Hi,
We have deployed Keycloak on Kubernetes and are trying to configure Kerberos SSO with our Active Directory. We are getting the following exception when trying Kerberos authentication.
2022-08-08 13:47:53,326 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-2) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.base/java.security.AccessController.doPrivileged(Native Method)
Our Setup:-
We have a load balancer in front of an Nginx Ingress Controller, which is in turn in front of our Keycloak Kubernetes pods.
So something like this: User → mykc.myorg.com → Ingress Controller → Keycloak server pods
We have configured the principal as: HTTP/mykc.myorg.com@SUBDOMAIN.DOMAIN.COM
Deployed the Kerberos client in the Keycloak image using
RUN microdnf install krb5-workstation krb5-libs -y
Added a krb5.conf file in the Keycloak pods with the following:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
#default_realm = EXAMPLE.COM
default_realm = DOMAIN.SUBDOMAIN.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
DOMAIN.SUBDOMAIN.COM = {
kdc = HOST.SUBDOMAIN.DOMAIN.COM
admin_server = HOST.SUBDOMAIN.DOMAIN.COM
}
[domain_realm]
.domain.subdomain.com = HOST.SUBDOMAIN.DOMAIN.COM
domain.subdomain.com = HOST.SUBDOMAIN.DOMAIN.COM
We are using LDAP user federation, and the appropriate Kerberos settings are configured for the realm, keytab file and principal.
The keytab file is copied into the conf folder.
We enabled debug and trace as well, but it's not giving much detail apart from the error mentioned above.
Does anything else need to be done? Are the installation and configuration steps correct? Any pointers will be appreciated.
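Two checks a practitioner would want to run before digging deeper, as an added example that is not part of the original post and not Keycloak's own code. The first inspects the token a browser sends in the `Authorization: Negotiate` header: the Java GSS layer that raises "GSSHeader did not find the right tag" expects a DER APPLICATION 0 wrapper (first byte 0x60) followed by the SPNEGO or Kerberos mechanism OID, so the function reports whether a captured header actually carries SPNEGO/Kerberos, an NTLMSSP blob, or something else. The second parses a krb5.conf and checks that the service principal's realm, `default_realm`, the `[realms]` entries and the `[domain_realm]` mappings name the same realm; the config quoted in the post is embedded as the sample input, and the "consistent" variant is an assumed, constructed layout, not a recommendation for the poster's real domain names. The sample tokens and header values are constructed, not captured traffic.

```python
import base64
import re

# DER-encoded mechanism OIDs that follow the 0x60 GSS-API header
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap_gss(oid, inner):
    """Build an InitialContextToken: 0x60, length, mechanism OID, inner token."""
    payload = oid + inner
    return b"\x60" + der_len(len(payload)) + payload


def classify_negotiate_token(header_value):
    """Classify the blob in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                      # NTLMSSP signature, not a GSS-API token
    if raw[:1] != b"\x60":
        return "not-gss"                   # no APPLICATION 0 tag at all
    i = 1
    first = raw[i]
    i += 1
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        i += n
    if raw[i:i + len(SPNEGO_OID)] == SPNEGO_OID:
        return "spnego"
    if raw[i:i + len(KRB5_OID)] == KRB5_OID:
        return "kerberos"
    return "gss-unknown-mech"


# Constructed sample headers (not real traffic); inner bodies are truncated stand-ins.
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 20).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    wrap_gss(SPNEGO_OID, b"\xa0\x03\x0a\x01\x00")).decode()
SAMPLE_KRB5_HEADER = "Negotiate " + base64.b64encode(
    wrap_gss(KRB5_OID, b"\x01\x00" + b"\x00" * 150)).decode()   # forces long-form length


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] keys plus one level of NAME = { ... } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if line.endswith("{"):
            block = line[:-1].strip().rstrip("=").strip()
            conf[section][block] = {}
            continue
        if line == "}":
            block = None
            continue
        key, _, val = line.partition("=")
        target = conf[section][block] if block else conf[section]
        target[key.strip()] = val.strip()
    return conf


def check_realm_consistency(conf, principal):
    """Return findings where the principal realm, default_realm, [realms] and [domain_realm] disagree."""
    findings = []
    realm = principal.rsplit("@", 1)[1]
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if default_realm != realm:
        findings.append(f"default_realm {default_realm!r} != principal realm {realm!r}")
    if realm not in realms:
        findings.append(f"principal realm {realm!r} has no [realms] entry")
    for dom, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append(f"[domain_realm] {dom} -> {mapped!r} is not a realm defined in [realms]")
    return findings


PRINCIPAL = "HTTP/mykc.myorg.com@SUBDOMAIN.DOMAIN.COM"

# krb5.conf exactly as quoted in the post
KRB5_CONF_FROM_POST = """
[libdefaults]
dns_lookup_realm = false
rdns = false
default_realm = DOMAIN.SUBDOMAIN.COM
[realms]
DOMAIN.SUBDOMAIN.COM = {
kdc = HOST.SUBDOMAIN.DOMAIN.COM
admin_server = HOST.SUBDOMAIN.DOMAIN.COM
}
[domain_realm]
.domain.subdomain.com = HOST.SUBDOMAIN.DOMAIN.COM
domain.subdomain.com = HOST.SUBDOMAIN.DOMAIN.COM
"""

# Assumed consistent layout (constructed): every mapping names the principal's realm.
CONSISTENT_CONF = """
[libdefaults]
default_realm = SUBDOMAIN.DOMAIN.COM
[realms]
SUBDOMAIN.DOMAIN.COM = {
kdc = HOST.SUBDOMAIN.DOMAIN.COM
}
[domain_realm]
.subdomain.domain.com = SUBDOMAIN.DOMAIN.COM
"""

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_HEADER, SAMPLE_SPNEGO_HEADER, SAMPLE_KRB5_HEADER):
        print(classify_negotiate_token(h))
    for f in check_realm_consistency(parse_krb5_conf(KRB5_CONF_FROM_POST), PRINCIPAL):
        print("finding:", f)
```

To use the first check on a real deployment, capture the `Authorization` header at the ingress (or from the browser's developer tools) and pass its value to `classify_negotiate_token`; a result of `ntlm` or `not-gss` means the client never produced a Kerberos token, so the failure lies on the client/SPN side rather than in the keytab. The second check deliberately compares realm names case-sensitively, since Kerberos realms are.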