Keycloak Connecting to MSAD LDAP Over SSL

Unable to Connect to MSAD LDAP over SSL

Server Info:
Server Version 9.0.2 Standalone
Server Profile: Community
Operating System: CentOS 7 minimal Latest Virtual Machine 4 CPU, 6GB Memory, and 100GB Storage.
Java Version 1.8.0_242
Created a Service account on MSAD with Administrator Rights for Read/Write to User/s OU.

My issue is I need to write Password/Login Name attributes back to MSAD from Keycloak. The only way I see this happening is to enable LDAP over SSL.
My Active Directory contains a CA, Keycloak is configured to use Self-Signed certs with Nginx reverse proxy.

“User Federation” configuration and test connection:

“User Federation” configuration and test authentication:

Error shownin server.log.

I used the following link to configure my truststore.

https://www.keycloak.org/docs/latest/server_admin/#groups

And the SPI I added in the standalone.xml :

       >  <spi name="truststore">
          <provider name="file" enabled="true">
            <properties>
              <property name="file" 
               value="/opt/keycloak/keycloak.9.0.2/keystores/truststore.jks" />
              <property name="password" value="secret" />
              <property name="hostname-verification-policy" value="WILDCARD"/>
              <property name="disabled" value="false"/>
            </properties>
          </provider>
        </spi>

Certs in KeyStore as follow;

I’m unsure what to do at this point.
What I’ve tried was installing CA from MSAD to keycloak.Then I tried Installing Certs from Keycloak to MSAD, No joy.
During my research I have found the same problem as others had, but there solution gave me the same results.
Any advice or direction would be apperciated.
Thanks in advance

1 Like

Thank for posting that issue! I have the exact same issue you have and can’t get it to work.
I could add, that I tried to use different certificate formats to put it into the truststore

  • base64
  • der
    and I also tried to insert the full chain to the truststore.
    –> no success so far! I would love to fix that!
2 Likes

Hello,

My suggestion to check whther an appropriate certificate was imported into truststore is below.
[1] openssl s_client -connect <ldap server’s IP>:636
[2] copy a part of result starting from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” . (This is aiming for the creation of ldap certificate.)
[3] paste it into a file with extension .cer.
[4] check whether each serial number in certificates between the imported one and the creation at step3 is the same.
[5] if not, import it into the truststore.
[6] restart keycloak service and try it again.

Regards,
Taro

@Taro
Thank you for the reply, and I did as you suggested.

  1. Executed “openssl s_client -connect <ldap server’s IP>:636”

2.paste it into a file with extension .cer made file called " Keycloak.cer" and imported it into the truststore.

  1. Restarted keycloak, I have debuging on and no errors shown. I’m only get a error now when I test the Authentication on th Web UI.

Here are the log when i press Test Authentication

Not sure what i could be doing wrong. I went back over this documnetation.

https://www.keycloak.org/docs/latest/server_installation/#enabling-ssl-https-for-the-keycloak-server

And to figure out what I may have done wrong, no joy.

Hello gsmith,

Thank you for your time on the test.
From the message “No truststore provider found - using default SSLSocketFactory”, it seems the truststore(keycloak.jks) is not specified in standalone.xml, but did you specify it in standalone.xml like previous?
https://www.keycloak.org/docs/latest/server_installation/#_truststore
Taro

@Taro
Unfortunately when I tried that I received an error " No trustedstore provider Found- using default SSLSocketFactory"
I went back to my JAVA keystore ( cacerts) and imported my CA.cer, restarted services, this gave me a connection, but I still dont know why I wasnt able to change or redirect to a new keystore.

Thank you for your time, much appreciated.

The page https://www.keycloak.org/docs/latest/server_installation/#enabling-ssl-https-for-the-keycloak-server tells about how to secure server using ssl, so I assume that it do not use the configured keystore as truststore.
The preferred way of using truststore should be to add certificate to cacerts (or jssecacerts). Or you can start with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword.

@claudioweiler
Thank you for the reply, much apperciated.
I have tried what you stated, and I was still unable to change Keystore.
I executed this;

https://www.keycloak.org/docs/latest/server_installation/#configure-keycloak-to-use-the-keystore

Keycloak still shows errors as I stated from above. Still unable to change keystore location. Right now I can only use Java Keystore (cacerts) on centOS 7.
I wonder if its because i have Nginx Reverse Proxy?

1 Like

im using v8.0.2 on docker and i have the same issue.
made the same steps you did :frowning:

regards.

If it works with cacerts, then truststore and certificate validation is ok.

But, again, your link is about securing server, not about truststore, correct link is https://www.keycloak.org/docs/latest/server_installation/#_truststore

@claudioweiler
I solved my issue. This issue was in my standalone.xml. Instead of copy -n paste I typed it out, and by some dark magic it worked. Think I was trying to hard and over looked my mistake. Thank you for your reply.

@gsmith I think I have the same issue.
Can you explain the way to the solution? or maybe to explain the flow?
There are a lot of people who ask about the same point

@lomrotem
Hello,

Its been a while but just to brief you on what I did was.

Creating Certificates was the first thing I did.
In my notes, I used these instructions.

Enable LDAP over SSL (LDAPS) for Microsoft

Next I configured used these instructions.

Outgoing HTTPS Request Truststore

I had to set the security-realms to my trusted store, make sure you dont Copy & paste , that was what my issue was.
I have Keycloak as a service on my server so all I had to do is systemctl restart keycloak and then fill out User Federation with LDAPS.
Hope that helps

1 Like