Re: Keycloak - Kerberos Setup problems


Elliot Jenks

Jun 3, 2024, 12:40:49 PM
to Keycloak User
My pictures seem to have glitched.

AD User settings (service user):
Made sure to set these settings: 
image.png

keycloak configuration:
image (1).png
--
Elliot J Jenks
DevOps Engineer

Information Technology
elliot...@colonialelectric.com
Colonial Electric Supply

On Thu, May 23, 2024 at 1:51 PM Elliot Jenks <elliot...@colonialelectric.com> wrote:
Hello All, 

We are starting to use Keycloak at my organization and need Kerberos SSO. We use Active Directory, so we already have a lot of the infrastructure, but I am consistently getting the following error message when I try to authenticate using Kerberos.
You can see in the output that the token is coming through and it's a Kerberos token, so I'm pretty sure the client device is configured correctly.
Error Message:

2024-05-23 14:45:19,213 TRACE [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-32) SPNEGO Login with token: YIIH9QYGKwYBBQUCoIIH6TCCB... (most of token removed)
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /etc/keycloakdqa.keytab refreshKrb5Config is false principal is  
HTTP/keycloakd...@TEST.CO tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is  HTTP/keycloakd...@TEST.CO
Will use keytab
Commit Succeeded
2024-05-23 14:45:19,213 TRACE [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-32) Going to establish securitycontext
2024-05-23 14:45:19,215 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-32) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) -
Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:716)
        at java.base/javax.security.auth.Subject.doAs(Subject.java:439)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:69)
        at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:757)
        at org.keycloak.storage.UserStorageManager.getUserByCredential(UserStorageManager.java:153)
        at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByCredential(UserCacheSession.java:551)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:88)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:445)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:271)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1028)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:885)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:153)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
        at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:864)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
        at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:911)
        at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:558)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:168)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:131)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:121)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        ... 25 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96
        at java.security.jgss/sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
        at java.security.jgss/sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
        at java.security.jgss/sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:139)
        at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:837)
        ... 35 more
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
2024-05-23 14:45:19,215 TRACE [org.keycloak.storage.ldap.LDAPStorageProvider] (executor-thread-32) SPNEGO Handshake not successful
2024-05-23 14:45:19,215 TRACE [org.keycloak.storage.UserStorageManager] (executor-thread-32) Did not authenticate user by provider 'LDAPStorageProvider - ldap' with the credential type 'kerberos'. Will try to fallback to other user storage providers
2024-05-23 14:45:19,215 WARN  [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (executor-thread-32) Received kerberos token, but there is no user storage provider that handles kerberos credentials.
2024-05-23 14:45:19,215 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-32) authenticator ATTEMPTED: auth-spnego


Setup Information:
I mostly followed this guide: Server Administration Guide (keycloak.org)
Note: I switched out the actual domain with a fake one

DockerFile:


RUN echo "Installing and copying libraries..."

# Install packages to ubi micro build
RUN mkdir -p /mnt/rootfs
RUN dnf install --installroot /mnt/rootfs krb5-workstation krb5-libs vim procps iputils --releasever 9 --setopt install_weak_deps=false --nodocs -y && \
    dnf --installroot /mnt/rootfs clean all && \
    rpm --root /mnt/rootfs -e --nodeps setup

RUN echo "Building Keycloak..."


WORKDIR /opt/keycloak

# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

RUN /opt/keycloak/bin/kc.sh build


COPY --from=ubi-micro-build /mnt/rootfs /

COPY --from=builder /opt/keycloak/ /opt/keycloak/

# switch to root user and give keycloak permissions on /var/log/

USER root

RUN chown -R keycloak /var/log/

USER keycloak

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

krb5.conf:

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.CO
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 allow_weak_crypto = true
 rdns = false

[realms]
 TEST.CO = {
  kdc = sv1.test.co
  admin_server = sv1.test.co
 }

[domain_realm]

[appdefaults]
  forwardable = true

AD User settings (service user):
username: keycloakdqa
User UPN Login: HTTP/keycloakd...@TEST.CO
also made sure to check the following two options:

image.png

keytab generated using:

ktpass -princ HTTP/keycloakd...@TEST.CO -mapUser keycl...@TEST.CO -pass <password> -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -kvno 0 -out C:\Users\Public\Documents\keycloakdqa.keytab

and then transferred to the Linux server running the container and passed into the container

keycloak configuration:
image.png

Testing Kerberos/keytab/krb5:
Going onto the Docker container with

docker exec -it keycloak bash

I can run:

kinit -fV -t /etc/keycloakdqa.keytab HTTP/keycloakdev.test.co

keytab specified, forcing -k
Using default cache: /tmp/krb5cc_1000
Using principal: HTTP/keycloakd...@TEST.CO
Using keytab: /etc/keycloakdqa.keytab
Authenticated to Kerberos v5

klist

Valid starting       Expires              Service principal
05/23/2024 17:05:57  05/24/2024 03:05:57  krbtgt/TES...@TEST.CO
        renew until 05/30/2024 17:05:57


HTTP/keycloakd...@TEST.CO: kvno = 7

I also confirmed that this matches AD's kvno.

Any and all suggestions will be appreciated at this point. Have tried a lot of different keytabs, different accounts, tweaking configuration and so on and consistently get the same error.

--
Elliot Jenks
DevOps Engineer
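The error in the trace above, as an added diagnostic that is not part of this thread: Java's acceptor reports "Cannot find key of appropriate type" when the keytab holds no entry for the requested service principal with the ticket's enctype (here 18, aes256-cts-hmac-sha1-96) and kvno, and a successful kinit only proves that some key in the keytab is valid against the KDC, not that this particular one is present. The script below parses an MIT keytab and reports which entries could decrypt such an AP-REQ; the keytab it runs on is constructed inline with a hypothetical SPN and dummy key bytes (not the poster's file), and on a real file `klist -kte /etc/keycloakdqa.keytab` shows the same principal, kvno and enctype columns.

```python
import struct
AES256_SHA1 = 18  # enctype aes256-cts-hmac-sha1-96 (RFC 3962), the one named in the AP-REQ error

def _cstr(data, pos):  # counted octet string: uint16 length, then bytes -> (bytes, new_pos)
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502, big-endian) into (principal, kvno, enctype) tuples."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # negative size marks a deleted entry: skip its bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos)
            comps.append(c.decode())
        # skip uint32 name_type and uint32 timestamp, then read vno8, enctype and key length
        vno8, enctype, klen = struct.unpack_from(">BHH", data, pos + 8)
        pos += 13 + klen  # the key material itself is not needed for this check
        # an optional trailing 32-bit kvno overrides the 8-bit field when it is non-zero
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def usable_keys(entries, spn, enctype=AES256_SHA1, kvno=None):
    """Entries that could decrypt an AP-REQ for spn with this enctype (and kvno, if the ticket's is known)."""
    return [e for e in entries if e[0] == spn and e[2] == enctype and (kvno is None or e[1] == kvno)]

def build_keytab(entries):
    """Constructed helper: write a 0x0502 keytab so the check runs offline; key bytes are dummy zeros."""
    out = b"\x05\x02"
    for spn, kvno, enctype in entries:
        name, realm = spn.split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        key = b"\x00" * (32 if enctype == AES256_SHA1 else 16)
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample, not the poster's keytab: RC4 (23) and AES128 (17) keys for the SPN, but no AES256 key
SAMPLE = build_keytab([("HTTP/kc.example.test@EXAMPLE.TEST", 7, 23), ("HTTP/kc.example.test@EXAMPLE.TEST", 7, 17)])
```

`usable_keys(parse_keytab(SAMPLE), "HTTP/kc.example.test@EXAMPLE.TEST")` returns an empty list for the sample, which is the situation the Java acceptor reports; a keytab written with an AES256 entry for the same SPN and kvno returns that entry.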
