Defective token detected (Mechanism level: GSSHeader did not find the right tag

Hello there, I installed the Keycloak server and generated a keytab on my Windows server machine. I also configured Kerberos auth in the Keycloak web server, and after trying to auth via Kerberos I get this kind of error:
WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-26) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.federation.kerberos.KerberosFederationProvider.authenticate(Kerberos
BTW, I used this keytab to get auth in the krb client; it says it's good and auth gets authenticated by krbv5.

Any advice? Help please =)

Hi,

I got the same error, same scenario.

Did you solve the problem? How?

No( I didn't.
Just decided to use LDAPS instead of Kerberos...
Sorry bro

I wouldn't bother with this error too much; I got it as well, even when I had Kerberos working on my Keycloak instance. Can you please check that your Kerberos provider has the same ServicePrincipalName you configured in your Kerberos configuration and in your keytab, and that it is registered to the same object as the binding for the keytab?

It means that Kerberos failed and the client tries to use NTLM instead, which Keycloak doesn't support.

You need to check why it fails; you can use Wireshark or any other tools.
My problem was that when I was trying to log in via Kerberos, it popped up a login box.
So I started to troubleshoot Kerberos using Wireshark; you can see an example here: https://support.google.com/gsa/answer/6055171?hl=en#:~:text=To%20verify%20Kerberos%20is%20used,-Authenticate%3A%20Negotiate%20HTTP%20header.

You just need to install Wireshark and put "kerberos" in the filter. In Wireshark I saw that it gave me KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; after googling this error I found my problem:

Make sure that the URL "https://" and the hostname that you use for the SPN "HTTP/" are configured in that part.

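The NTLM fallback described in the post above can be confirmed directly from the request that fails, without a packet capture. The following is an added example (not from this thread and not Keycloak code) that decodes the value of an Authorization: Negotiate header and reports whether the client sent a SPNEGO, raw Kerberos or NTLM token. A GSS-API InitialContextToken (RFC 2743) starts with the DER tag 0x60 followed by the mechanism OID, whereas an NTLMSSP message starts with the bytes "NTLMSSP\0"; Java's GSS layer checks that leading tag, which is where the message "GSSHeader did not find the right tag" comes from. The sample headers are constructed here and the inner mechanism tokens are placeholders; only the outer header is inspected.

```python
import base64
import struct

# Constants from the GSS-API / SPNEGO / NTLMSSP specifications (not from the thread).
GSS_APP0_TAG = 0x60                              # [APPLICATION 0] CONSTRUCTED, RFC 2743 section 3.1
OID_TAG = 0x06
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2 (RFC 4178)
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2 (RFC 4121)
NTLM_SIGNATURE = b"NTLMSSP\x00"                  # MS-NLMP message signature


def _der_length(n: int) -> bytes:
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def classify_negotiate_token(header_value: str) -> str:
    """Classify the token in an 'Authorization: Negotiate <base64>' header value.

    Returns 'SPNEGO', 'KRB5', 'NTLM' or 'UNKNOWN'. Only the outer GSS header is
    parsed; the inner mechanism token is not validated.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "UNKNOWN"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "UNKNOWN"
    if token.startswith(NTLM_SIGNATURE):
        return "NTLM"
    # RFC 2743 InitialContextToken: 0x60 <len> 0x06 <oidlen> <oid> <mechanism token>
    if len(token) < 2 or token[0] != GSS_APP0_TAG:
        return "UNKNOWN"
    try:
        _, pos = _read_der_length(token, 1)
        if token[pos] != OID_TAG:
            return "UNKNOWN"
        oid_len, pos = _read_der_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (IndexError, ValueError):
        return "UNKNOWN"
    if oid == SPNEGO_OID:
        return "SPNEGO"
    if oid == KRB5_OID:
        return "KRB5"
    return "UNKNOWN"


def build_gss_token(mech_oid: bytes, mech_token: bytes) -> bytes:
    """Wrap mech_token in an RFC 2743 InitialContextToken header (used to build samples)."""
    body = bytes([OID_TAG]) + _der_length(len(mech_oid)) + mech_oid + mech_token
    return bytes([GSS_APP0_TAG]) + _der_length(len(body)) + body


def _header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers. The inner mechanism tokens are truncated placeholders,
# since only the outer header matters for the classification.
SAMPLE_HEADERS = {
    "spnego": _header(build_gss_token(SPNEGO_OID, b"\xa0\x03\x30\x01\x00")),
    "krb5": _header(build_gss_token(KRB5_OID, b"\x01\x00")),
    # NTLM NEGOTIATE_MESSAGE prefix: signature, MessageType=1, NegotiateFlags
    "ntlm": _header(NTLM_SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297)),
    "garbage": "Negotiate AAAA",
}

DIAGNOSIS = {
    "SPNEGO": "SPNEGO token: the client is on the Kerberos path; inspect the inner mechanism.",
    "KRB5": "raw Kerberos token: the client skipped SPNEGO but is still using Kerberos.",
    "NTLM": "NTLMSSP token: the client fell back to NTLM, so its ticket request failed "
            "(check SPN, FQDN and reverse DNS); Keycloak rejects it as a defective token.",
    "UNKNOWN": "neither a GSS-API nor an NTLM token.",
}


def diagnose(header_value: str) -> str:
    kind = classify_negotiate_token(header_value)
    return f"{kind}: {DIAGNOSIS[kind]}"


if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        print(f"{name:8s} -> {diagnose(hdr)}")
```

Feed it the header value from a browser's developer tools or from the reverse proxy's access log: a result of NTLM means the client never obtained a Kerberos service ticket, and the SPN/DNS checks later in this thread are where to look next.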

Still I have this issue, any solution for this?

Hi!

In my case the problem was a mismatch between the service user SPN in Active Directory and the FQDN of the host where the Keycloak server is located. The important items to pay attention to:

  • the SPN for a service user must match the FQDN of the server;
  • clients should use an FQDN in URLs (not short host names);
  • the IP address of the server in the DNS reverse zone should resolve exactly to the mentioned FQDN.

In our case we tried to use just an alias in DNS, and the SPN contained this alias. Clients also used this alias in their URLs; however, when asking the KDC for a service ticket they used the real server name (discovered from the DNS reverse zone). The KDC replied with the above-mentioned error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, and then they tried to authenticate to Keycloak via NTLM (which Keycloak does not support), resulting in the "Defective token detected" message.

Additional note: if it's really necessary to serve several FQDNs (for example, the real server name and an alias, or the node name and the cluster resource name in a cluster configuration), then it's necessary to:

  • create a separate service user for each FQDN, each with the appropriate SPN;
  • join together the keytab files for all these service users (as described, for example, here);
  • use this combined keytab file in Keycloak.
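The alias scenario and the multi-FQDN note above can be checked before touching the keytab. The following is an added example (not from this thread, not Keycloak or Kerberos library code) that models the client behaviour the post describes: follow the URL hostname through CNAMEs to an address, take the reverse-zone name of that address, and request HTTP/<that name>. It then compares the requested SPNs against the principals in the keytab. The DNS records, URLs and keytab principal lists are constructed; BROKEN_KEYTAB models the single alias SPN from the post and FIXED_KEYTAB models the combined keytab from the additional note. Treating the keytab's principal list as the set of SPNs registered in AD is a simplification made here.

```python
from urllib.parse import urlsplit

# Constructed lab DNS. Forward map: name -> IPv4 address or "CNAME:<target>".
# Reverse map: address -> PTR name. None of these names exist outside this example.
FORWARD = {
    "sso.example.test": "CNAME:kc01.example.test",   # alias used by clients
    "kc01.example.test": "10.0.0.5",                  # real server name
    "kc02.example.test": "10.0.0.6",
}
REVERSE = {
    "10.0.0.5": "kc01.example.test",
    "10.0.0.6": "kc02.example.test",
}

# Constructed keytab contents, as principal names.
BROKEN_KEYTAB = ["HTTP/sso.example.test@EXAMPLE.TEST"]            # alias SPN only
FIXED_KEYTAB = [                                                   # combined keytab
    "HTTP/sso.example.test@EXAMPLE.TEST",
    "HTTP/kc01.example.test@EXAMPLE.TEST",
    "HTTP/kc02.example.test@EXAMPLE.TEST",
]
CLIENT_URLS = [
    "https://sso.example.test/auth",     # alias, as in the post
    "https://kc02.example.test/auth",    # second node addressed directly
    "https://sso/auth",                  # short name, warned against above
]


def canonical_host(hostname: str, forward: dict, reverse: dict) -> str:
    """Name a client would put in the SPN: follow CNAMEs to an A record, then use the
    reverse-zone (PTR) name of that address, falling back to the A record's name.
    This models the behaviour described in the thread, not a specific Kerberos library."""
    name = hostname.lower().rstrip(".")
    seen = set()
    while name in forward and forward[name].startswith("CNAME:"):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = forward[name][len("CNAME:"):]
    addr = forward.get(name)
    if addr is None:
        raise ValueError(f"no A record for {name}")
    return reverse.get(addr, name)


def check_spn_coverage(urls, keytab_principals, forward, reverse) -> dict:
    """For each client URL, report the SPN the client will request and whether the
    keytab covers it. Comparison is case-insensitive and ignores the realm."""
    have = {p.split("@", 1)[0].lower() for p in keytab_principals}
    report = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        findings = []
        if "." not in host:
            findings.append("short hostname in URL; clients should use the FQDN")
        try:
            spn = f"HTTP/{canonical_host(host, forward, reverse)}"
        except ValueError as exc:
            report[url] = {"spn": None, "covered": False, "findings": findings + [str(exc)]}
            continue
        covered = spn.lower() in have
        if not covered:
            findings.append(f"{spn} is not in the keytab: the KDC would answer "
                            "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and the client would fall back to NTLM")
        report[url] = {"spn": spn, "covered": covered, "findings": findings}
    return report


if __name__ == "__main__":
    for label, keytab in (("alias-only keytab", BROKEN_KEYTAB), ("combined keytab", FIXED_KEYTAB)):
        print(f"== {label}")
        for url, row in check_spn_coverage(CLIENT_URLS, keytab, FORWARD, REVERSE).items():
            status = "ok" if row["covered"] else "FAIL"
            print(f"{status:4s} {url} -> {row['spn']} {row['findings']}")
```

With the alias-only keytab the first URL resolves to HTTP/kc01.example.test, which is exactly the mismatch the post describes; with the combined keytab both FQDN URLs are covered, while the short-name URL is still flagged because it cannot be canonicalised at all.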