[keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

Chris Smith chris.smith at cmfirstgroup.com
Wed Feb 6 13:17:02 EST 2019


So I made a small addition and stepped through the authenticate method

    // Method from Keycloak's KerberosUsernamePasswordAuthenticator; the marked lines are my addition.
    // Needs: import javax.security.auth.Subject; import javax.security.auth.kerberos.KerberosTicket;
    public Subject authenticateSubject(String username, String password) throws LoginException {
        String principal = getKerberosPrincipal(username);

        logger.debug("Validating password of principal: " + principal);
        loginContext = new LoginContext("does-not-matter", null, createJaasCallbackHandler(principal, password),
            createJaasConfiguration());

        loginContext.login();
        logger.debug("Principal " + principal + " authenticated successfully");
        // added: list the Kerberos tickets the JAAS login placed in the Subject
        Subject subject = loginContext.getSubject();
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println(ticket.getClient().getName());
        }
        return subject;
    }

The subject that is gotten from the loginContext has one KerberosTicket private credential.

Googling has not given me any insight on where I go from here.

Do you have any suggestions?

-----Original Message-----
From: Marek Posolda <mposolda at redhat.com> 
Sent: Tuesday, January 29, 2019 4:07 AM
To: Dmitry Telegin <dt at acutus.pro>; Chris Smith <chris.smith at cmfirstgroup.com>; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain

+1

GSSCredential is used just during SPNEGO authentication. You may possibly change the built-in authentication flows or userStorage provider, so that after verification with username/password, the GSSCredential will be somehow obtained from the JAAS Subject used for the authentication (See class KerberosUsernamePasswordAuthenticator for the details).

However I am not sure if this is really possible and it will require some more deep-dive into the Keycloak codebase and Kerberos implementation in JDK... Just a hint...

Marek

On 28/01/2019 07:21, Dmitry Telegin wrote:
> Hello Chris,
>
> AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.
>
> Cheers,
> Dmitry
>
> On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> Does anyone have feedback about getting a delegated GSSCredential?
>>
>> -----Original Message-----
>> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Chris Smith
>> Sent: Wednesday, January 23, 2019 10:12 PM
>> To: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
>>
>> Here is a Diagram of what I'm trying to do
>>
>> From: Chris Smith
>> Sent: Wednesday, January 23, 2019 8:08 AM
>> To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
>> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>>
>> I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.
>>
>> I can get a Delegated GSSCredential when the SPNEGO enabled browser runs on a workstation in the AD domain.
>> When the browser workstation is not a member of the AD Domain, Keycloak will authenticate the user id and password entered on the keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>>
>> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>>
>> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>>
>> Can Keycloak put a GSSCredential for the logged in user in the Access Token when SPNEGO is not available from the browser?
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
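Editor's added example, not code from the thread or from Keycloak: Marek's hint is that after the username/password JAAS login the Subject holds a Kerberos TGT (Chris's loop above confirms one KerberosTicket private credential), and the JDK's GSS-API can turn that Subject into an initiator GSSCredential by calling GSSManager.createCredential inside Subject.doAs. The class name SubjectGssCredential and the helper method are assumptions; the Subject is the one returned by loginContext.getSubject(). The Kerberos mechanism OID 1.2.840.113554.1.2.2 is the public RFC 1964 value.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Hypothetical helper (not part of Keycloak): derive a GSSCredential from a JAAS Subject
// that already carries a Kerberos TGT obtained via a username/password Krb5LoginModule login.
public final class SubjectGssCredential {

    // Kerberos V5 GSS-API mechanism OID, as defined in RFC 1964.
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    private SubjectGssCredential() {}

    // Returns true when the Subject holds at least one unexpired Kerberos ticket.
    public static boolean hasCurrentTicket(Subject subject) {
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (ticket.isCurrent()) {
                return true;
            }
        }
        return false;
    }

    // Returns true when the Subject's tickets are forwardable, i.e. usable to delegate
    // the user's identity onward to a service such as an IBM i host.
    public static boolean hasForwardableTicket(Subject subject) {
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (ticket.isCurrent() && ticket.isForwardable()) {
                return true;
            }
        }
        return false;
    }

    // Builds an initiator-only GSSCredential backed by the Subject's TGT.
    // Relies on the JDK default javax.security.auth.useSubjectCredsOnly=true, which makes
    // the Krb5 mechanism look up credentials in the Subject of the current access-control context.
    public static GSSCredential fromSubject(Subject subject) throws GSSException {
        if (!hasCurrentTicket(subject)) {
            // Fail early with a clear message rather than an opaque GSSException later.
            throw new IllegalStateException("Subject holds no current KerberosTicket");
        }
        try {
            return Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () -> {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5 = new Oid(KRB5_MECH_OID);
                // INITIATE_ONLY: the credential can open contexts to a service but never accept
                // them, which is the least privilege a downstream caller needs.
                return manager.createCredential(
                        null,                             // null name = the Subject's own principal
                        GSSCredential.DEFAULT_LIFETIME,
                        krb5,
                        GSSCredential.INITIATE_ONLY);
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof GSSException) {
                throw (GSSException) cause;
            }
            throw new IllegalStateException("Could not create GSSCredential from Subject", cause);
        }
    }
}
```

Two caveats a practitioner would want. First, a credential built this way is the user's own initiator credential derived from the password login, not a credential delegated by the browser through SPNEGO; whether the IBM i accepts it depends on the ticket being forwardable and on the service ticket for the IBM i being obtainable from the same KDC, which is why the block exposes hasForwardableTicket for a pre-flight check. Second, a GSSCredential wraps secret key material and should stay in server-side session state for the duration of the request rather than being serialized into an access token that travels to the client.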