143 ERROR [stderr] (default task-17)   [LoginContext]: commit success
13:17:06,150 INFO  [stdout] (default task-17) Found KeyTab C:\keycloak.keytab for HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,151 INFO  [stdout] (default task-17) Found KeyTab C:\keycloak.keytab for HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,153 INFO  [stdout] (default task-17) Found KeyTab C:\keycloak.keytab for HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,154 INFO  [stdout] (default task-17) Found KeyTab C:\keycloak.keytab for HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
13:17:06,157 INFO  [stdout] (default task-17) Entered SpNegoContext.acceptSecContext with state=STATE_NEW
13:17:06,158 INFO  [stdout] (default task-17) SpNegoContext.acceptSecContext: receiving token = a0 6b 30 69 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 09 2a 86 48 82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 02 1e a2 35 04 33 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 06 00 06 00 2d 00 00 00 05 00 05 00 28 00 00 00 06 03 80 25 00 00 00 0f 53 42 2d 47 49 53 41 4e 42 4f 58
13:17:06,160 INFO  [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
13:17:06,162 INFO  [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
13:17:06,164 INFO  [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
13:17:06,164 INFO  [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
13:17:06,165 INFO  [stdout] (default task-17) SpNegoToken NegTokenInit: reading Mech Token
13:17:06,165 INFO  [stdout] (default task-17) SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
13:17:06,166 INFO  [stdout] (default task-17) SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
13:17:06,166 INFO  [stdout] (default task-17) The underlying mechanism context has not been initialized
13:17:06,168 INFO  [stdout] (default task-17) SpNegoContext.acceptSecContext: mechanism wanted = 1.2.840.113554.1.2.2
13:17:06,170 INFO  [stdout] (default task-17) SpNegoContext.acceptSecContext: negotiated result = ACCEPT_INCOMPLETE
13:17:06,172 INFO  [stdout] (default task-17) SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
13:17:06,172 INFO  [stdout] (default task-17) SpNegoContext.acceptSecContext: sending token = a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02

13:17:06,173 INFO  [stdout] (default task-17)           [Krb5LoginModule]: Entering logout
13:17:06,174 INFO  [stdout] (default task-17)           [Krb5LoginModule]: logged out Subject
13:17:06,175 ERROR [stderr] (default task-17)   [LoginContext]: logout success



Additional information:

+ Keycloak is installed on Windows Server 2012.

+ Command to create the keytab file:

ktpass -out c:\keycloak.keytab -princ HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL -mapUser Keycloak@SANBOX.LOCAL -pass XXXXX -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

+ Configuration KRB5.ini located in c:\windows:

[domain_realm]
    .sanbox.local = SANBOX.LOCAL
    sanbox.local = SANBOX.LOCAL

[libdefaults]
    default_realm = SANBOX.LOCAL
    permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

[realms]
SANBOX.LOCAL = {
    kdc = sb-ad.sanbox.local
    admin_server = sb-ad.sanbox.local
    default_domain = SANBOX.LOCAL
}

+ Kerberos Integration:

Allow Kerberos authentication:           YES
Kerberos Realm                           SANBOX.LOCAL
Server Principal                         HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL
KeyTab                                   C:/keycloak.keytab
Debug                                    YES
Use Kerberos For Password Authentication YES


Regards
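The hex dumps in the "receiving token" and "sending token" lines of the log above can be decoded to see what the browser actually offered and what the server answered. The following is an added example, not part of the original post and not Keycloak code: a small DER walker for SPNEGO NegTokenInit / NegTokenTarg that lists the mechTypes, classifies the optimistic mechToken and reads the reply's negState and supportedMech. Run on the page's own tokens (copied here with the line wraps removed) it shows NTLMSSP listed first and a mechToken that is an NTLM NEGOTIATE_MESSAGE (the bytes 4e 54 4c 4d 53 53 50 00 are "NTLMSSP\0", followed by the workstation and domain names), while the reply is accept-incomplete with KRB5 as the wanted mechanism: the browser presented no Kerberos ticket for this service, so the server asked it to come back with one. The OID names and the NTLM field offsets follow RFC 4178 and MS-NLMP; the "Kerberos AP-REQ" detection is a simple heuristic on the GSS-API InitialContextToken header.

```python
"""Decode the SPNEGO tokens printed by the JDK's sun.security.spnego.debug output.
Added example, not from the original post or from Keycloak. The two hex dumps are the
"receiving token" and "sending token" lines of the log above with line wraps removed."""
import re

RECEIVED_TOKEN_HEX = (
    "a0 6b 30 69 a0 30 30 2e 06 0a 2b 06 01 04 01 82 37 02 02 0a 06 09 2a 86 48 82 "
    "f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b 06 01 04 01 82 37 02 "
    "02 1e a2 35 04 33 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 b2 08 e2 06 00 06 00 "
    "2d 00 00 00 05 00 05 00 28 00 00 00 06 03 80 25 00 00 00 0f 53 42 2d 47 49 53 "
    "41 4e 42 4f 58"
)
SENT_TOKEN_HEX = "a1 14 30 12 a0 03 0a 01 01 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02"

MECH_NAMES = {"1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.2.840.48018.1.2.2": "MS KRB5",
              "1.2.840.113554.1.2.2": "KRB5", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}
KRB5_OID_DER = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlv(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                    # base-128 arcs, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ntlm_negotiate(tok):
    """Flags, domain, workstation and OS version from an NTLM NEGOTIATE_MESSAGE."""
    def payload(off):                    # Len(2) MaxLen(2) Offset(4), little-endian
        ln = int.from_bytes(tok[off:off + 2], "little")
        start = int.from_bytes(tok[off + 4:off + 8], "little")
        return tok[start:start + ln].decode("ascii", "replace")
    return {"flags": int.from_bytes(tok[12:16], "little"),
            "domain": payload(16), "workstation": payload(24),
            "os_version": "%d.%d.%d" % (tok[32], tok[33], int.from_bytes(tok[34:36], "little"))}


def classify_mech_token(tok):
    if tok.startswith(b"NTLMSSP\x00") and int.from_bytes(tok[8:12], "little") == 1:
        return "NTLM NEGOTIATE_MESSAGE"
    if tok[:1] == b"\x60" and KRB5_OID_DER in tok[:16]:   # GSS-API InitialContextToken, KRB5
        return "Kerberos AP-REQ"
    return "unknown"


def decode_spnego(hex_dump):
    """Decode a NegTokenInit ([0]) or NegTokenTarg ([1]) into a dict of its fields."""
    buf = bytes.fromhex(re.sub(r"\s+", "", hex_dump))
    outer, body, _ = read_tlv(buf, 0)
    if outer not in (0xA0, 0xA1):
        raise ValueError("not a SPNEGO NegTokenInit/NegTokenTarg")
    _, seq, _ = read_tlv(body, 0)        # the inner SEQUENCE
    out = {"kind": "NegTokenInit" if outer == 0xA0 else "NegTokenTarg"}
    for tag, value in iter_tlv(seq):
        inner = read_tlv(value, 0)[1]    # each context field wraps exactly one DER value
        if outer == 0xA0 and tag == 0xA0:            # mechTypes: SEQUENCE OF OID
            out["mech_types"] = [(decode_oid(r), MECH_NAMES.get(decode_oid(r), "?"))
                                 for t, r in iter_tlv(inner) if t == 0x06]
        elif outer == 0xA0 and tag == 0xA2:          # mechToken: OCTET STRING
            out["mech_token_type"] = classify_mech_token(inner)
            if out["mech_token_type"] == "NTLM NEGOTIATE_MESSAGE":
                out["ntlm"] = parse_ntlm_negotiate(inner)
        elif outer == 0xA1 and tag == 0xA0:          # negState: ENUMERATED
            out["neg_state"] = NEG_STATES.get(inner[0], str(inner[0]))
        elif outer == 0xA1 and tag == 0xA1:          # supportedMech: OID
            out["supported_mech"] = MECH_NAMES.get(decode_oid(inner), decode_oid(inner))
    return out


def diagnose(init, targ):
    """One-line reading of the exchange to set beside the symptom seen in the browser."""
    first = init["mech_types"][0][1] if init.get("mech_types") else "nothing"
    return "client led with %s, mech token %s; server replied %s wanting %s" % (
        first, init.get("mech_token_type"), targ.get("neg_state"), targ.get("supported_mech"))


if __name__ == "__main__":
    init, targ = decode_spnego(RECEIVED_TOKEN_HEX), decode_spnego(SENT_TOKEN_HEX)
    print(init, targ, sep="\n")
    print(diagnose(init, targ))
```

A browser only puts a Kerberos token in the optimistic mechToken when it could obtain a service ticket for the site; when it leads with an NTLM NEGOTIATE instead, the thing to verify is whether the KDC will issue a ticket for the exact service principal the server's keytab holds. Decoding the reply token the same way confirms the server's half of the exchange (negState accept-incomplete, supportedMech KRB5) without guessing from the surrounding log lines.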

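The ktpass command above writes a keytab for HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL, while the Kerberos Integration settings list HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL as Server Principal. A direct way to catch this class of discrepancy is to read the keytab and compare its principals with the configured string. The following added example (not from the original post and not Keycloak code) builds a keytab in memory mirroring that ktpass command with a dummy key, parses it in the MIT 0x0502 layout that ktpass emits, and reports whether the configured Server Principal has an entry. The principal strings are taken from the post; the key bytes and the second test entry are constructed.

```python
"""Parse a keytab in the MIT 0x0502 format that ktpass writes and check that it holds the
principal Keycloak is configured with. Added example, not from the original post or from
Keycloak; the keytab bytes are constructed here to mirror the ktpass command above
(HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL, RC4-HMAC, kvno 0) with a dummy key."""
import struct

KRB5_NT_PRINCIPAL = 1                     # the -ptype given to ktpass
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

# Values taken from the post: the -princ passed to ktpass and the Server Principal field.
KEYTAB_PRINCIPAL = "HTTP/facultativoskeycloak.sanbox.local@SANBOX.LOCAL"
CONFIGURED_SERVER_PRINCIPAL = "HTTPS/facultativoskeycloak.sanbox.local@SANBOX.LOCAL"
DUMMY_RC4_KEY = b"\x00" * 16              # constructed placeholder, not real key material


def _counted(s):
    return struct.pack(">H", len(s)) + s


def build_keytab_entry(principal, enctype, kvno, key, timestamp=0):
    """Encode one keytab v0x0502 entry (all integers big-endian)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)       # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)


def _read_counted(data, pos):
    (ln,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + ln], pos + 2 + ln


def parse_keytab(data):
    """Return one dict per entry: principal, name_type, kvno, enctype (key bytes are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen
        kvno = vno8
        if end - pos >= 4:                # 32-bit kvno present; overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "name_type": name_type, "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def check_server_principal(entries, configured):
    """(ok, message): does the configured Server Principal have a key in the keytab?"""
    present = sorted({e["principal"] for e in entries})
    if configured in present:
        return True, "keytab holds a key for %s" % configured
    return False, "keytab has no entry for %s; it holds: %s" % (configured, ", ".join(present))


if __name__ == "__main__":
    keytab = build_keytab([build_keytab_entry(KEYTAB_PRINCIPAL, 23, 0, DUMMY_RC4_KEY)])
    entries = parse_keytab(keytab)
    for e in entries:
        print(e)
    print(check_server_principal(entries, CONFIGURED_SERVER_PRINCIPAL))
```

Browsers request service tickets for the HTTP/ service class even when the site is served over TLS, so the -princ given to ktpass, the SPN registered on the mapped account and the Server Principal field in Keycloak have to be the same string. The enctype column is worth reading alongside permitted_enctypes in krb5.ini as well: a keytab that only carries arcfour-hmac can only decrypt tickets issued with that cipher.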
