Browser not being prompted for CAC selection


joe averbeck

May 10, 2023, 2:19:34 PM
to Keycloak User
Good Afternoon,

I'm hoping someone can tell me what I'm missing.

I'm running into an issue where I am unable to get any browser to prompt me to select a certificate when hitting the login account page.

Log Error
2023-05-10 15:07:05,090 WARN  [org.keycloak.events] (executor-thread-20) type=LOGIN_ERROR, realmId=, clientId=account-console, userId=null,
ipAddress=, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=:,
code_id=, response_mode=fragment, authSessionParentId=, authSessionTabId=

Front-End Error: (instantly upon sign in)
We are sorry...
invalid username or password.

Environment: RHEL 9 using Podman and Postgres DB 
(trust store certs are .pem's converted to .jks using bash script in .txt)

I've set up x509 browser form flow and x509/Validate Username form and configs;
Created a user to match CN and tried alternate CN;
Created a trust store with correct Root and CA-# in the trust store;   



Please view the attached for settings info.
Please let me know if additional information is needed for troubleshooting.
X509FormConfig.PNG
Browserx509Config.PNG
RealmSettings.PNG
AuthenticationFlow.PNG
KeycloakSetupInfo.txt

joe averbeck

May 12, 2023, 8:30:35 AM
to Keycloak User
Figured it out, 

Needed to set KC_HTTPS_CLIENT_AUTH=required. After that it found the cert no problem and I was in. It did, however, break my reverse proxy, so will troubleshoot that later.
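One way to check the symptom and the fix from this thread at the TLS layer, as an added example that is not part of the original posts: a browser only offers a certificate picker when the server asks for a client certificate in the handshake, and `openssl s_client` shows whether it did and which CA names it advertised. The sample outputs and CA names below are constructed, and the `probe` argument is a placeholder for your own host:port.

```shell
#!/bin/sh
# Added example (not from the thread): read `openssl s_client` output and
# report whether the server asked for a client certificate.

# stdin: s_client output. Prints requested | none-advertised | unknown.
# "none-advertised" also covers a request sent with an empty CA list.
classify_client_auth() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^Acceptable client certificate CA names'; then
        echo requested
    elif printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
        echo none-advertised
    else
        echo unknown
    fi
}

# stdin: s_client output. Prints the CA subject names the server advertised,
# which should match the Root and issuing CAs loaded into the trust store.
advertised_cas() {
    awk '/^Acceptable client certificate CA names/ { on = 1; next }
         on && /^(---|Client Certificate Types|Requested Signature Algorithms)/ { on = 0 }
         on { print }'
}

# Live check; the host:port argument is a placeholder for your own server.
probe() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | classify_client_auth
}

# Constructed s_client excerpts: without and with client auth enabled.
SAMPLE_BEFORE='CONNECTED(00000003)
---
No client certificate CA names sent
---'
SAMPLE_AFTER='CONNECTED(00000003)
---
Acceptable client certificate CA names
C = US, O = Example, CN = Example Root CA
C = US, O = Example, CN = Example CA-1
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---'
```

If `probe` is pointed at a TLS-terminating reverse proxy, the result describes the proxy's handshake, not Keycloak's.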