[keycloak-user] Authentication with Kerberos and login screen fallback

Fox, Kevin M Kevin.Fox at pnnl.gov
Thu Feb 28 15:42:17 EST 2019

It's unfortunately part of the SPNEGO protocol: https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/cwlp_spnego.html

The server responds with a 401 and then the browser tries authenticating with Kerberos. The server has no idea if the client trusts it for Kerberos or not until after the 401 and then a negotiation is started.

Best bet would be to somehow configure it as one possible login button that a user could choose.

From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Janik [janik-keycloak at familie-krallmann.de]
Sent: Thursday, February 28, 2019 11:53 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Authentication with Kerberos and login screen  fallback

Hello guys,

I have a web application where I'd like to use Keycloak for
authentication. If possible the user should login via Kerberos. If not
use login screen.

On my computer I have a valid Kerberos ticket and the login works fine.
If I try to login for example from another device I always get the
error-code 401. I expected to get the login screen instead. If I
configure the trusted-uris on this device the login screen appears.

I successfully configured an LDAP User Federation provider with Kerberos
integration. I used these instructions
to create the authentication flows.

Is it possible to use Kerberos authentication from known devices and use
the login screen from unknown devices where I can't configure
trusted-uris? One example could be my mobile phone where I'm not able to
configure something.

Thanks in advance.

keycloak-user mailing list
keycloak-user at lists.jboss.org
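
The first leg of the exchange described in the reply above, modelled in Python as an added example; it is not part of the thread and not Keycloak code. The function names, the placeholder login form, the fallback policy and the sample tokens are assumptions constructed for illustration.

```python
import base64

NTLM_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER encoding of OID 1.3.6.1.5.5.2
LOGIN_FORM = "<form method='post'>username / password</form>"  # placeholder page

# Constructed sample tokens: only the leading bytes, not real tickets.
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()
SAMPLE_NTLM = base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00").decode()

def classify_token(b64):
    """Classify a Negotiate token as 'spnego', 'ntlm' or 'unknown'."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "unknown"
    if raw.startswith(NTLM_SIG):
        return "ntlm"
    # SPNEGO initial token: [APPLICATION 0] tag (0x60), then the SPNEGO OID.
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        return "spnego"
    return "unknown"

def server_step(headers):
    """Return (decision, response); response is (status, headers, body) or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "negotiate":
        # Nothing in the request says whether this client can do Kerberos,
        # so every client gets the same challenge. The body is what a browser
        # that does not answer the challenge can still render.
        return "challenge", (401, {"WWW-Authenticate": "Negotiate"}, LOGIN_FORM)
    if classify_token(token.strip()) == "spnego":
        return "validate-kerberos", None  # hand the token to the Kerberos layer
    # Assumed policy of this example: NTLM or junk gets the form, no re-challenge.
    return "form-fallback", (200, {}, LOGIN_FORM)

def browser_step(response, site_trusted, token_b64):
    """Model a browser: answer the challenge only for a trusted site."""
    status, hdrs, _body = response
    if status == 401 and hdrs.get("WWW-Authenticate") == "Negotiate" and site_trusted:
        return {"Authorization": "Negotiate " + token_b64}
    return None  # no retry in this model; the browser shows the 401 body

if __name__ == "__main__":
    decision, resp = server_step({})
    for trusted in (True, False):
        retry = browser_step(resp, trusted, SAMPLE_SPNEGO)
        print(trusted, server_step(retry)[0] if retry else "browser renders 401 body")
```

Both clients receive the identical 401; only the trusted one comes back with a token, which is why the server cannot choose the login form up front.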
