Kerberos error - GSSHeader did not find the right tag

Hi,

I’m new to Keycloak and I’m having trouble getting it to work with Kerberos auth.
I’m using a Docker-hosted Keycloak server with a working realm. In this realm, I have several clients configured with OpenID that are working fine.

I use an LDAP federation, which is provided by a Samba 4 AD domain. Users can log in to my clients using their LDAP username and password without any issue.

I am now trying to get Kerberos login working from browsers. No matter what I try, I always end up with the same error in the Keycloak logs: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Here is my LDAP and Kerberos configuration:

And here is an output of kinit using my keytab:

root@srv3team223:~/keycloak# kinit -V -k -t keycloak.keytab HTTP/keycloak.cross@PUBLIC.****.COM
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/keycloak.cross@PUBLIC.****.COM
Using keytab: keycloak.keytab
Authenticated to Kerberos v5

Every time I try to authenticate, I get this error in Keycloak log, and I’m redirected to the login form (where I can use my LDAP credentials successfully):

keycloak_1  | 07:54:23,290 INFO  [stdout] (default task-75) principal is HTTP/keycloak.cross@PUBLIC.****.COM
keycloak_1  | 07:54:23,292 INFO  [stdout] (default task-75) Will use keytab
keycloak_1  | 07:54:23,293 INFO  [stdout] (default task-75) Commit Succeeded
keycloak_1  | 07:54:23,294 INFO  [stdout] (default task-75)
keycloak_1  | 07:54:23,301 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-75) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Could you help me solve this? I don’t really know how to find more information about my error…

I used to have the same issue and did research for a long time.

Did you set up your browser to trust the Keycloak URL for Negotiate auth?

The setting should be in Firefox under network.negotiate-auth.trusted-uris

How the process should work:

  1. The client asks for the resource
  2. Keycloak sends a 401 status code with the header “www-authenticate” and the value “Negotiate”
  3. Then you start the authentication process

If you don’t trust the site for Negotiate, you will never start the process.
This should solve your problem.
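An added diagnostic, not code from this thread or from Keycloak: it classifies the token a browser sent in its “Authorization: Negotiate” header, so you can tell a real SPNEGO or Kerberos token (DER tag 0x60 followed by the mechanism OID, which is what Java’s GSSHeader expects) from an NTLM fallback token, which begins with “NTLMSSP\0” and is a common cause of the “did not find the right tag” error seen above. The header values are constructed samples, not captured from the poster’s setup.

```python
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:
        return "undecodable"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"            # browser fell back to NTLM; GSS-API rejects this
    try:
        if token[0] != 0x60:     # InitialContextToken must start with tag 0x60
            return "defective"
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:   # next element must be an OBJECT IDENTIFIER
            return "defective"
        oid_len, pos = _der_length(token, pos + 1)
    except IndexError:
        return "defective"
    oid = token[pos:pos + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid == KRB5_OID:
        return "krb5"
    return "unknown-mech"


# Constructed sample header values (not real captures).
SAMPLES = {
    "spnego": "Negotiate " + base64.b64encode(b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00").decode(),
    "krb5": "Negotiate " + base64.b64encode(b"\x60\x0d\x06\x09" + KRB5_OID + b"\x01\x00").decode(),
    "ntlm": "Negotiate " + base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode(),
    "defective": "Negotiate " + base64.b64encode(b"\x30\x03\x02\x01\x05").decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10s} -> {classify_negotiate_token(value)}")
```

Run it against the header value from a browser capture (or Keycloak request logging) to see whether the browser is sending SPNEGO at all; “ntlm” means the site is not trusted for Negotiate in the browser.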

Hi,

I finally found the answer and am leaving it here, just in case it could help someone.

The problem seems to be that I was hosting my service at an address just under my TLD: “keycloak.cross”.
When I was trying to add this URL to the Intranet zone, through the Internet Options panel, it was always added as “*.keycloak.cross”. Adding it to the Firefox “network.negotiate-auth.trusted-uris” option didn’t do anything either.

I then tried to move my Keycloak server to the “account.keycloak.cross” URL, regenerated my keytab and set this address for Edge, Chrome and Firefox. Everything is now working flawlessly.

Gilles

I still have this issue; has anyone found a solution for this?