[keycloak-user] Reverse Proxy Keycloak - Kerberos SPNEGO breaks

Ryan Slominski ryans at jlab.org
Thu Jul 11 16:44:25 EDT 2019


Hi all,
   Any tips on setting up Kerberos SPNEGO with Keycloak if Keycloak is reverse proxied? I have everything working if I access the Keycloak host directly, but if I access via a reverse proxy the SPNEGO doesn't work. I assume this has to do with Kerberos SPNEGO strict hostname and principal naming. I have even tried setting the password/key (and kvno) the same for both the HTTP/proxy.example.com and HTTP/keycloak.example.com principals. I've also updated the /etc/krb5.conf libdefaults ignore_acceptor_hostname = true, but that seems to be ignored by Keycloak. In fact, Keycloak appears to require a hard-coded principal name, which isn't going to match the requested service principal name when requests go through the reverse proxy. Has anyone dealt with this before?

Oddly, this isn't a problem for Windows Active Directory principals / SPNs (Microsoft implementation) if setspn.exe configures the same principal for both hostnames. Just the MIT Kerberos KDC and principals seem to have a problem with reverse proxies (Red Hat Identity Manager / FreeIPA wrapper around MIT Kerberos).

Ryan
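
The post says the same key and kvno were set on both HTTP/proxy.example.com and HTTP/keycloak.example.com. The script below is an added example, not code from the poster or from Keycloak: it builds a minimal MIT Kerberos keytab (file format 0x0502) in memory with entries for both principals, parses it back, and checks that the two SPNs really carry identical kvno, enctype and key bytes. The realm EXAMPLE.COM, kvno 3 and the key bytes are constructed sample values; the hostnames come from the post. Matching keys are only the precondition for either SPN decrypting the ticket; whether the acceptor also accepts the other principal name is a separate question that this check does not answer.

```python
# Added example (not from the original post or Keycloak): build, parse and
# cross-check an MIT keytab holding two HTTP/ service principals.
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_VERSION = b"\x05\x02"          # keytab format 2: big-endian fields
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18  # RFC 3962 enctype number
KRB5_NT_SRV_HST = 3                   # name type for service/host principals


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                timestamp: int = 0, name_type: int = KRB5_NT_SRV_HST) -> bytes:
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key             # keyblock
    body += struct.pack(">I", kvno)                                 # 32-bit vno
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key) tuples."""
    return KEYTAB_VERSION + b"".join(build_entry(*e) for e in entries)


def _read_counted(blob: bytes, off: int) -> Tuple[str, int]:
    (n,) = struct.unpack_from(">H", blob, off)
    return blob[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("only keytab format 0x0502 is handled, got %r" % blob[:2])
    entries, off = [], 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, off = _read_counted(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(blob, off)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        enctype, klen = struct.unpack_from(">HH", blob, off + 9)
        key = blob[off + 13:off + 13 + klen]
        off += 13 + klen
        kvno = vno8
        if end - off >= 4:          # 32-bit vno present; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", blob, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def spn_key_mismatches(entries: List[KeytabEntry], spns: List[str]) -> List[str]:
    """Every SPN must be present, and all must share the same set of
    (kvno, enctype, key); the first SPN is the reference. Empty list = OK."""
    by_principal = {}
    for e in entries:
        by_principal.setdefault(e.principal, set()).add((e.kvno, e.enctype, e.key))
    problems, reference = [], None
    for spn in spns:
        keys = by_principal.get(spn)
        if not keys:
            problems.append("missing: " + spn)
        elif reference is None:
            reference = keys
        elif keys != reference:
            problems.append("key material differs: " + spn)
    return problems


# Constructed sample data using the two hostnames from the post.
SAMPLE_SPNS = ["HTTP/proxy.example.com@EXAMPLE.COM",
               "HTTP/keycloak.example.com@EXAMPLE.COM"]
SAMPLE_KVNO = 3
SAMPLE_KEY = bytes(range(32))  # 32 predictable bytes standing in for an AES-256 key


def consistent_keytab() -> bytes:
    """Both SPNs share one key and kvno, the state the post describes setting up."""
    return build_keytab([(spn, SAMPLE_KVNO, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY)
                         for spn in SAMPLE_SPNS])


def drifted_keytab() -> bytes:
    """Constructed failure case: the proxy principal was re-keyed and its kvno bumped."""
    return build_keytab([
        (SAMPLE_SPNS[0], SAMPLE_KVNO + 1, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
         bytes(reversed(SAMPLE_KEY))),
        (SAMPLE_SPNS[1], SAMPLE_KVNO, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY),
    ])


if __name__ == "__main__":
    for label, blob in (("consistent", consistent_keytab()), ("drifted", drifted_keytab())):
        for e in parse_keytab(blob):
            print(f"{label}: {e.principal} kvno={e.kvno} enctype={e.enctype}")
        print(f"{label}: problems = {spn_key_mismatches(parse_keytab(blob), SAMPLE_SPNS)}")
```

Because `parse_keytab` reads the real on-disk format, it can be pointed at an actual file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` to compare the two HTTP/ entries byte for byte, which `klist -kte` cannot do since it prints kvno and enctype but never the key itself. Only the 0x0502 format is handled; the older 0x0501 layout uses native byte order and has no name_type field.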

