[KERBEROS][SSO][WINDOWS AD] KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException

Hi

I’m trying to implement keycloak:12.0.4 under kubernetes to be able to authenticate to an application from my windows session on an AD domain member PC. I would like to leverage kerberos to have an SSO login.

My AD domain is coolcorp.priv

I have created a svc-key-sso service account in the directory

I have created a keytab via the following command

ktpass -out keycloak.keytab -princ HTTP/keycloak.coolcorp.priv@COOLCORP.PRIV -mapUser svc-key-sso@coolcorp.priv -pass mypassword -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

My keycloak server responds to the URL https://keycloak.coolcorp.priv

I was able to successfully configure an LDAP provider and import my users.
I have activated the Kerberos integration

Kerberos Realm: COOLCORP.PRIV

Server Principal: HTTP/keycloak.coolcorp.priv@COOLCORP.PRIV

KeyTab: /etc/config/keycloak.keytab

Use Kerberos For Password

In the authentication menu, if I leave kerberos and cookie as alternatives, I can authenticate with my AD account.

However, if I force kerberos and cookie, I get the following error message when I try to authenticate.

20:07:00,466 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=coolcorp, clientId=account-console, userId=null, ipAddress=192.168.10.45, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://keycloak.coolcorp.priv/auth/realms/coolcorp/account/#/, code_id=ef18b002-b691-4b34-aa42-40fa3cf8279d, response_mode=fragment, authSessionParentId=ef18b002-b691-4b34-aa42-40fa3cf8279d, authSessionTabId=9QddNNi2b2U
20:07:05,149 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-26) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [identity-provider-redirector]
20:07:05,150 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-26) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [identity-provider-redirector]
20:07:05,150 WARN [org.keycloak.services] (default task-26) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException

I tried a lot of settings. I can’t get kerberos/SSO to work

Could you help me or tell me what I could have missed.

Thanks