Kerberos authentication - Matching credential not found

Greetings,

We are currently trying to configure Keycloak to provide Kerberos authentication to users from our corporate Active Directory. But right now, we are stuck on this issue.

We have apparently followed all the steps from the Server Administration Guide, but we still can’t get it to work.

I’m trying to diagnose the problem from a Linux Mint workstation, where I have the Kerberos client installed and configured. I can issue a TGT, and that seems to be in good shape.

$ kinit -S HTTP/sso.tst.tjpr.jus.br jhem@TJPR.NET
## enter login credentials

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jhem@TJPR.NET

Valid starting       Expires              Service principal
08/24/2020 21:47:07  08/25/2020 07:47:07  HTTP/sso.tst.tjpr.jus.br@TJPR.NET
	renew until 08/25/2020 21:47:06

I have configured Firefox to use kerberos in our domain (sso.tst.tjpr.jus.br), as instructed here

I can also see some debugging messages from Firefox by enabling environment variables:

export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/dev/stdout

At this point, when trying to authenticate, we see the error "Matching credential not found" at the GSSAPI level in the Firefox console:

$ firefox -P -new-instance
Unable to create nspr log file '/dev/stdout.child-1'
Unable to create nspr log file '/dev/stdout.child-2'
Unable to create nspr log file '/dev/stdout.child-3'
[Parent 390426: Main Thread]: D/negotiateauth   service = sso.tst.tjpr.jus.br
[Parent 390426: Main Thread]: D/negotiateauth   using negotiate-gss
[Parent 390426: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI()
[Parent 390426: Main Thread]: D/negotiateauth Attempting to load gss functions
[Parent 390426: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init()
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth entering nsAuthGSSAPI::GetNextToken()
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
Matching credential not found (filename: /tmp/krb5cc_1000)

[Parent 390426: BgIOThreadPool #1]: D/negotiateauth   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
Unable to create nspr log file '/dev/stdout.child-4'

The Kerberos ticket is never sent via the HTTP Authenticate header, so we get sent back to the login screen.

Can anyone give us a clue as to what exactly that message means?

Best regards.

We finally managed to move forward by enabling more debug messages from the Kerberos client.

export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/dev/stdout
export KRB5_TRACE=/dev/stdout

Enabling the KRB5_TRACE environment variable before starting Firefox gives out a lot more debugging messages. We were able to verify that the SPN name did not match the domain name of the web site.

This is especially true if the IDP domain name is a CNAME to another A record in your DNS server. The SPN name must match A records for the authentication domain.
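The follow-up describes the mechanism behind the error without spelling it out: Firefox hands GSSAPI the host-based name HTTP@sso.tst.tjpr.jus.br, and MIT krb5 (with its default `dns_canonicalize_hostname = true` and `rdns = true` in `[libdefaults]`) follows the CNAME to the A record and the PTR back, so the SPN actually requested from the KDC is HTTP/<canonical host>, not HTTP/sso.tst.tjpr.jus.br. The `klist` output in the question only holds a service ticket for the CNAME name and no krbtgt entry (because `kinit -S` fetches the service ticket as the initial ticket), so there is nothing to match and no TGT to fetch the right ticket with. The script below is an added example, not code from this thread, from Keycloak or from MIT krb5: it simulates that canonicalization against a constructed DNS table (the host name `keycloak01.tst.tjpr.jus.br` and address `10.0.0.15` are assumptions, not the real TJPR zone) and compares the resulting SPN with the principals parsed from a klist sample modelled on the one posted above.

```python
import re

# Constructed DNS data for the scenario in the thread (assumption, not the real
# TJPR zone): the IdP name is a CNAME pointing at the host that owns the A record.
DNS = {
    "sso.tst.tjpr.jus.br": ("CNAME", "keycloak01.tst.tjpr.jus.br"),
    "keycloak01.tst.tjpr.jus.br": ("A", "10.0.0.15"),
}
PTR = {"10.0.0.15": "keycloak01.tst.tjpr.jus.br"}

# Constructed klist output modelled on the question: only a service ticket for
# the CNAME name and no krbtgt entry, because kinit -S fetched it as the initial ticket.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jhem@TJPR.NET

Valid starting       Expires              Service principal
08/24/2020 21:47:07  08/25/2020 07:47:07  HTTP/sso.tst.tjpr.jus.br@TJPR.NET
\trenew until 08/25/2020 21:47:06
"""


def canonicalize_host(host, dns_canonicalize_hostname=True, rdns=True):
    """Mimic MIT krb5's host canonicalization for a host-based service name.

    With dns_canonicalize_hostname=true (the default) the library follows CNAMEs
    to the A record; with rdns=true (also the default) it then maps the address
    back through PTR. Either step can change the host part of the SPN.
    """
    name = host.lower().rstrip(".")
    if not dns_canonicalize_hostname:
        return name
    seen = set()
    while name in DNS and DNS[name][0] == "CNAME":
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        name = DNS[name][1]
    if rdns and name in DNS and DNS[name][0] == "A":
        name = PTR.get(DNS[name][1], name)
    return name


def requested_spn(host, service="HTTP", **krb5_opts):
    """The SPN (realm omitted) GSSAPI asks the KDC for when the browser targets `host`."""
    return "%s/%s" % (service, canonicalize_host(host, **krb5_opts))


def parse_klist(output):
    """Extract the service principals (realm stripped) from klist output."""
    ticket_re = re.compile(
        r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\s+(\S+)"
    )
    principals = []
    for line in output.splitlines():
        m = ticket_re.match(line)
        if m:
            principals.append(m.group(1).split("@", 1)[0])
    return principals


def diagnose(klist_output, host, **krb5_opts):
    """Explain whether gss_init_sec_context() can be satisfied from the cache."""
    cached = parse_klist(klist_output)
    want = requested_spn(host, **krb5_opts)
    has_tgt = any(p.startswith("krbtgt/") for p in cached)
    if want in cached:
        verdict = "ok: cached ticket matches %s" % want
    elif has_tgt:
        verdict = "ok: no ticket for %s yet, but a TGT is available to fetch one" % want
    else:
        verdict = ("mismatch: GSSAPI wants %s, cache holds %s and no TGT -> "
                   "'Matching credential not found'" % (want, cached))
    return {"requested": want, "cached": cached, "has_tgt": has_tgt, "verdict": verdict}


if __name__ == "__main__":
    # Default krb5.conf: the CNAME is canonicalized, so the SPN changes.
    print(diagnose(KLIST_OUTPUT, "sso.tst.tjpr.jus.br")["verdict"])
    # With canonicalization disabled the client asks for the name the browser used.
    print(diagnose(KLIST_OUTPUT, "sso.tst.tjpr.jus.br",
                   dns_canonicalize_hostname=False)["verdict"])
```

On a real workstation the equivalent check is to run a plain `kinit jhem@TJPR.NET` (so a TGT is present), start Firefox with `KRB5_TRACE=/dev/stdout`, and read which principal the trace reports as being requested; that name is the one the service account must have registered as an SPN. The two usual remedies are therefore either to register the CNAME name as an additional SPN on the Keycloak service account (so tickets for both names can be issued), or to stop the client from canonicalizing by setting `dns_canonicalize_hostname = false` (or `rdns = false`) in the `[libdefaults]` section of krb5.conf.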