Setup: Keycloak OpenJDK behind a loadbalancer with stickiness and with TLS offload on CentOS 8.4 in domain mode with a MariaDB Cluster behind a loadbalancer with stickiness. Keycloak is run as a certain user.
The LDAP integration works without flaws and we wanted to expand to Kerberos, so I installed the ipaclient from the repos.
Keytab file was generated with the same commands as when we use the kerberos module for Apache.
When enabling debugging, the error 2021-09-20 08:04:40,112 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-63) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC) is thrown. That should point to invalid permissions or a missing keytab file. After checking the permissions we tried kinit and klist and both seem to work.
sudo -u UserWhoRunsKeycloak kinit HTTP/NameOfKeycloakServer@NameOfRealm -kt /etc/krb5.keytab
sudo -u UserWhoRunsKeycloak klist -eaf
Ticket cache: KCM:50005:54163
Default principal: HTTP/NameOfKeycloakServer@NameOfRealm
Valid starting Expires Service principal
09/20/2021 08:28:34 09/20/2021 18:28:34 krbtgt/NameOfRealm@NameOfRealm
renew until 09/27/2021 08:28:34, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Addresses: (none)
The values from kinit are the same as in the Keycloak GUI. krb5.conf also seems to be right, because kinit is working as expected.
I can’t see any network connection leaving the Keycloak server when trying to authenticate with Kerberos, which makes me think that something is configured completely wrong or I am missing something to configure. I also tried a Kerberos User Federation but without luck and with the same error message.
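As an added diagnostic example (not part of the original post), a small Python script that pulls the encryption type named in the Keycloak WARN line and compares it with the enctypes listed by klist, either from a ticket cache (klist -eaf) or from a keytab listing (klist -ekt). The sample inputs are constructed from the post, and the table mapping Java GSS enctype descriptions to MIT krb5 names is an assumption.

```python
import re

# Assumed mapping of Java Kerberos enctype descriptions to MIT krb5 names;
# only "RC4 with HMAC" and the aes256 name appear in the original post.
JAVA_ETYPE_TO_KRB5 = {
    "RC4 with HMAC": "arcfour-hmac",
    "AES128 CTS mode with HMAC SHA1-96": "aes128-cts-hmac-sha1-96",
    "AES256 CTS mode with HMAC SHA1-96": "aes256-cts-hmac-sha1-96",
}

# Enctype named in the Keycloak/Java GSS error message.
_ERR_RE = re.compile(r"Cannot find key of appropriate type to decrypt AP REP - (?P<etype>[^)]+)\)")
# "Etype (skey, tkt): a, b" lines from `klist -eaf` on a ticket cache.
_CACHE_RE = re.compile(r"Etype \(skey, tkt\):\s*(?P<skey>[\w-]+),\s*(?P<tkt>[\w-]+)")
# "principal@REALM (enctype)" lines from `klist -ekt /etc/krb5.keytab`.
_KEYTAB_RE = re.compile(r"@\S+\s+\((?P<etype>[\w-]+)\)")

def requested_enctype(log_line):
    """Return the MIT enctype name the server needed, or None if the line is not this error."""
    m = _ERR_RE.search(log_line)
    if not m:
        return None
    name = m.group("etype").strip()
    return JAVA_ETYPE_TO_KRB5.get(name, name)

def available_enctypes(klist_output):
    """Collect every enctype visible in klist output (cache or keytab form)."""
    found = set()
    for m in _CACHE_RE.finditer(klist_output):
        found.update((m.group("skey"), m.group("tkt")))
    for m in _KEYTAB_RE.finditer(klist_output):
        found.add(m.group("etype"))
    return found

def diagnose(log_line, klist_output):
    """Return (needed enctype, enctypes seen, whether the needed one is present)."""
    wanted = requested_enctype(log_line)
    have = sorted(available_enctypes(klist_output))
    return (wanted, have, wanted in have)

# Constructed sample inputs: the WARN line from the post and a keytab listing
# for the same principal holding only an AES256 key.
LOG_LINE = ("2021-09-20 08:04:40,112 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] "
            "(default task-63) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: "
            "Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - "
            "Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)")
KEYTAB_LISTING = ("KVNO Timestamp           Principal\n"
                  "---- ------------------- ------------------------------------------------------\n"
                  "   2 09/20/2021 08:00:00 HTTP/NameOfKeycloakServer@NameOfRealm (aes256-cts-hmac-sha1-96)\n")

if __name__ == "__main__":
    print(diagnose(LOG_LINE, KEYTAB_LISTING))
```

A result with the third element False means the service ticket was issued with an enctype for which the keytab holds no key, so the keytab contents and the principal's allowed enctypes on the KDC are the place to look before the Keycloak configuration.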