Kerberos Integration with LDAP failing

Setup: Keycloak OpenJDK behind a loadbalancer with stickyness and with TLS offload on CentOS 8.4 in domain mode with a MariaDB Cluster behind a loadbalancer with sitckyness. Keycloak is run as a certain user.
The LDAP integration works without flaws an we wanted to expand to Kerberos so I installed the ipaclient from the repos.
Keytab file was generated with the same commands as when we use the kerberos module for Apache.
When enabling Debugging the Error 2021-09-20 08:04:40,112 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-63) SPNEGO login failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC) ist thrown. That should point to invalid permissions or a missing keytab file. After controlling the permissions we tried kinit and klist and both seem to work.
sudo -u UserWhoRunsKeycloak kinit HTTP/NameOfKeycloakServer@NameOfRealm -kt /etc/krb5.keytab
sudo -u UserWhoRunsKeycloak klist -eaf
Ticket cache: KCM:50005:54163
Default principal: HTTP/NameOfKeycloakServer@NameOfRealm

Valid starting Expires Service principal
09/20/2021 08:28:34 09/20/2021 18:28:34 krbtgt/NameOfRealm@NameOfRealm
renew until 09/27/2021 08:28:34, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
Addresses: (none)
The values from kinit are the same as in the Keycloak GUI. krb5.conf also seems to be right, because kinit is working as expected.
I can’t see any network connection leaving the Keycloak server when trying to authenticate with Kerberos, what makes me think, that something is configured completeley wrong or I am missing something to configure. I also tried a Kerberos User Federation but without luck and with the same error message.

I think this only works with browser flow, but I am trying to do this over curl and get a different error, so it might be a different issue. You need to make sure the Kerberos key is forwardable, if you are using Kerberos on both sides.

I am trying to get this working with Browser flow and i am running out of ideas, why kinit and klist are working and if i try this in the browser flow, not even the request to the AD leaves the server. Checked with tcpdump. We already merged the keytab Files for the DNS of the Load-balanced Servername and the real Servernames, but still, no cennections leaves the Keycloak Server. While debugging i can see, that Keycloak uses the right krb5.conf and the specified keytab File.

So, I said I get a different error, but we actually solved out issue, at least partially.

This is the kinit line we ran to get it working:
kinit --forwardable dwhitfield@IPA.TEST

The problem we still have is a topology I don’t think keycloak supports where we have another app sitting between keycloak and kafka and trying to pass the kerberos key through that. But I think what you are trying to do we got working.