Defective token detected (Mechanism level: GSSHeader did not find the right tag

Hello there, i installed the keycloak server and generated some keytab on my win server machine. Also i configured the kerberos auth in keycloak web server, and after trying to auth via keberso getting this kind of errors:
WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-26) SPNEGO login failed: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at Method)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(
at org.keycloak.federation.kerberos.KerberosFederationProvider.authenticate(Kerberos
btw i used this keytab to get auth in krb client it says its good and auth gets authenticated by krbv5

Any advice? Help please=)


i got same error. same scenario.

did you solve the problem? how?

No( i didn’t.
Just decided to use ldaps instead of ceberos…
Sorry bro

I wouldn’t bother with this error too much, I got it as well, even when I got Kerberos working on my Keycloak instance, can you please check if your Kerberos provider has the same ServicePrincipalName you configured in your Kerberos configurations and on your keytab, and that it is registered to the same object as the binding for the keytab?

it means that kerberos failed and the client tries to use NTLM instead, which keycloak doesnt supports.

you need to check why it fails, you can use wireshark or any other tools.
my problem was that when i was trying to log in via kerberos, it popped up a login box.
so i started to troubleshoot the kerberos by using wireshark, you can see an example here:,-Authenticate%3A%20Negotiate%20HTTP%20header.

you just need to install wireshark and put “kerberos” in the filter. in wireshark i saw that it gave me KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, after googling this error i found my problem:

make sure that the url “https://” and the hostname that you use for the spn “HTTP/” are configured in that part.

Still I have this issue, any solution for this?