SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)


Bruno Martins

Sep 16, 2021, 6:58:32 AM
to Keycloak User
Hello team,

We're having the mentioned error while trying to access our Keycloak server with Kerberos SSO.

LDAP authentication is working correctly, we're just not automatically authenticated when using a Windows domain-joined computer.

Our configuration:

[three screenshots of the Keycloak configuration: keycloak1.png, Screenshot from 2021-09-10 18-36-23.png, Screenshot from 2021-09-10 18-38-31.png]

Additional error from trace:
2021-09-10 18:30:50,117 WARN  [org.keycloak.events] (default task-578) type=LOGIN_ERROR, realmId=Test_Kerberos, clientId=account, userId=null, ipAddress=x.x.x.x, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code

Our kerberos config file:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = OURDOMAIN.COM

[realms]
EXAMPLE.COM = {
#  admin_server = kerberos.example.com
# }
  admin_server = domaincontroller.ourdomain.com
}

[domain_realm]

We have also completed group policy configuration, such as our Keycloak server is in Windows clients' IE intranet zone and "Automatically logon using logged on user credentials".

NOTE: We're using an Apache reverse proxy to reach the Keycloak server. Is there any special configuration needed there?

Can you please help us?

Kind regards,

Bruno Martins

Michael Wagner

Sep 17, 2021, 3:02:34 AM
to Keycloak User
I seem to have exactly the same problem. Keycloak in Domain Mode behind a reverse Proxy. Login via AD is working as expected, but Kerberos seems to be not working. As I am on Centos 8.4, there is no easy option to install freeipa-client, so I used the ipa-client from the repository. Keytab is working, since kinit and klist are getting the correct results, when I use them with the same settings as provided in the Keycloak GUI.
While examining a bit deeper, I don't see any connection from the Keycloak server to our AD via Kerberos Ports. I assume that there is something missing on the Keycloak server. How does the Keycloak server know what krb5.conf file to use? There is no possibility to set this in the GUI. Must the krb5.conf file be in a certain place of the filesystem to be able to be used by Keycloak?

Bruno Martins

Jun 14, 2022, 11:44:27 AM
to Keycloak User
Dear all,

Did someone make this work? We are still stuck on this issue.

Thank you in advance!

Evan Schnell

Jun 14, 2022, 9:29:45 PM
to Keycloak User
I've generally had success with this on containers running in podman, though I have not tested heavily on quarkus-based container yet.

Are you running in a container or are you running in the JDK on the host? Which version of Keycloak are you using?

I found that this link was useful in assigning the spn to a service user and creating a keytab for that user: https://www.ibm.com/docs/en/was/9.0.5?topic=server-creating-kerberos-service-principal-name-keytab-file

Make sure the aes256 encryption type is enabled for your AD server and the service user. I assume you set the keycloak realm to OURDOMAIN.COM in the keycloak gui.

_evan

Bruno Martins

Jun 16, 2022, 11:18:45 AM
to Evan Schnell, Keycloak User

Dear Evan,

Thanks for your reply!

We have Keycloak 12.0.4 running in standalone mode on RHEL 7. The JDK version used is Red Hat OpenJDK 64-Bit Server VM 11.0.14.1+1-LTS.

The AD service account used in the deployment has the AES256 encryption method defined and I can see that it is being used correctly by testing our keytab file using klist and looking at the logs it generates.

The problem is really with the Keycloak part. It still fails with the following error:

2022-06-16 15:53:05,838 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-467) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Kind regards,

Bruno

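The "GSSHeader did not find the right tag" message means the token Keycloak received does not begin with the GSS-API InitialContextToken tag (0x60) that SPNEGO requires; a frequent cause is that the browser fell back to NTLM because it could not obtain a Kerberos ticket for the host name in the URL. The following is an added example, not code from the thread or from Keycloak, that classifies the token in a captured Authorization header; both sample tokens are constructed.

```python
import base64
import re

# DER encoding of the SPNEGO mechanism OID 1.3.6.1.5.5.2, which a GSS-API
# InitialContextToken carries right after its 0x60 tag and length.
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")
NTLM_SIGNATURE = b"NTLMSSP\x00"

# Constructed sample tokens (not captured from the thread). The SPNEGO one is a
# minimal InitialContextToken: 0x60, length 0x0a, the OID, then an empty body.
SAMPLE_SPNEGO_B64 = base64.b64encode(b"\x60\x0a" + SPNEGO_OID_DER + b"\xa0\x00").decode()
# A constructed NTLM Type 1 prefix: signature, message type 1, some flags.
SAMPLE_NTLM_B64 = base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()


def classify_negotiate_token(token_b64):
    """Return 'spnego', 'ntlm' or 'unknown' for the base64 payload of an
    'Authorization: Negotiate ...' header."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLM_SIGNATURE):
        return "ntlm"
    # Java's GSSHeader expects the first byte to be the 0x60 APPLICATION tag;
    # anything else produces "GSSHeader did not find the right tag".
    if raw[:1] == b"\x60" and SPNEGO_OID_DER in raw[:16]:
        return "spnego"
    return "unknown"


def diagnose(authorization_header):
    """Map a captured Authorization header to a short diagnosis for the
    'Defective token detected' error seen in the thread."""
    m = re.match(r"Negotiate\s+(\S+)", authorization_header)
    if not m:
        return "unknown: no Negotiate token in header"
    kind = classify_negotiate_token(m.group(1))
    if kind == "ntlm":
        return ("ntlm: browser fell back to NTLM, typically because it could not get a "
                "ticket for HTTP/<host in URL>; check the SPN for the proxy FQDN")
    if kind == "spnego":
        return "spnego: token is well-formed; check keytab and SPN on the Keycloak side"
    return "unknown: token is neither SPNEGO nor NTLM"
```

In a browser's network panel or a proxy access log, an NTLM token is also recognisable by the base64 prefix TlRMTVNTUAAB.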

Bruno Martins

Jun 17, 2022, 4:51:35 AM
to Evan Schnell, Keycloak User

Hi Evan,

We have managed to fix the issue!

This document explains the problem very well:

https://access.redhat.com/solutions/3269271

In our case, we were missing the Reverse Proxy FQDN in the SPN list of the Java service account.

Thank you all!

Bruno

Nicolai Ehemann

Aug 12, 2022, 4:31:24 AM
to Keycloak User
Hi,
I have got the same problem. Good to hear you solved it; unfortunately, the solution at Red Hat is only visible for subscribers. Could you explain or copy the relevant parts to here? Thank you very much!

Nico

Bruno Martins

Aug 12, 2022, 5:03:28 AM
to Nicolai Ehemann, Keycloak User

Hi Nico,

Here it is.

Make sure to have a valid SPN configured in the keytab:

  • the Resource URL must use a server name that matches an AD SPN (example: HTTP/server1.dev...@DEV.EXAMPLE.COM )
  • if using an LB (Load Balancer) to access the resource URL, then add an extra SPN to the keytab so that the server name matches the SPN to configure for the LB VIP (example: HTTP/lbvip.dev....@DEV.EXAMPLE.COM )
  • the same server name must have DNS which resolves to the intended server
  • the URL must be in the browser intranet zone settings

Cheers!
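The checklist above comes down to one rule: every host name a browser might put in the URL (the reverse proxy or load balancer FQDN as well as the backend host) needs a matching HTTP/<host>@REALM principal in the keytab, registered on the same AD service account. The following is an added example, not code from the thread, that parses `klist -k` output and reports which host names have no matching keytab entry; the klist output, host names and realm are constructed sample values.

```python
import re

# Constructed sample of `klist -k` output (not from the thread): the keytab only
# carries the backend host's SPN, while users reach Keycloak through a proxy.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/etc/keycloak/keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/keycloak-backend.ourdomain.com@OURDOMAIN.COM
   4 HTTP/keycloak-backend.ourdomain.com@OURDOMAIN.COM
"""

# Host names a browser may use to reach the service (assumed values).
BROWSER_HOSTNAMES = ["sso.ourdomain.com", "keycloak-backend.ourdomain.com"]
REALM = "OURDOMAIN.COM"

# One keytab entry per line: KVNO, whitespace, principal. The same principal
# appears once per encryption type, so results are collected into a set.
ENTRY_RE = re.compile(r"^\s*\d+\s+(\S+)\s*$", re.MULTILINE)


def keytab_principals(klist_output):
    """Principals present in a keytab, taken from `klist -k` text."""
    return set(ENTRY_RE.findall(klist_output))


def missing_http_spns(klist_output, hostnames, realm):
    """Host names for which the keytab has no HTTP/<host>@REALM entry.
    The host part is compared case-insensitively; the realm is not, because
    Kerberos realm names are case-sensitive."""
    present = set()
    for principal in keytab_principals(klist_output):
        name, _, principal_realm = principal.rpartition("@")
        present.add((name.lower(), principal_realm))
    return [h for h in hostnames if (f"HTTP/{h}".lower(), realm) not in present]


def report(klist_output, hostnames, realm):
    """Human-readable summary listing the principals that still have to be
    added (as SPNs on the AD service account, then to the keytab)."""
    missing = missing_http_spns(klist_output, hostnames, realm)
    if not missing:
        return "keytab covers every host name"
    return "missing keytab SPNs: " + ", ".join(f"HTTP/{h}@{realm}" for h in missing)
```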