Hi, All!
I’m using MSSQL as a datasource for Keycloak, and I use Active Directory login to access this datasource. The auth protocol is Kerberos.
When I start Keycloak, it authenticates successfully; I see sessions on the MSSQL side, and I see requests coming in.
But after some time (it varies greatly, sometimes a couple of hours, sometimes days) I see failed login attempts in the application which uses Keycloak. And I see log messages in Keycloak which say “kerberos ticket expired”:
```json
"exceptionType": "sun.security.krb5.KrbException",
"message": "Ticket expired (32)",
"causedBy": {
  "exception": {
    "refId": 5,
    "exceptionType": "sun.security.krb5.Asn1Exception",
    "message": "Identifier doesn't match expected value (906)"
```
I made the ticket lifetime on the KDC side as small as possible (10 minutes), but this does not directly correlate with the issue: it may start appearing after hours or days, definitely not minutes.
This makes me conclude that after some time Keycloak tries to obtain a new session ticket with an already expired TGT.
I would expect it to first obtain a new ticket, but Keycloak doesn’t do that.
Has anybody observed this behavior? What troubleshooting steps would you advise to understand what triggers such requests?
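As a starting point for the troubleshooting asked about above, here is an added example (not code from the original post, nor from Keycloak or the MSSQL JDBC driver): a small Python scanner that reads Keycloak's JSON console log, walks each record's nested `exception` / `causedBy` chain, picks out the records whose chain contains the `sun.security.krb5.KrbException` "Ticket expired" failure, and reports how long after process start each one occurred so it can be compared with the KDC's ticket lifetime and renewable lifetime. It assumes the Quarkus-style JSON log layout Keycloak emits (one object per line with `timestamp`, `level`, `message` and an `exception` object); the sample records are constructed, and the outer `java.sql.SQLException` / `javax.security.auth.login.LoginException` layers wrapping the KrbException are assumed for illustration.

```python
"""Scan Keycloak JSON console logs for Kerberos ticket-expiry failures.

Added example; not code from the original post, Keycloak or the JDBC driver.
Assumes Keycloak's JSON log output (Quarkus style): one JSON object per line
with "timestamp", "level", "message" and, on errors, an "exception" object
whose nested "causedBy": {"exception": ...} entries form the cause chain.
All log records below are constructed for illustration.
"""
import json
from datetime import datetime

KRB_EXCEPTION = "sun.security.krb5.KrbException"
TICKET_EXPIRED_PREFIX = "Ticket expired"


def _chain(*links):
    """Build the nested exception/causedBy structure from (type, message) pairs,
    outermost first, numbering refId from 1 the way the log in the question does."""
    node = None
    for ref_id, (etype, msg) in reversed(list(enumerate(links, start=1))):
        exc = {"refId": ref_id, "exceptionType": etype, "message": msg}
        if node is not None:
            exc["causedBy"] = {"exception": node}
        node = exc
    return node


# Constructed sample: a startup line, a healthy datasource line, then the
# failure from the question wrapped in two assumed outer exception layers.
SAMPLE_RECORDS = [
    {"timestamp": "2024-03-01T08:00:00.000Z", "level": "INFO",
     "message": "Keycloak started"},
    {"timestamp": "2024-03-01T08:00:05.000Z", "level": "INFO",
     "message": "Datasource <default>: connection acquired"},
    {"timestamp": "2024-03-03T02:17:41.000Z", "level": "ERROR",
     "message": "Failed to obtain JDBC Connection",
     "exception": _chain(
         ("java.sql.SQLException", "Unable to acquire JDBC Connection"),         # assumed layer
         ("javax.security.auth.login.LoginException", "Kerberos Login failed"),  # assumed layer
         (KRB_EXCEPTION, "Ticket expired (32)"),                                 # from the question
         ("sun.security.krb5.Asn1Exception",
          "Identifier doesn't match expected value (906)"))},                    # from the question
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)


def _records(log_text):
    """Yield parsed JSON records, skipping blank and non-JSON lines (JVM banners etc.)."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def cause_chain(exc):
    """Flatten exception -> causedBy -> exception ... into [(type, message), ...]."""
    out = []
    while exc:
        out.append((exc.get("exceptionType", ""), exc.get("message", "")))
        exc = exc.get("causedBy", {}).get("exception")
    return out


def parse_ts(value):
    """Keycloak writes ISO-8601 with a trailing Z; normalise it for fromisoformat()."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_ticket_expiry(log_text):
    """Return one dict per record whose cause chain contains a KrbException
    'Ticket expired': when it happened, the full chain, and the innermost
    (root) cause, which is the string to look for in krb5 debug / KDC logs."""
    hits = []
    for rec in _records(log_text):
        chain = cause_chain(rec.get("exception"))
        if any(t == KRB_EXCEPTION and m.startswith(TICKET_EXPIRED_PREFIX)
               for t, m in chain):
            hits.append({"timestamp": parse_ts(rec["timestamp"]),
                         "chain": chain, "root_cause": chain[-1]})
    return hits


def seconds_since_start(log_text, hits):
    """Seconds between the first log record (process start) and each hit.
    Compare this with the KDC ticket lifetime and renewable lifetime to see
    whether the failure lines up with a ticket boundary."""
    first = parse_ts(next(_records(log_text))["timestamp"])
    return [(h["timestamp"] - first).total_seconds() for h in hits]


if __name__ == "__main__":
    found = find_ticket_expiry(SAMPLE_LOG)
    for hit, age in zip(found, seconds_since_start(SAMPLE_LOG, found)):
        print(f"{hit['timestamp']}  {age / 3600:.1f}h after start  "
              f"root cause: {hit['root_cause']}")
```

Pointing `find_ticket_expiry` at a real Keycloak JSON log (`--log-console-output=json`, or the file log in the same format) and plotting the returned timestamps against the KDC's ticket lifetime is a cheap way to test the hypothesis in the question: if the gaps cluster just past the renewable lifetime rather than the 10-minute ticket lifetime, that points at the cached TGT no longer being renewable rather than at the service-ticket lifetime.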