[keycloak-user] Reverse Proxy Keycloak - Kerberos SPNEGO breaks
Ryan Slominski
ryans at jlab.org
Thu Jul 11 16:44:25 EDT 2019
Hi all,
Any tips setting up Kerberos SPNEGO with Keycloak if Keycloak is reverse proxied? I have everything working if I access the Keycloak host directly, but if I access via a reverse proxy the SPNEGO doesn't work. I assume this has to do with Kerberos SPNEGO strict hostname and principal naming. I have even tried setting the password/key (and kvno) the same for both HTTP/proxy.example.com and HTTP/keycloak.example.com principals. I've also updated the /etc/krb5.conf libdefaults ignore_acceptor_hostname = true, but that seems to be ignored by Keycloak. In fact, Keycloak appears to require a hard-coded principal name, which isn't going to match the requested service principal name when requests go through the reverse proxy. Has anyone dealt with this before?
Oddly, this isn't a problem for Windows Active Directory principals / SPNs (Microsoft implementation) - if setspn.exe configures the same principal for both hostnames. Just MIT Kerberos KDC and principals seem to have a problem with reverse proxies (Red Hat Identity Manager / FreeIPA wrapper around MIT Kerberos).
Ryan
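A diagnostic that helps pin down the mismatch described above, added here as an example and not code from the mailing-list post, Keycloak, or MIT Kerberos: the realm and service principal name (sname) of a Kerberos service ticket are carried in the clear inside the AP-REQ, so the `Authorization: Negotiate <base64>` header a browser sends through the proxy can be decoded to see whether the ticket names `HTTP/proxy.example.com` or `HTTP/keycloak.example.com`, and compared with the principal the acceptor is configured for. The script uses only the standard library and a small DER walker (single-byte tags, which is all Kerberos and SPNEGO use). The realm `EXAMPLE.COM`, the `build_sample_negotiate_header` builder and its zero-filled encrypted parts are constructed test input and assumptions for illustration; they are not a real ticket and cannot authenticate anything.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (legacy Microsoft)


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV with a single-byte tag; return (tag, value, end position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(buf: bytes):
    """[(tag, value), ...] for the elements packed inside a constructed value."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        out.append((tag, val))
    return out


def requested_spn(negotiate_header: str):
    """Return (realm, 'service/host') from the ticket in an 'Authorization: Negotiate'
    value, or None if the token carries no Kerberos AP-REQ (e.g. NTLM inside SPNEGO).
    These are the ticket's plaintext fields: they show what the client asked for, not
    that the ticket is valid, so this is a diagnostic, never an authorization check."""
    scheme, _, b64 = negotiate_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = der_read(base64.b64decode(b64))
    if tag != 0x60:                            # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    _, mech_oid, pos = der_read(body)
    if mech_oid == SPNEGO_OID:
        tag, neg_init, _ = der_read(body, pos)
        if tag != 0xA0:                        # only negTokenInit [0] carries an AP-REQ
            return None
        _, seq, _ = der_read(neg_init)
        fields = dict(der_children(seq))
        if 0xA2 not in fields:                 # mechToken [2] absent
            return None
        _, inner, _ = der_read(fields[0xA2])   # OCTET STRING holding the inner GSS token
        if not inner.startswith(b"\x60"):      # e.g. a raw NTLMSSP blob
            return None
        _, body, _ = der_read(inner)
        _, mech_oid, pos = der_read(body)
    if mech_oid not in (KRB5_OID, MS_KRB5_OID) or body[pos:pos + 2] != b"\x01\x00":
        return None                            # not Kerberos, or TOK_ID is not KRB_AP_REQ
    tag, ap_req, _ = der_read(body, pos + 2)
    if tag != 0x6E:                            # [APPLICATION 14] AP-REQ
        raise ValueError("expected AP-REQ")
    _, seq, _ = der_read(ap_req)
    _, ticket, _ = der_read(dict(der_children(seq))[0xA3])   # ticket [3] -> [APPLICATION 1]
    _, tseq, _ = der_read(ticket)
    t_fields = dict(der_children(tseq))
    _, realm, _ = der_read(t_fields[0xA1])                   # realm [1] GeneralString
    _, pname, _ = der_read(t_fields[0xA2])                   # sname [2] PrincipalName
    _, names, _ = der_read(dict(der_children(pname))[0xA1])  # name-string [1] SEQUENCE OF
    parts = [v.decode("ascii") for _, v in der_children(names)]
    return realm.decode("ascii"), "/".join(parts)


def spn_matches_acceptor(negotiate_header: str, acceptor_principal: str) -> bool:
    """True when the ticket's SPN equals the principal the acceptor is configured with."""
    found = requested_spn(negotiate_header)
    return found is not None and f"{found[1]}@{found[0]}" == acceptor_principal


# --- builder for constructed test input (not a real ticket; encrypted parts are zeros) ---
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


ctx = lambda n, c: der(0xA0 | n, c)          # explicit context tag [n]
gs = lambda s: der(0x1B, s.encode("ascii"))  # KerberosString (GeneralString)
uint = lambda v: der(0x02, bytes([v]))       # small non-negative INTEGER


def build_sample_negotiate_header(realm: str, spn: str, spnego: bool = True) -> str:
    """Constructed: SPNEGO negTokenInit (or raw Kerberos token) wrapping a placeholder AP-REQ."""
    enc = der(0x30, ctx(0, uint(18)) + ctx(2, der(0x04, b"\x00" * 16)))   # EncryptedData
    sname = der(0x30, ctx(0, uint(2)) + ctx(1, der(0x30, b"".join(gs(p) for p in spn.split("/")))))
    ticket = der(0x61, der(0x30, ctx(0, uint(5)) + ctx(1, gs(realm)) + ctx(2, sname) + ctx(3, enc)))
    ap_req = der(0x6E, der(0x30, ctx(0, uint(5)) + ctx(1, uint(14)) + ctx(2, der(0x03, b"\x00" * 5))
                           + ctx(3, ticket) + ctx(4, enc)))
    krb = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + ap_req)
    token = krb if not spnego else der(0x60, der(0x06, SPNEGO_OID) + ctx(0, der(0x30,
        ctx(0, der(0x30, der(0x06, KRB5_OID))) + ctx(2, der(0x04, krb)))))
    return "Negotiate " + base64.b64encode(token).decode("ascii")
```

In practice, copy the `Authorization` header value from the browser's developer tools (or from the proxy's access log if it records it) and pass it to `requested_spn`; if the SPN it returns is `HTTP/proxy.example.com` while the acceptor is configured for `HTTP/keycloak.example.com`, that is the mismatch, independent of whether the two principals share a key and kvno. Because the sname is unauthenticated until the encrypted part is verified with the acceptor's key, the function is useful only for diagnosis and logging, not for any access decision.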