No more Kerberos negotiate in the web browser after migration to Keycloak

Hello all,

Some infos:

  • Keycloak 25.0.6 bind to LDAP with groups and Users (Univention Server based on Debian)
  • Keycloak auth work with everything like Proxmox, Docker…
  • Clientsystems: Windows Server 2022, Kubuntu Desktop 24.04 LTS

As soon as I have logged in to Keycloak (SAML/SSO), the login to the web apps works via the Google Chrome browser in Linux. But I have to log in manually on the SSO Login page.
The default behavior is that the Kerberos ticket that is assigned when logging in to the desktop is also used to log in to Keycloak. But this does not seem to work under Linux. Under Windows it does what it should. For example, you click on SSO in the Docker administration and you are logged in. You can also see with “klist” that there is another entry.

Since the GSSAPI/Kerberosauth under Linux also works normally in the web browser (e.g. Apache, Wiki, etc.) I am surprised that the transfer of the Kerberostickets to Keycloak does not work. Here are the entries for the web browser Google Chrome:

cat /etc/opt/chrome/policies/managed/kerberos.json
{
     "AuthServerAllowlist": "*.osit.cc,*.iteas.at,*.styrion.net,*.iteas.lan,*.party.lan,*.styrion.lan,*.v-source.org",
     "AuthNegotiateDelegateAllowlist": "*.osit.cc,*.iteas.at,*.styrion.net,*.iteas.lan,*.party.lan,*.styrion.lan,*.v-source.org",
     "ExtensionSettings": {
          "*": {
               "installation_mode": "allowed"
          }
     }
}

The login in the browser is resolved with “https://ucs-sso-ng.osit.cc ”. Here are some important client configurations:

cat /etc/krb5.conf
[libdefaults]
    default_realm = OSIT.CC
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md4 des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
    allow_weak_crypto=true
    rdns = false

[realms]
OSIT.CC = {
   kdc = dc1.osit.cc dc2.osit.cc dc3.osit.cc
   admin_server = dc1.osit.cc
   kpasswd_server = dc1.osit.cc
}

cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo
domains = OSIT.CC

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/OSIT.CC]
auth_provider = krb5
krb5_realm = OSIT.CC
krb5_server = dc1.osit.cc,dc2.osit.cc
krb5_backup_server = dc3.osit.cc
krb5_kpasswd = dc1.osit.cc
id_provider = ldap
ldap_uri = ldap://dc1.osit.cc:7389,ldap://dc2.osit.cc:7389
ldap_backup_uri = ldap://dc3.osit.cc:7389
ldap_search_base = dc=osit,dc=cc
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/univention/ssl/ucsCA/CAcert.pem
cache_credentials = true
enumerate = true
ldap_default_bind_dn = XXX
ldap_default_authtok_type = password
ldap_default_authtok = XXX

I’ve also tested it with Firefox and Brave-Browser. Do you have any idea what else I need to configure so that Keycloak takes over the Kerberos login tickets?