Kerberos authentication - Matching credential not found


We are currently trying to configure Keycloak to provide Kerberos authentication to users from our corporate Active Directory. But right now, we are stuck on this issue.

We have apparently followed all the steps from the Server Administration Guide, but we still can’t get it to work.

I’m trying to diagnose the problem from a Linux Mint workstation, where I have kerberos client installed and configured. I can issue a TGT, and that seems to be in good shape.

$ kinit -S HTTP/ jhem@TJPR.NET
## enter login credentials

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jhem@TJPR.NET

Valid starting       Expires              Service principal
08/24/2020 21:47:07  08/25/2020 07:47:07  HTTP/
	renew until 08/25/2020 21:47:06

I have configured Firefox to use kerberos in our domain (, as instructed here

I can also see some debugging messages from Firefox by enabling environment variables:

export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/dev/stdout

At this point, when trying to authenticate, we see the error Matching credential not found at the GSSAPI level from the firefox console:

$ firefox -P -new-instance
Unable to create nspr log file '/dev/stdout.child-1'
Unable to create nspr log file '/dev/stdout.child-2'
Unable to create nspr log file '/dev/stdout.child-3'
[Parent 390426: Main Thread]: D/negotiateauth   service =
[Parent 390426: Main Thread]: D/negotiateauth   using negotiate-gss
[Parent 390426: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::nsAuthGSSAPI()
[Parent 390426: Main Thread]: D/negotiateauth Attempting to load gss functions
[Parent 390426: Main Thread]: D/negotiateauth entering nsAuthGSSAPI::Init()
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth entering nsAuthGSSAPI::GetNextToken()
[Parent 390426: BgIOThreadPool #1]: D/negotiateauth gss_init_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information
Matching credential not found (filename: /tmp/krb5cc_1000)

[Parent 390426: BgIOThreadPool #1]: D/negotiateauth   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
Unable to create nspr log file '/dev/stdout.child-4'

The Kerberos ticket is never sent to via HTTP Authenticate header, so we get back to the login screen.

Can anyone give us a clue as to what exactly that message means?

Best regards.

We finally managed to move forward by enabling more debug messages from the kerberos client.

export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/dev/stdout
export NSPR_LOG_FILE=/dev/stdout
export KRB5_TRACE=/dev/stdout

Enabling KRB5_TRACE environment variable before staring Firefox gives out a lot more debugging messages. We were able to verify that the SPN name did not match the domain name of the web site.

This is especially true if the IDP domain name is a CNAME to another A record in your DNS server. The SPN name must match A records for the authentication domain.