Hi,
I’m new to Keycloak and I’m having trouble getting it to work with Kerberos auth.
I’m using a Docker-hosted Keycloak server with a working realm. In this realm, I have several clients configured with OpenID that are working fine.
I use an LDAP federation, which is provided by a Samba 4 AD domain. Users can log in to my clients using their LDAP username and password without any issue.
I am now trying to get Kerberos login working from browsers. No matter what I try, I always end up with the same error in the Keycloak logs: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Here is my LDAP and Kerberos configuration:
And here is an output of kinit using my keytab:
root@srv3team223:~/keycloak# kinit -V -k -t keycloak.keytab HTTP/keycloak.cross@PUBLIC.****.COM
Using default cache: /tmp/krb5cc_0
Using principal: HTTP/keycloak.cross@PUBLIC.****.COM
Using keytab: keycloak.keytab
Authenticated to Kerberos v5
Every time I try to authenticate, I get this error in Keycloak log, and I’m redirected to the login form (where I can use my LDAP credentials successfully):
keycloak_1 | 07:54:23,290 INFO [stdout] (default task-75) principal is HTTP/keycloak.cross@PUBLIC.****.COM
keycloak_1 | 07:54:23,292 INFO [stdout] (default task-75) Will use keytab
keycloak_1 | 07:54:23,293 INFO [stdout] (default task-75) Commit Succeeded
keycloak_1 | 07:54:23,294 INFO [stdout] (default task-75)
keycloak_1 | 07:54:23,301 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-75) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Could you help me solve this? I don’t really know how to find more information about my error…
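Added illustration, not code from the original post or from Keycloak: the "GSSHeader did not find the right tag" message means the token Keycloak received does not begin with the GSS-API tag byte 0x60, and a frequent cause is the browser sending an NTLM token under the Negotiate header instead of a SPNEGO/Kerberos one. The Python below classifies the value of the browser's Authorization header (captured from the browser's developer tools or a proxy) so you can check which mechanism was actually sent; the sample tokens are constructed and minimal.

```python
from __future__ import annotations
import base64

# A GSS-API initial context token (RFC 2743, section 3.1) starts with the tag
# byte 0x60 (APPLICATION 0, constructed), a DER length and the mechanism OID.
# Java's GSSHeader raises "did not find the right tag" when that first byte is
# missing, which is what a raw NTLM token (signature "NTLMSSP\0") looks like.
GSS_TAG = 0x60
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value: str) -> str:
    """Classify 'Negotiate <b64>': spnego, kerberos, ntlm, not-gss or invalid."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "invalid"
    try:
        tok = base64.b64decode(parts[1], validate=True)
        if tok.startswith(NTLMSSP_SIGNATURE):
            return "ntlm"        # browser fell back to NTLM; SPNEGO cannot consume it
        if tok[0] != GSS_TAG:
            return "not-gss"     # the exact condition behind the GSSHeader error
        _, pos = _der_length(tok, 1)
        if tok[pos] != 0x06:     # OBJECT IDENTIFIER tag
            return "not-gss"
        oid_len, pos = _der_length(tok, pos + 1)
        oid = tok[pos:pos + oid_len]
    except (ValueError, IndexError):
        return "invalid"
    if oid == SPNEGO_OID:
        return "spnego"
    return "kerberos" if oid == KRB5_OID else "not-gss"


# Constructed sample header values (minimal, not complete protocol messages).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(b"\x60\x0b\x06\x06" + SPNEGO_OID + b"\xa0\x01\x00").decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(b"\x60\x0d\x06\x09" + KRB5_OID + b"\x01\x00").decode()
```

If the classifier reports "ntlm", the fix is on the browser/SPN side (the browser did not obtain a Kerberos ticket for the HTTP service principal), not in the keytab, which kinit has already shown to be valid.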