Hi,
I have set up my Keycloak to integrate with LDAP and Kerberos for SSO. I have failed to log in and I'm getting the following errors.
1. I'm running Keycloak on top of Kubernetes.
2. I didn't configure krb5.conf. Should I?
3. I have found the following file: cat /etc/krb5.conf.d/crypto-policies
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
Should I add RC4 with HMAC?
4. How can I tell if the keytab was found?
14:23:31,516 INFO [stdout] (default task-20) principal is HTTP/auth.hunting.dudu.com@LAB.LOCAL
14:23:31,516 INFO [stdout] (default task-20) Will use keytab
14:23:31,517 INFO [stdout] (default task-20) Commit Succeeded
14:23:31,517 INFO [stdout] (default task-20)
14:23:31,519 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-20) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAs(Subject.java:423)
at org.keycloak.keycloak-kerberos-federation@9.0.0//org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.keycloak-ldap-federation@9.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:694)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:350)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:496)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:306)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:998)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:860)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:150)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:465)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:160)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:111)
at jdk.internal.reflect.GeneratedMethodAccessor741.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:35
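The error quoted above says the client's AP-REQ was encrypted with RC4-HMAC and no key of that type was found, so the question is what enctypes the keytab actually holds and whether the system crypto policy even permits them; `klist -kte <keytab>` shows this, and the following added example (not part of the original post and not Keycloak code) does the same check programmatically by parsing an MIT-format keytab and comparing the client's enctype against both the keytab and the permitted_enctypes list quoted above. The keytab bytes, the dummy key material and the `diagnose` helper are constructed for illustration.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / IANA); 23 is the RC4-HMAC type named in the error above.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def build_keytab(entries):
    """Constructed test data only: (principal, enctype, key) tuples -> MIT keytab 0x0502 bytes."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, key in entries:
        name, realm = principal.split("@")
        comps = [c.encode() for c in name.split("/")]
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        body += b"".join(struct.pack(">H", len(c)) + c for c in comps)
        body += struct.pack(">IIBHH", 1, 0, 1, enctype, len(key)) + key  # name_type, timestamp, vno8, enctype, keylen
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, enctype), ...] for every live entry of an MIT 0x0502 keytab (big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                      # negative size marks a deleted slot: skip its bytes
            pos -= size
            continue
        end, (ncomp, rlen) = pos + size, struct.unpack_from(">HH", data, pos)
        realm, pos, comps = data[pos + 4:pos + 4 + rlen].decode(), pos + 4 + rlen, []
        for _ in range(ncomp):
            clen = struct.unpack_from(">H", data, pos)[0]
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        enctype = struct.unpack_from(">9xH", data, pos)[0]  # skip name_type(4), timestamp(4), vno8(1)
        entries.append(("/".join(comps) + "@" + realm, enctype))
        pos = end                         # also skips the key and any trailing 32-bit kvno
    return entries

def diagnose(entries, principal, requested_enctype, permitted):
    """Classify why an AP-REQ using requested_enctype fails against this keytab and crypto policy."""
    have = {e for p, e in entries if p == principal}
    if requested_enctype not in have:
        return "not-in-keytab"
    return "ok" if ENCTYPE_NAMES.get(requested_enctype) in permitted else "policy-blocked"

PRINCIPAL = "HTTP/auth.hunting.dudu.com@LAB.LOCAL"  # service principal from the log above
PERMITTED = ("aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac "
             "aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac").split()
# Constructed keytab holding AES keys only; the key bytes are dummies, not real secrets.
SAMPLE_KEYTAB = build_keytab([(PRINCIPAL, 18, b"\x11" * 32), (PRINCIPAL, 17, b"\x22" * 16)])
```

A "not-in-keytab" result points at the keytab or the service account's key types, and is fixed by issuing keys of the type the clients actually negotiate rather than by widening the crypto policy; "policy-blocked" means the key is present but the host policy excludes it, which is exactly where adding RC4 would weaken the deployment instead of moving clients to AES.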