[KERBEROS][SSO][WINDOWS AD] KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException

Hi

I’m trying to implement keycloak:12.0.4 under kubernetes to be able to authenticate to an application from my windows session on an AD domain member PC. I would like to leverage kerberos to have an SSO login.

My AD domain is coolcorp.priv

I have created a svc-key-sso service account in the directory

I have created a keytab via the following command

ktpass -out keycloak.keytab -princ HTTP/keycloak.coolcorp.priv@COOLCORP.PRIV -mapUser svc-key-sso@coolcorp.priv -pass mypassword -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

My keycloak server responds to the URL https://keycloak.coolcorp.priv

I was able to successfully configure an LDAP provider and import my users.
I have activated the Kerberos integration

Kerberos Realm: COOLCORP.PRIV

Server Principal: HTTP/keycloak.coolcorp.priv@COOLCORP.PRIV

KeyTab: /etc/config/keycloak.keytab

Use Kerberos For Password

In the authentication menu, if I leave kerberos and cookie as alternatives, I can authenticate with my AD account.

However, if I force kerberos and cookie, I get the following error message when I try to authenticate.

20:07:00,466 WARN [org.keycloak.events] (default task-21) type=LOGIN_ERROR, realmId=coolcorp, clientId=account-console, userId=null, ipAddress=192.168.10.45, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://keycloak.coolcorp.priv/auth/realms/coolcorp/account/#/, code_id=ef18b002-b691-4b34-aa42-40fa3cf8279d, response_mode=fragment, authSessionParentId=ef18b002-b691-4b34-aa42-40fa3cf8279d, authSessionTabId=9QddNNi2b2U
20:07:05,149 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-26) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [identity-provider-redirector]
20:07:05,150 WARN [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-26) REQUIRED and ALTERNATIVE elements at same level! Those alternative executions will be ignored: [identity-provider-redirector]
20:07:05,150 WARN [org.keycloak.services] (default task-26) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException

I tried a lot of settings. I can’t get Kerberos/SSO to work.

Could you help me or tell me what I could have missed?

Thanks
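As an added example (not from the original post and not Keycloak's own code), a small Python parser for the MIT keytab format that ktpass writes. It checks that the keytab actually contains the exact Server Principal and the AES256 enctype configured above, which is the first thing to verify when the Kerberos authenticator fails with invalid_user_credentials. The sample keytab is constructed inline with dummy zero key bytes.

```python
# Parse an MIT-format (v5.02) keytab, the format ktpass writes, and check that it holds
# the principal and enctype Keycloak is configured with. The sample keytab is constructed.
import struct

AES256 = 18  # RFC 3961 enctype number written by ktpass -crypto AES256-SHA1

def _cstr(data, off):
    """Read a counted octet string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype, kvno), ...] for every entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 5.02 keytab")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted slot; zero means nothing follows
            if size == 0:
                break
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (etype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _cstr(data, off + 11)
        # the trailing 32-bit kvno is optional; fall back to the 8-bit field
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), etype, kvno))
        off = end
    return entries

def check_keytab(data, server_principal, enctype=AES256):
    """True if the keytab has a key for server_principal with that enctype."""
    return any(p == server_principal and e == enctype for p, e, _ in parse_keytab(data))

def build_entry(principal, enctype, kvno, key):
    """Serialise one keytab entry (used only to construct the sample below)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one AES256 key (dummy zero bytes) for the HTTP SPN from the question
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/keycloak.coolcorp.priv@COOLCORP.PRIV", AES256, 3, bytes(32))
```

Run it against the real file with `check_keytab(open("/etc/config/keycloak.keytab", "rb").read(), "HTTP/keycloak.coolcorp.priv@COOLCORP.PRIV")`; a mismatch in principal case, realm, or enctype is a common cause of the flow failing even though the LDAP side works.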


Did you find anything?