Kerberos Integration with LDAP failing

Setup: Keycloak OpenJDK behind a loadbalancer with stickiness and with TLS offload on CentOS 8.4 in domain mode with a MariaDB Cluster behind a loadbalancer with stickiness. Keycloak is run as a certain user.
The LDAP integration works without flaws and we wanted to expand to Kerberos so I installed the ipaclient from the repos.
Keytab file was generated with the same commands as when we use the kerberos module for Apache.
When enabling debugging, the error 2021-09-20 08:04:40,112 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-63) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC) is thrown. That should point to invalid permissions or a missing keytab file. After controlling the permissions we tried kinit and klist and both seem to work.
sudo -u UserWhoRunsKeycloak kinit HTTP/NameOfKeycloakServer@NameOfRealm -kt /etc/krb5.keytab
sudo -u UserWhoRunsKeycloak klist -eaf
Ticket cache: KCM:50005:54163
Default principal: HTTP/NameOfKeycloakServer@NameOfRealm

Valid starting Expires Service principal
09/20/2021 08:28:34 09/20/2021 18:28:34 krbtgt/NameOfRealm@NameOfRealm
renew until 09/27/2021 08:28:34, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Addresses: (none)
The values from kinit are the same as in the Keycloak GUI. krb5.conf also seems to be right, because kinit is working as expected.
I can’t see any network connection leaving the Keycloak server when trying to authenticate with Kerberos, which makes me think that something is configured completely wrong or I am missing something to configure. I also tried a Kerberos User Federation but without luck and with the same error message.
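A check worth adding at this point (an added example, not from the thread): the GSS error names the enctype the incoming service ticket used, so the keytab must hold a key of that type for the HTTP principal, and kinit succeeding with the TGT does not prove that. The script below parses the text output of klist -kte (a constructed sample with placeholder host and realm names, and the MIT enctype naming) and reports which enctypes the keytab holds for a principal and whether a given one is missing.

```shell
#!/bin/sh
# Added example, not code from the thread. It inspects a keytab listing
# in the format printed by MIT `klist -kte` and answers the question the
# GSS error raises: does the keytab have a key of the enctype the client's
# ticket was encrypted with (RC4-HMAC, shown by MIT as arcfour-hmac)?

# Constructed sample listing with placeholder names. In practice capture it with:
#   sudo -u UserWhoRunsKeycloak klist -kte /etc/krb5.keytab
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/20/2021 08:00:00 HTTP/keycloak.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 09/20/2021 08:00:00 HTTP/keycloak.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# Fields per entry line: KVNO, date, time, principal, "(enctype)".
# keytab_etypes LISTING PRINCIPAL -> prints the enctypes stored for PRINCIPAL, one per line
keytab_etypes() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $4 == p { gsub(/[()]/, "", $5); print $5 }'
}

# keytab_has_key LISTING PRINCIPAL ETYPE -> exit 0 if a matching key exists, 1 otherwise
keytab_has_key() {
    printf '%s\n' "$1" | awk -v p="$2" -v e="($3)" '
        $4 == p && $5 == e { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose LISTING PRINCIPAL ETYPE -> human-readable verdict for the enctype named in the error
diagnose() {
    if keytab_has_key "$1" "$2" "$3"; then
        printf 'keytab has a %s key for %s; look at KVNO and principal name next\n' "$3" "$2"
    else
        printf 'keytab has NO %s key for %s; keys present: %s\n' "$3" "$2" \
            "$(keytab_etypes "$1" "$2" | tr '\n' ' ')"
    fi
}

diagnose "$SAMPLE_KEYTAB_LISTING" 'HTTP/keycloak.example.test@EXAMPLE.TEST' 'arcfour-hmac'
```

If the enctype from the error is missing, the fix is on the KDC/keytab side (re-export the keytab with the enctypes the clients negotiate, or restrict the clients to the AES types the keytab already has), not in Keycloak.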

I think this only works with browser flow, but I am trying to do this over curl and get a different error, so it might be a different issue. You need to make sure the Kerberos key is forwardable, if you are using Kerberos on both sides.

I am trying to get this working with browser flow and I am running out of ideas why kinit and klist are working and, if I try this in the browser flow, not even the request to the AD leaves the server. Checked with tcpdump. We already merged the keytab files for the DNS of the load-balanced server name and the real server names, but still, no connection leaves the Keycloak server. While debugging I can see that Keycloak uses the right krb5.conf and the specified keytab file.

So, I said I get a different error, but we actually solved our issue, at least partially.

This is the kinit line we ran to get it working:
kinit --forwardable dwhitfield@IPA.TEST

The problem we still have is a topology I don’t think Keycloak supports, where we have another app sitting between Keycloak and Kafka and trying to pass the Kerberos key through that. But I think what you are trying to do we got working.