[keycloak-user] Keycloak 3.4.3: Login With Kerberos and Active Directory with multiple Domains. seem not to work.

Kraenzlein, Ralph ralph.kraenzlein01 at metrosystems.net
Mon Mar 12 04:33:57 EDT 2018 

Hi,

we try out to use Keycloak 3.4.3 as Federation Service With Kerberos and  Active Directory with multiple Domains. (like ADFS)
First we only test authentication with Keycloak, Kerberos Ticket and Active Directory with multiple domains.

Problem:  

Keycloak only seem to read the sAMAccountName from Kerberos Ticket. Not the realm/domain. If the sAMAccountName is in top level (or highest prio) Federation provider authentication is successful. If not it fails.
It is crucial that Keycloak knows in which AD Domain the user from Kerberos ticket is located. Unless Keycloak is not able to get the correct claims for the user.

Test environment:  

Keycloak 3.4.3 standalone on Centos 7 with a Keycloak REALM  EMP_AD. 
We configured 3 LDAP Federation Providers (with Kerberos Integration) for 3 AD Domains: DE.MIT.NET, FR.MIT.NET and BE.MIT.NET.
Each Federation Provider has been configured with the following parameters: vendor:Active Directory, UserName LDAP attribute: sAMAccountName, Kerberos REALM: "Name of AD/Kerberos Domain", ...
sAMAccountName ist unique in each ad domain, but not in forest. In forest only userPrincipalName is unique.
We made the Kerberos Configuration as described in Keycloak-Doc. Also included a keytab file. Our productive company AD and KDCs are used.
2 Test user:  john.smith at de.mit.net (upn in Domain DE.MIT.NET), john.smith at fr.mit.net (upn in Domain FR.MIT.NET). sAMAccountName for both user is john.smith .


Testing:

Since we just test how can handle Keycloak Kerberos, AD and multiple domains we just call the admin realm url for login tests: https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console


First scenario:

User john.smith  is already authenticated in his Windows 7 Client (AD Domain DE.MIT.NET). In Keycloak only Federation Provider for AD Domain DE.MIT.NET is enabled.
When calling https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console  user john.smith gets a Kerberos Ticket for Keycloak. In the Ticket the user is identified with his sAMAccountName and its Kerberos REALM (AD Domain):

klist:

Client: john.smith @ DE.MIT.NET
Server: HTTP/DUS212kcsrv.wert.net @ DAS.MIT.NET
KerbTicket (Verschlüsselungstyp): RSADSI RC4-HMAC(NT)
Ticketkennzeichen 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
...

Result: User john.smith from AD Domain DE.MIT.NET is automatically successfully authenticated in Keycloak. --> Successful


Second scenario:

Same as first scenario, but this time only Federation Provider for AD Domain FR.MIT.NET is enabled. (user john.smith is also available in domain FR.MIT.NET)
Even though Kerberos ticket from user john smith in AD Domain DE.MIT.NET is used, in Keycloak john.smith from AD domain FR.MIT.NET is authenticated. 
 --> NOT successful


Third scenario:

Same as first scenario, but this time all FPs are enabled in Keycloak. The FP for Domain BE.MADM.NET is on top of the list (or has the highest prio) In BE.MADM.NET user john.smith does not exist.
Keycloak only lookup in Federation Provider from Domain BE.MADM.NET for john.smith.  Since there is no one, access to keycloak failed :

server.log:

2018-03-08 16:37:03,121 WARN  [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-1) Kerberos/SPNEGO authentication succeeded with username [john.smith], but couldn't find or create user with federation provider [BE.MADM.NET]
2018-03-08 16:37:03,122 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=EMP_AD, clientId=security-admin-console, userId=null, ipAddress=10.12.45.34, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://DUS212kcsrv.wert.net:8443/auth/admin/EMP_AD/console/, code_id=27a1da71-b5f2-4416-a0dd-6005b409a60a, response_mode=fragment


Best regards

Ralph
Geschäftsanschrift/Business address: METRO SYSTEMS GmbH, Metro-Straße 12, 40235 Düsseldorf, Germany
Aufsichtsrat/Supervisory Board: Heiko Hutmacher (Vorsitzender/ Chairman)
Geschäftsführung/Management Board: Dr. Dirk Toepfer (Vorsitzender/CEO), Wim van Herwijnen
Sitz Düsseldorf, Amtsgericht Düsseldorf, HRB 18232/Registered Office Düsseldorf, Commercial Register of the Düsseldorf Local Court, HRB 18232

Betreffend Mails von *@metrosystems.net
Die in dieser E-Mail enthaltenen Nachrichten und Anhänge sind ausschließlich für den bezeichneten Adressaten bestimmt. Sie können rechtlich geschützte, vertrauliche Informationen enthalten. Falls Sie nicht der bezeichnete Empfänger oder zum Empfang dieser E-Mail nicht berechtigt sind, ist die Verwendung, Vervielfältigung oder Weitergabe der Nachrichten und Anhänge untersagt. Falls Sie diese E-Mail irrtümlich erhalten haben, informieren Sie bitte unverzüglich den Absender und vernichten Sie die E-Mail.

Regarding mails from *@metrosystems.net
This e-mail message and any attachment are intended exclusively for the named addressee. They may contain confidential information which may also be protected by professional secrecy. Unless you are the named addressee (or authorised to receive for the addressee) you may not copy or use this message or any attachment or disclose the contents to anyone else. If this e-mail was sent to you by mistake please notify the sender immediately and delete this e-mail.

More information about the keycloak-user mailing list