Problem with Active Directory integration - Kerberos

Hi,
I have set up my keycloak to integrate with LDAP and Kerberos for SSO. I have failed to log in and I’m getting the following errors.

  1. I’m running keycloak on top of Kubernetes
  2. I didn’t configure krb5.conf - Should I?
  3. I have found the following file: cat /etc/krb5.conf.d/crypto-policies
     permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac
     Should I add RC4 with HMAC?
  4. How can I tell if the keytab was found?

14:23:31,516 INFO [stdout] (default task-20) principal is HTTP/auth.hunting.dudu.com@LAB.LOCAL
14:23:31,516 INFO [stdout] (default task-20) Will use keytab
14:23:31,517 INFO [stdout] (default task-20) Commit Succeeded
14:23:31,517 INFO [stdout] (default task-20)
14:23:31,519 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-20) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAs(Subject.java:423)
at org.keycloak.keycloak-kerberos-federation@9.0.0//org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.keycloak-ldap-federation@9.0.0//org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:694)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:350)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:496)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:306)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:998)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:860)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:150)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:465)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:160)
at org.keycloak.keycloak-services@9.0.0//org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:111)
at jdk.internal.reflect.GeneratedMethodAccessor741.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:138)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:517)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:406)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:370)
at org.jboss.resteasy.resteasy-jaxrs@3.9.1.Final//org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:35

I’m getting the exact same error. I have an Active Directory domain but am not using Kubernetes.

I know this isn’t helpful, but I’ve had the same issue (both on Kubernetes and local Docker).

It appears to work on keycloak:7.0.0, but none of the images after. I did notice the “base image” that is used to build the keycloak image changes after 7.0.0, so I suspect that could have something to do with it?

From googling, that error seems to deal more with the app not having permissions to the keytab file? (If you just put garbage in the text box, you’ll get the same error, which leads me to believe it’s not actually being parsed.)

I have managed to overcome this problem by adding “rc4-hmac” to the crypto-policies file.

Awesome to hear! Are you manually adding it, or creating your own image?

In case anyone finds this via Google: I added the rc4-hmac and had no luck. I ended up redoing my keytab following the instructions here

and am now up and running

Dear all,

I am facing the same issue, but this time the issue is a little different.

11:21:27,509 TRACE [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-1) Going to establish security context
11:21:27,643 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-1) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAs(Subject.java:423)
at org.keycloak.keycloak-kerberos-federation@9.0.5.redhat-00001//org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.keycloak-ldap-federation@9.0.5.redhat-00001//org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:701)
at org.keycloak.keycloak-services@9.0.5.redhat-00001//org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:365)
at org.keycloak.keycloak-services@9.0.5.redhat-00001//org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)
at org.keycloak.keycloak-services@9.0.5.redhat-00001//org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:438)

Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed
Caused by: KrbException: Checksum failed
at java.security.jgss/sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
at java.security.jgss/sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
at java.security.jgss/sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:180)
at java.security.jgss/sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
Caused by: java.security.GeneralSecurityException: Checksum failed
at java.security.jgss/sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
at java.security.jgss/sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
11:21:27,650 INFO [stdout] (default task-1) [Krb5LoginModule]: Entering logout
11:21:27,650 INFO [stdout] (default task-1) [Krb5LoginModule]: logged out Subject
11:21:27,650 TRACE [org.keycloak.storage.ldap.LDAPStorageProvider] (default task-1) SPNEGO Handshake not successful
11:21:27,702 WARN [org.keycloak.services] (default task-1) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException
at org.keycloak.keycloak-services@9.0.5.redhat-00001//org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:489)
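The three outcomes in this thread (the AP-REQ uses an enctype with no matching keytab key, the key exists but the crypto policy excludes it, and the key exists but the checksum fails) can be told apart by reading the keytab directly. The following is an added example, not code from the thread or from Keycloak: it parses the MIT keytab format, builds a constructed sample keytab for the SPN shown in the first post with a dummy key, and classifies the failure against a `permitted_enctypes` line such as the one from crypto-policies (enctype 23 is rc4-hmac, 18 is aes256-cts-hmac-sha1-96). The classification names are my own.

```python
import struct
# Kerberos enctype numbers (RFC 3961/3962/4757) and their krb5.conf names (subset)
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
def _cstr(buf, off):  # counted octet string: uint16 big-endian length, then bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):  # MIT keytab (2-byte header 0x0502) -> [(principal, kvno, enctype)]
    off, entries = 2, []
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size < 0:  # a negative size marks a deleted slot of that many bytes
            off -= size
            continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8, etype = struct.unpack_from(">IIBH", data, off)
        _key, off = _cstr(data, off + 11)
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0  # optional 32-bit kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), vno32 or vno8, etype))
        off = end
    return entries

def build_keytab(entries):  # writes the same format; used here only to construct sample input
    pstr = lambda b: struct.pack(">H", len(b)) + b
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.split("@")
        comps = [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(comps)) + pstr(realm.encode()) + b"".join(map(pstr, comps))
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + pstr(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample (dummy all-zero key, not a real secret): the page's SPN with an AES256 key only
SAMPLE_KEYTAB = build_keytab([("HTTP/auth.hunting.dudu.com@LAB.LOCAL", 3, 18, bytes(32))])
def diagnose(keytab, principal, permitted_enctypes, requested_etype):
    have = {e for p, _, e in parse_keytab(keytab) if p == principal}
    if not have:
        return "no-key-for-principal"  # keytab unreadable, or SPN differs from the configured principal
    if requested_etype not in have:
        return "missing-in-keytab"  # keytab was generated without this enctype
    if ENCTYPES.get(requested_etype) not in permitted_enctypes.split():
        return "blocked-by-crypto-policy"  # key is there but permitted_enctypes excludes it
    return "key-usable"  # if it still fails with "Checksum failed", compare kvno/password with the KDC
```

On a real host the same information comes from `klist -k -e -t /path/to/keytab`; the parser is here so the check runs offline against the constructed sample.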