Keycloak Connecting to MSAD LDAP Over SSL

gsmith · April 2, 2020, 12:00am

Unable to Connect to MSAD LDAP over SSL

Server Info:
Server Version 9.0.2 Standalone
Server Profile: Community
Operating System: CentOS 7 minimal Latest Virtual Machine 4 CPU, 6GB Memory, and 100GB Storage.
Java Version 1.8.0_242
Created a Service account on MSAD with Administrator Rights for Read/Write to User/s OU.

My issue is I need to write Password/Login Name attributes back to MSAD from Keycloak. The only way I see this happening is to enable LDAP over SSL.
My Active Directory contains a CA, Keycloak is configured to use Self-Signed certs with Nginx reverse proxy.

“User Federation” configuration and test connection:

“User Federation” configuration and test authentication:

Error shownin server.log.

I used the following link to configure my truststore.

https://www.keycloak.org/docs/latest/server_admin/#groups

And the SPI I added in the standalone.xml :

       >  <spi name="truststore">

          <provider name="file" enabled="true">
            <properties>
              <property name="file" 
               value="/opt/keycloak/keycloak.9.0.2/keystores/truststore.jks" />
              <property name="password" value="secret" />
              <property name="hostname-verification-policy" value="WILDCARD"/>
              <property name="disabled" value="false"/>
            </properties>
          </provider>
        </spi>

Certs in KeyStore as follow;

I’m unsure what to do at this point.
What I’ve tried was installing CA from MSAD to keycloak.Then I tried Installing Certs from Keycloak to MSAD, No joy.
During my research I have found the same problem as others had, but there solution gave me the same results.
Any advice or direction would be apperciated.
Thanks in advance

florian · April 3, 2020, 7:48am

Thank for posting that issue! I have the exact same issue you have and can’t get it to work.
I could add, that I tried to use different certificate formats to put it into the truststore

base64
der
and I also tried to insert the full chain to the truststore.
–> no success so far! I would love to fix that!

Taro · April 3, 2020, 4:36pm

Hello,

My suggestion to check whther an appropriate certificate was imported into truststore is below.
[1] openssl s_client -connect <ldap server’s IP>:636
[2] copy a part of result starting from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” . (This is aiming for the creation of ldap certificate.)
[3] paste it into a file with extension .cer.
[4] check whether each serial number in certificates between the imported one and the creation at step3 is the same.
[5] if not, import it into the truststore.
[6] restart keycloak service and try it again.

Regards,
Taro

gsmith · April 4, 2020, 3:26am

@Taro
Thank you for the reply, and I did as you suggested.

Executed “openssl s_client -connect <ldap server’s IP>:636”

2.paste it into a file with extension .cer made file called " Keycloak.cer" and imported it into the truststore.

Restarted keycloak, I have debuging on and no errors shown. I’m only get a error now when I test the Authentication on th Web UI.

Here are the log when i press Test Authentication

Not sure what i could be doing wrong. I went back over this documnetation.

https://www.keycloak.org/docs/latest/server_installation/#enabling-ssl-https-for-the-keycloak-server

And to figure out what I may have done wrong, no joy.

gist.github.com

https://gist.github.com/magnetikonline/0ccdabfec58eb1929c997d22e7341e45

README.md

# Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers

Microsoft active directory servers will default to offer LDAP connections over *unencrypted* connections (boo!).

The steps below will create a new self signed certificate appropriate for use with and thus enabling LDAPS for an AD server. Of course the "self-signed" portion of this guide can be swapped out with a real vendor purchased certificate if required.

Steps have been tested successfully with Windows Server 2012R2, but *should* work with Windows Server 2008 without modification. Requires a working OpenSSL install (ideally Linux/OSX) and (obviously) a Windows Active Directory server.

- [Create root certificate](#create-root-certificate)
- [Import root certificate into trusted store of domain controller](#import-root-certificate-into-trusted-store-of-domain-controller)

This file has been truncated. show original

Taro · April 4, 2020, 4:54pm

Hello gsmith,

Thank you for your time on the test.
From the message “No truststore provider found - using default SSLSocketFactory”, it seems the truststore(keycloak.jks) is not specified in standalone.xml, but did you specify it in standalone.xml like previous?
https://www.keycloak.org/docs/latest/server_installation/#_truststore
Taro

gsmith · April 6, 2020, 9:54pm

@Taro
Unfortunately when I tried that I received an error " No trustedstore provider Found- using default SSLSocketFactory"
I went back to my JAVA keystore ( cacerts) and imported my CA.cer, restarted services, this gave me a connection, but I still dont know why I wasnt able to change or redirect to a new keystore.

Thank you for your time, much appreciated.

claudioweiler · April 13, 2020, 6:38pm

The page https://www.keycloak.org/docs/latest/server_installation/#enabling-ssl-https-for-the-keycloak-server tells about how to secure server using ssl, so I assume that it do not use the configured keystore as truststore.
The preferred way of using truststore should be to add certificate to cacerts (or jssecacerts). Or you can start with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword.

gsmith · April 17, 2020, 2:31am

@claudioweiler
Thank you for the reply, much apperciated.
I have tried what you stated, and I was still unable to change Keystore.
I executed this;

https://www.keycloak.org/docs/latest/server_installation/#configure-keycloak-to-use-the-keystore

Keycloak still shows errors as I stated from above. Still unable to change keystore location. Right now I can only use Java Keystore (cacerts) on centOS 7.
I wonder if its because i have Nginx Reverse Proxy?

ema07cqc · April 24, 2020, 9:10pm

im using v8.0.2 on docker and i have the same issue.
made the same steps you did

regards.

claudioweiler · April 30, 2020, 7:27pm

If it works with cacerts, then truststore and certificate validation is ok.

But, again, your link is about securing server, not about truststore, correct link is https://www.keycloak.org/docs/latest/server_installation/#_truststore

gsmith · September 16, 2020, 3:55am

@claudioweiler
I solved my issue. This issue was in my standalone.xml. Instead of copy -n paste I typed it out, and by some dark magic it worked. Think I was trying to hard and over looked my mistake. Thank you for your reply.

lomrotem · April 26, 2021, 8:19am

@gsmith I think I have the same issue.
Can you explain the way to the solution? or maybe to explain the flow?
There are a lot of people who ask about the same point

gsmith · April 27, 2021, 1:43am

@lomrotem
Hello,

Its been a while but just to brief you on what I did was.

Creating Certificates was the first thing I did.
In my notes, I used these instructions.

Enable LDAP over SSL (LDAPS) for Microsoft

Next I configured used these instructions.

Outgoing HTTPS Request Truststore

I had to set the security-realms to my trusted store, make sure you dont Copy & paste , that was what my issue was.
I have Keycloak as a service on my server so all I had to do is systemctl restart keycloak and then fill out User Federation with LDAPS.
Hope that helps

vinayus · February 24, 2022, 3:53am

Is there a kubernetes way of handling this?
Via initcontainer and secret or any other way?

gsmith · February 24, 2022, 4:57am

Not that I know of, but I haven’t used Docker or any type of container.

Topic		Replies	Views
Connect keycloak to LDAP over SSL Configuring the server ldap	21	34717	October 3, 2024
LDAP authentication over SSL not working Configuring the server authentication , ldap	3	1745	April 26, 2023
Keycloak 13.01 LDAPS Authentication Issue Configuring the server ldap	0	354	May 27, 2021
LDAP authentication failed Configuring the server ldap	0	738	April 23, 2021
Configuring SSL with Active Directory Federation Securing applications authentication	0	416	November 30, 2022

Keycloak Connecting to MSAD LDAP Over SSL

Related topics