[keycloak-user] Kerberos login and multinode clustered mode
Daniel Fernández Rodríguez
daniel.fernandez at cern.ch
Tue Oct 15 05:45:59 EDT 2019
Hello everyone,
I followed the steps described in the docs
(https://www.keycloak.org/docs/latest/server_admin/index.html#_kerberos)
to configure Kerberos login (Active Directory as LDAP Federation
Provider) with Keycloak 7.0.0. All good till here.
Recently we enabled clustered mode for Keycloak, so now we have some
haproxy servers loadbalancing all traffic to our Keycloak servers
(configured with proxy-address-forwarding="true"). All Keycloak servers
share the same MySQL database.
If we only have ONE Keycloak server (even if it is configured as
clustered), Kerberos **works** fine.
If we add more servers under the haproxy, Kerberos starts failing with a
generic: "Failed to make identity provider oauth callback:
org.keycloak.broker.provider.IdentityBrokerException: No access_token
from server."
This is the actual trace of why I am getting this [*]
So it seems that the actual SPNEGO flow works fine but then Keycloak
does not know how to proceed.
Any ideas/suggestions will be much appreciated!
Thanks!
Daniel.
[*]
standalone.sh[3887]: 09:39:59,704 INFO [stdout] (default task-2) principal is keycloakbind@PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,704 INFO [stdout] (default task-2) Will use keytab
standalone.sh[3887]: 09:39:59,705 INFO [stdout] (default task-2) Commit Succeeded
standalone.sh[3887]: 09:39:59,705 INFO [stdout] (default task-2)
standalone.sh[3887]: 09:39:59,721 INFO [stdout] (default task-2) Found KeyTab /var/keycloak/keycloakbind.keytab for keycloakbind@PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,721 INFO [stdout] (default task-2) Found KeyTab /var/keycloak/keycloakbind.keytab for keycloakbind@PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,724 INFO [stdout] (default task-2) Found KeyTab /var/keycloak/keycloakbind.keytab for keycloakbind@PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,724 INFO [stdout] (default task-2) Found KeyTab /var/keycloak/keycloakbind.keytab for keycloakbind@PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,728 INFO [stdout] (default task-2) Entered SpNegoContext.acceptSecContext with state=STATE_NEW
standalone.sh[3887]: 09:39:59,734 INFO [stdout] (default task-2) SpNegoContext.acceptSecContext: receiving token = a0 82 0d 20 30 82 0d 1c a0 0d 30 0b 06 09 2a 86 48 86 f7 12 01 02 02 a2 89 .......... (truncated)
standalone.sh[3887]: 09:39:59,735 INFO [stdout] (default task-2) SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
standalone.sh[3887]: 09:39:59,735 INFO [stdout] (default task-2) SpNegoToken NegTokenInit: reading Mech Token
standalone.sh[3887]: 09:39:59,735 INFO [stdout] (default task-2) SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
standalone.sh[3887]: 09:39:59,736 INFO [stdout] (default task-2) SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
standalone.sh[3887]: 09:39:59,737 INFO [stdout] (default task-2) Entered Krb5Context.acceptSecContext with state=STATE_NEW
standalone.sh[3887]: 09:39:59,751 INFO [stdout] (default task-2) Java config name: null
standalone.sh[3887]: 09:39:59,751 INFO [stdout] (default task-2) Native config name: /etc/krb5.conf
standalone.sh[3887]: 09:39:59,753 INFO [stdout] (default task-2) Loaded from native config
standalone.sh[3887]: 09:39:59,756 INFO [stdout] (default task-2) >>> KeyTabInputStream, readName(): PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,757 INFO [stdout] (default task-2) >>> KeyTabInputStream, readName(): keycloakbind
standalone.sh[3887]: 09:39:59,757 INFO [stdout] (default task-2) >>> KeyTab: load() entry length: 58; type: 23
standalone.sh[3887]: 09:39:59,758 INFO [stdout] (default task-2) >>> KeyTabInputStream, readName(): PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,758 INFO [stdout] (default task-2) >>> KeyTabInputStream, readName(): keycloakbind
standalone.sh[3887]: 09:39:59,758 INFO [stdout] (default task-2) >>> KeyTab: load() entry length: 74; type: 18
standalone.sh[3887]: 09:39:59,758 INFO [stdout] (default task-2) Looking for keys for: keycloakbind@PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,760 INFO [stdout] (default task-2) Added key: 18version: 1
standalone.sh[3887]: 09:39:59,760 INFO [stdout] (default task-2) Added key: 23version: 1
standalone.sh[3887]: 09:39:59,761 INFO [stdout] (default task-2) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
standalone.sh[3887]: 09:39:59,771 INFO [stdout] (default task-2) Using builtin default etypes for permitted_enctypes
standalone.sh[3887]: 09:39:59,772 INFO [stdout] (default task-2) default etypes for permitted_enctypes: 18 17 16 23.
standalone.sh[3887]: 09:39:59,772 INFO [stdout] (default task-2) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
standalone.sh[3887]: 09:39:59,775 INFO [stdout] (default task-2) MemoryCache: add 1571125199/647271/3627E91725D84CEF5E2AEDF8FE669315/danielfr@PLACEHOLDER.COM to danielfr@PLACEHOLDER.COM|HTTP/kc-loadbalancer-XX.placeholder.com@PLACEHOLDER.COM
standalone.sh[3887]: 09:39:59,776 INFO [stdout] (default task-2) >>> KrbApReq: authenticate succeed.
standalone.sh[3887]: 09:39:59,778 INFO [stdout] (default task-2) Krb5Context setting peerSeqNumber to: 193114067
standalone.sh[3887]: 09:39:59,779 INFO [stdout] (default task-2) Krb5Context setting mySeqNumber to: 193114067
standalone.sh[3887]: 09:39:59,783 INFO [stdout] (default task-2) >>> Constrained deleg from GSSCaller{UNKNOWN}
standalone.sh[3887]: 09:39:59,785 INFO [stdout] (default task-2) SPNEGO Negotiated Mechanism = 1.2.840.113554.1.2.2 Kerberos V5
standalone.sh[3887]: 09:39:59,785 INFO [stdout] (default task-2) SpNegoContext.acceptSecContext: mechanism wanted = 1.2.840.113554.1.2.2
standalone.sh[3887]: 09:39:59,785 INFO [stdout] (default task-2) SpNegoContext.acceptSecContext: negotiated result = ACCEPT_COMPLETE
standalone.sh[3887]: 09:39:59,786 INFO [stdout] (default task-2) SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
standalone.sh[3887]: 09:39:59,786 INFO [stdout] (default task-2) SpNegoContext.acceptSecContext: sending token = a1 14 30 12 a0 03 0a 01 00 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02
standalone.sh[3887]: 09:39:59,787 INFO [stdout] (default task-2) [Krb5LoginModule]: Entering logout
standalone.sh[3887]: 09:39:59,788 INFO [stdout] (default task-2) [Krb5LoginModule]: logged out Subject
standalone.sh[3887]: 09:39:59,970 WARN [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (default task-2) Truststore is disabled
standalone.sh[3887]: 09:40:00,286 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.
standalone.sh[3887]: at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:482)
standalone.sh[3887]: at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:350)
standalone.sh[3887]: at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:420)
standalone.sh[3887]: at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
standalone.sh[3887]: at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
standalone.sh[3887]: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
standalone.sh[3887]: at java.lang.reflect.Method.invoke(Method.java:498)
standalone.sh[3887]: at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370)
standalone.sh[3887]: at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:372)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:344)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
standalone.sh[3887]: at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
standalone.sh[3887]: at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:440)
standalone.sh[3887]: at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
standalone.sh[3887]: at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
standalone.sh[3887]: at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
standalone.sh[3887]: at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
standalone.sh[3887]: at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
standalone.sh[3887]: at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
standalone.sh[3887]: at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
standalone.sh[3887]: at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
standalone.sh[3887]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
standalone.sh[3887]: at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
standalone.sh[3887]: at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
standalone.sh[3887]: at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
standalone.sh[3887]: at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
standalone.sh[3887]: at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
standalone.sh[3887]: at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
standalone.sh[3887]: at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
standalone.sh[3887]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
standalone.sh[3887]: at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
standalone.sh[3887]: at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
standalone.sh[3887]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
standalone.sh[3887]: at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
standalone.sh[3887]: at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
standalone.sh[3887]: at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
standalone.sh[3887]: at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
standalone.sh[3887]: at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
standalone.sh[3887]: at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
standalone.sh[3887]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
standalone.sh[3887]: at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
standalone.sh[3887]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
standalone.sh[3887]: at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
standalone.sh[3887]: at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
standalone.sh[3887]: at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
standalone.sh[3887]: at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
standalone.sh[3887]: at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
standalone.sh[3887]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
standalone.sh[3887]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
standalone.sh[3887]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
standalone.sh[3887]: at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
standalone.sh[3887]: at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
standalone.sh[3887]: at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
standalone.sh[3887]: at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
standalone.sh[3887]: at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
standalone.sh[3887]: at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
standalone.sh[3887]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
standalone.sh[3887]: at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
standalone.sh[3887]: at java.lang.Thread.run(Thread.java:748)
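The two SPNEGO tokens printed in the trace can be decoded by hand to confirm what the trace states: the negotiation itself finished (negState accept-completed, mechanism Kerberos V5) before the later OIDC broker error. The block below is an added example, not code from the mail or from Keycloak; it is a minimal DER reader for the RFC 4178 NegTokenInit and NegTokenTarg structures. The two byte strings are copied from the log lines above and are the only inputs; the NegTokenInit is truncated in the log, so only its mechTypes prefix is read, and the outer lengths are deliberately not enforced for that token.

```python
"""Decode the SPNEGO tokens from the Keycloak trace (added example, not
part of the original mail or of Keycloak). RFC 4178 structures:

  NegTokenInit ::= [0] SEQUENCE { [0] mechTypes, [1] reqFlags,
                                  [2] mechToken, [3] mechListMIC }
  NegTokenTarg ::= [1] SEQUENCE { [0] negState, [1] supportedMech,
                                  [2] responseToken, [3] mechListMIC }
"""
from typing import Dict, List, Tuple

# Inputs copied from the log lines (Java prints the token without its
# outer GSS-API framing). The first one is truncated in the log.
NEG_TOKEN_INIT_PREFIX = bytes.fromhex(
    "a0 82 0d 20 30 82 0d 1c a0 0d 30 0b 06 09 2a 86 48 86 f7 12 01 02 02 a2 89")
NEG_TOKEN_TARG = bytes.fromhex(
    "a1 14 30 12 a0 03 0a 01 00 a1 0b 06 09 2a 86 48 86 f7 12 01 02 02")

KRB5_OID = "1.2.840.113554.1.2.2"
MECH_NAMES = {KRB5_OID: "Kerberos V5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
              "1.2.840.48018.1.2.2": "MS KRB5 (legacy OID)"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete",
             2: "reject", 3: "request-mic"}


def read_header(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Read a DER tag and length at buf[pos:]; return (tag, length,
    value_start). Only the header itself has to be present."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad or truncated long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read a complete tag-length-value; return (tag, value, next_pos)."""
    tag, length, start = read_header(buf, pos)
    if start + length > len(buf):
        raise ValueError(f"truncated value: need {length}, have {len(buf) - start}")
    return tag, buf[start:start + length], start + length


def decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value (base-128 arcs) into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_neg_token_init_mechs(token: bytes) -> List[str]:
    """Return the mechTypes list of a NegTokenInit. The outer [0] and
    SEQUENCE lengths are read but not enforced, so a token cut off after
    mechTypes (as in the log) still decodes."""
    tag, _, pos = read_header(token, 0)
    if tag != 0xA0:
        raise ValueError(f"expected NegTokenInit [0], got tag 0x{tag:02x}")
    tag, _, pos = read_header(token, pos)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, mech_types, _ = read_tlv(token, pos)
    if tag != 0xA0:
        raise ValueError("mechTypes [0] missing")
    tag, seq, _ = read_tlv(mech_types, 0)
    mechs, p = [], 0
    while p < len(seq):                   # SEQUENCE OF OID, client's preference order
        tag, oid, p = read_tlv(seq, p)
        if tag != 0x06:
            raise ValueError("non-OID inside mechTypes")
        mechs.append(decode_oid(oid))
    return mechs


def decode_neg_token_targ(token: bytes) -> Dict[str, object]:
    """Decode the acceptor's NegTokenTarg; lengths are fully enforced."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0xA1:
        raise ValueError(f"expected NegTokenTarg [1], got tag 0x{tag:02x}")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out: Dict[str, object] = {}
    p = 0
    while p < len(seq):
        tag, val, p = read_tlv(seq, p)
        inner_tag, inner, _ = read_tlv(val, 0)
        if tag == 0xA0 and inner_tag == 0x0A:      # negState ENUMERATED
            out["negState"] = NEG_STATE.get(inner[0], f"unknown({inner[0]})")
        elif tag == 0xA1 and inner_tag == 0x06:    # supportedMech OID
            out["supportedMech"] = decode_oid(inner)
        elif tag == 0xA2:                          # responseToken OCTET STRING
            out["responseToken"] = inner
        elif tag == 0xA3:                          # mechListMIC OCTET STRING
            out["mechListMIC"] = inner
    return out


def spnego_completed(targ: bytes) -> bool:
    """True when the reply closes the negotiation with Kerberos V5."""
    t = decode_neg_token_targ(targ)
    return t.get("negState") == "accept-completed" and t.get("supportedMech") == KRB5_OID


if __name__ == "__main__":
    mechs = decode_neg_token_init_mechs(NEG_TOKEN_INIT_PREFIX)
    print("client offered:", [f"{m} ({MECH_NAMES.get(m, '?')})" for m in mechs])
    print("server replied:", decode_neg_token_targ(NEG_TOKEN_TARG))
    print("SPNEGO completed:", spnego_completed(NEG_TOKEN_TARG))
```

Run as a script it prints the client's offered mechanism list (only Kerberos V5), the decoded reply with negState accept-completed and supportedMech 1.2.840.113554.1.2.2, and no responseToken, which matches the "negotiated result = ACCEPT_COMPLETE" line. That places the failure reported in the mail after the SPNEGO step; the stack trace shows it raised inside the OIDC identity-broker callback (OIDCIdentityProvider.verifyAccessToken), so that is the stage to examine for a multi-node deployment behind the load balancer.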