We are currently trying to configure Keycloak to provide Kerberos authentication to users from our corporate Active Directory. But right now, we are stuck on this issue.
We have apparently followed all the steps from the Server Administration Guide, but we still can’t get it to work.
I’m trying to diagnose the problem from a Linux Mint workstation, where I have the Kerberos client installed and configured. I can obtain a TGT, and that seems to be in good shape.
$ kinit -S HTTP/sso.tst.tjpr.jus.br jhem@TJPR.NET   ## enter login credentials
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jhem@TJPR.NET

Valid starting       Expires              Service principal
08/24/2020 21:47:07  08/25/2020 07:47:07  HTTP/sso.tst.tjpr.jus.br@TJPR.NET
        renew until 08/25/2020 21:47:06
I have configured Firefox to use Kerberos in our domain (sso.tst.tjpr.jus.br), as instructed here.
I can also see some debugging messages from Firefox by enabling environment variables:
export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/dev/stdout
At this point, when trying to authenticate, we see the error "Matching credential not found" at the GSSAPI level in the Firefox console:
$ firefox -P -new-instance
Unable to create nspr log file '/dev/stdout.child-1'
Unable to create nspr log file '/dev/stdout.child-2'
Unable to create nspr log file '/dev/stdout.child-3'
[Parent 390426: Main Thread]: D/negotiateauth service = sso.tst.tjpr.jus.br
[Parent 390426: Main Thread]: D/negotiateauth using negotiate-gss
[Parent 390426: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI()
[Parent 390426: Main Thread]: D/negotiateauth Attempting to load gss functions
[Parent 390426: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init()
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth entering nsAuthGSSAPI::GetNextToken()
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
Matching credential not found (filename: /tmp/krb5cc_1000)
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
Unable to create nspr log file '/dev/stdout.child-4'
The Kerberos ticket is never sent via the HTTP Authenticate header, so we get back to the login screen.
Can anyone give us a clue as to what exactly that message means?
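A small checker for the klist listing quoted in the post, added here as an example and not part of the original question: it parses the ticket cache output and reports whether the cache holds a TGT for the realm and an unexpired HTTP/<host> service ticket, which are what a GSSAPI client consults before it can build a Negotiate token. The host name and the klist text are taken from the post; the sample is reproduced as a constructed string so the script runs offline.

```python
import re
from datetime import datetime

# Constructed sample: the klist output quoted in the post above.
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jhem@TJPR.NET

Valid starting       Expires              Service principal
08/24/2020 21:47:07  08/25/2020 07:47:07  HTTP/sso.tst.tjpr.jus.br@TJPR.NET
\trenew until 08/25/2020 21:47:06
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
# One ticket line: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)


def parse_klist(text):
    """Return (cache name, default principal, {service principal: (start, expires)})."""
    cache = principal = None
    tickets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)
            if m:  # "renew until" lines do not match and are skipped
                start = datetime.strptime(m.group(1), TIME_FMT)
                expires = datetime.strptime(m.group(2), TIME_FMT)
                tickets[m.group(3)] = (start, expires)
    return cache, principal, tickets


def check_cache(text, host, now):
    """Report whether the cache can serve a Negotiate request for HTTP/host at time `now`."""
    cache, principal, tickets = parse_klist(text)
    realm = principal.split("@", 1)[1]
    spn = f"HTTP/{host}@{realm}"
    tgt = f"krbtgt/{realm}@{realm}"
    report = {"cache": cache, "principal": principal, "has_tgt": tgt in tickets,
              "has_service_ticket": spn in tickets, "service_ticket_valid": False}
    if spn in tickets:
        start, expires = tickets[spn]
        report["service_ticket_valid"] = start <= now < expires
    return report
```

For the listing in the post, the report shows a service ticket for HTTP/sso.tst.tjpr.jus.br@TJPR.NET but no krbtgt entry, which is exactly what `kinit -S` produces; comparing the cache name it prints with the filename in the GSSAPI error is a quick way to confirm Firefox is reading the same cache.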