[keycloak-user] Domain mode cluster, slave authentication?

Max Allan max.allan+keycloak at surevine.com
Wed Mar 28 11:11:54 EDT 2018


Hi,
Has anyone used the latest WildFly 11 version of Keycloak in domain mode?

I could get it to work on a local instance with host-master and host-slave
config files. But using the same host-slave config on a different instance
it would fail to authenticate.
Error:

[Host Controller] 09:07:25,741 INFO  [org.jboss.remoting] (MSC service thread 1-1) JBoss Remoting version 5.0.5.Final
[Host Controller] 09:07:25,874 INFO  [org.jboss.as.remoting] (MSC service thread 1-2) WFLYRMT0001: Listening on 127.0.0.1:3456
[Host Controller] 09:07:26,167 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0001: Could not connect to remote domain controller remote://192.168.33.10:9999: java.lang.IllegalStateException: WFLYHC0043: Unable to connect due to authentication failure.
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnectionService.rethrowIrrecoverableConnectionFailures(RemoteDomainConnectionService.java:674)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:293)
[Host Controller] at org.jboss.as.host.controller.DomainModelControllerService.connectToDomainMaster(DomainModelControllerService.java:938)
[Host Controller] at org.jboss.as.host.controller.DomainModelControllerService.boot(DomainModelControllerService.java:692)
[Host Controller] at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370)
[Host Controller] at java.lang.Thread.run(Thread.java:748)
[Host Controller] Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
[Host Controller]    DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:109)
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:446)
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
[Host Controller] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
[Host Controller] at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
[Host Controller] at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
[Host Controller] at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
[Host Controller] at ...asynchronous invocation...(Unknown Source)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:570)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:532)
[Host Controller] at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:520)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionUtils.connect(ProtocolConnectionUtils.java:204)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionUtils.connectSync(ProtocolConnectionUtils.java:120)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection.lambda$openConnection$0(RemoteDomainConnection.java:223)
[Host Controller] at org.wildfly.common.context.Contextual.runExceptionAction(Contextual.java:108)
[Host Controller] at org.wildfly.security.auth.client.AuthenticationContext.run(AuthenticationContext.java:268)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection.openConnection(RemoteDomainConnection.java:223)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection$InitialConnectTask.connect(RemoteDomainConnection.java:592)
[Host Controller] at org.jboss.as.protocol.ProtocolConnectionManager.connect(ProtocolConnectionManager.java:70)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnection.connect(RemoteDomainConnection.java:147)
[Host Controller] at org.jboss.as.host.controller.RemoteDomainConnectionService.register(RemoteDomainConnectionService.java:288)
[Host Controller] ... 4 more
[Host Controller] Suppressed: javax.security.sasl.SaslException: DIGEST-MD5: Server rejected authentication
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.handleEvent(ClientConnectionOpenListener.java:736)
[Host Controller] at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.handleEvent(ClientConnectionOpenListener.java:578)
[Host Controller] at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
[Host Controller] at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
[Host Controller] at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
[Host Controller] at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
[Host Controller]
[Host Controller] 09:07:26,169 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0147: No domain controller discovery options remain.
[Host Controller] 09:07:26,169 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0002: Could not connect to master. Error was: java.lang.IllegalStateException: WFLYHC0120: Tried all domain controller discovery option(s) but unable to connect
[Host Controller] 09:07:26,170 FATAL [org.jboss.as.host.controller] (Controller Boot Thread) WFLYHC0178: Aborting with exit code 99

After poking around a bit I found the slave makes a connection with this
bit of host-slave.xml:

    <domain-controller>
        <remote username="$local" security-realm="ManagementRealm">
            <discovery-options>
                <static-discovery name="primary"
                                  protocol="${jboss.domain.master.protocol:remote}"
                                  host="${jboss.domain.master.address:192.168.33.10}"
                                  port="${jboss.domain.master.port:9999}"/>
            </discovery-options>
        </remote>
    </domain-controller>


I changed $local to admin and it connects fine. But if I understand
WildFly, then you shouldn't need to specify a username at all, and the
remote server will interpret $local (or none) as the local default user,
which would be "admin".
I tried leaving out the username and that didn't work either.

Have I managed to configure my user wrong on the master somehow? I used
this command (and obviously have the correct secret in the host-slave.xml):

bin/add-user.sh -u admin -p password -r ManagementRealm -ds -e


Or is this actually expected behaviour?

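An added check for the situation described in this post (example code written for this page, not the poster's or WildFly's own): it parses a host-slave.xml built from the fragment quoted above, resolves the `${jboss.domain.master.*:default}` expressions the way a system-property override would, and verifies that the base64 `<secret value="..."/>` under the ManagementRealm server-identities matches the password given to add-user.sh (`-ds -e` prints the password base64-encoded; "password" becomes `cGFzc3dvcmQ=`). The XML document and the `props` dictionary standing in for JVM system properties are constructed assumptions; the username finding only records what the post reports, that `$local` did not authenticate against a remote master while an explicit user did.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed host-slave.xml, modelled on the <domain-controller> fragment in the post.
# The secret value is what add-user.sh -ds -e prints for the password "password".
HOST_SLAVE_XML = """<host xmlns="urn:jboss:domain:5.0" name="slave">
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <secret value="cGFzc3dvcmQ="/>
                </server-identities>
            </security-realm>
        </security-realms>
    </management>
    <domain-controller>
        <remote username="$local" security-realm="ManagementRealm">
            <discovery-options>
                <static-discovery name="primary"
                                  protocol="${jboss.domain.master.protocol:remote}"
                                  host="${jboss.domain.master.address:192.168.33.10}"
                                  port="${jboss.domain.master.port:9999}"/>
            </discovery-options>
        </remote>
    </domain-controller>
</host>
"""

# WildFly expression syntax: ${property} or ${property:default}
EXPR = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")


def resolve(value, props):
    """Replace ${prop:default} expressions; `props` stands in for -D system properties."""
    def sub(match):
        name, default = match.group(1), match.group(2)
        if name in props:
            return props[name]
        if default is None:
            raise KeyError(f"no value and no default for ${{{name}}}")
        return default
    return EXPR.sub(sub, value)


def _local(tag):
    """Strip the XML namespace so we can match on element names."""
    return tag.rsplit("}", 1)[-1]


def parse_domain_controller(xml_text, props=None):
    """Return the resolved remote domain-controller settings of a slave host config."""
    props = props or {}
    root = ET.fromstring(xml_text)
    remote = next(e for e in root.iter() if _local(e.tag) == "remote")
    disco = next(e for e in remote.iter() if _local(e.tag) == "static-discovery")
    return {
        "username": remote.get("username"),
        "realm": remote.get("security-realm"),
        "protocol": resolve(disco.get("protocol"), props),
        "host": resolve(disco.get("host"), props),
        "port": int(resolve(disco.get("port"), props)),
    }


def realm_secret(xml_text, realm):
    """Return the server-identity <secret value="..."/> of the named security realm."""
    root = ET.fromstring(xml_text)
    for sr in root.iter():
        if _local(sr.tag) == "security-realm" and sr.get("name") == realm:
            secret = next((e for e in sr.iter() if _local(e.tag) == "secret"), None)
            return None if secret is None else secret.get("value")
    return None


def secret_matches_password(secret_value, password):
    """The slave secret is the plain password base64-encoded, as add-user.sh -ds prints it."""
    return base64.b64decode(secret_value) == password.encode("utf-8")


def check_slave_config(xml_text, password, props=None):
    """Collect the facts a practitioner wants before blaming the master's user setup."""
    dc = parse_domain_controller(xml_text, props)
    secret = realm_secret(xml_text, dc["realm"])
    findings = []
    if secret is None:
        findings.append(f"realm {dc['realm']} has no server-identity secret")
    elif not secret_matches_password(secret, password):
        findings.append("secret in host-slave.xml does not match the add-user password")
    if dc["username"] in (None, "$local"):
        findings.append("username is absent or $local; the post reports only an explicit "
                        "user authenticated against the remote master")
    return {"domain_controller": dc, "secret_ok": not any("secret" in f for f in findings),
            "findings": findings}


if __name__ == "__main__":
    report = check_slave_config(HOST_SLAVE_XML, "password")
    print(report["domain_controller"])
    for finding in report["findings"]:
        print("-", finding)
```

Run it with the password that was given to add-user.sh; a mismatched secret shows up as a finding before any change to the master is attempted, and passing `props={"jboss.domain.master.address": "..."}` reproduces what a `-Djboss.domain.master.address=...` override would resolve to.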
