I am trying to get SSO working using a browser (Chrome or Firefox) and Keycloak configured with a user federation AD domain (Kerberos is configured).
First I present an overview of what I have, and after that I add more details.
The overview:
Calling the authorization endpoint ".../auth/realms/test_realm/protocol/openid-connect/auth" and using tcpdump I can see:
The browser sends a GET request to the authorization endpoint with the necessary parameters.
Keycloak responds correctly:
- with a 401 Unauthorized
- with the header "WWW-Authenticate: Negotiate"
The browser sends, I think correctly, a new GET request:
- with "Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw=="
This is sending the SPNEGO token.
Keycloak responds with a "200 OK", but with the login page and no token or the callback URL. I have no errors in the Keycloak log.
Q: What is Keycloak supposed to respond here? Should it send to the callback URL with some cookies like KEYCLOAK_IDENTIT and KEYCLOAK_SESSION, right? With these cookies I can call the token endpoint to get the token to use in the application.
Q: Any idea what is missing? I know there are a lot of pieces, but maybe something obvious is missing.
When doing a manual login I call a login-actions/authenticate endpoint that returns the cookies KEYCLOAK_IDENTIT and KEYCLOAK_SESSION, which I can then use to call the token endpoint and get the token.
I am using the same user as the one logged in from the test domain, so I know Keycloak can authenticate the tested user.
Now with more details:
To configure Keycloak I followed the official docs from https://www.keycloak.org/docs/latest/server_admin/
On the Windows client machine (browser Chrome or Firefox, tested both):
- I have added the URL to the whitelist
- I am calling the authorization endpoint with the needed parameters
On the Windows Server 2019 AD domain:
- I have created a keytab file using:
ktpass /out testdomainlocal_keytab_file.keytab /princ HTTP/keycloak.testdomain.local@testdomain.local /mapuser keycloak_kerberos /pass "somepass" /crypto All /ptype KRB5_NT_PRINCIPAL /kvno 1
- The user keycloak_kerberos exists in my test domain
On Linux RHEL 8.8 I have Keycloak 22.01:
- Added the Linux machine to the test domain using "realm join"
- Set up the user federation for an LDAP AD that can manually authenticate the LDAP test user
- Activated the Kerberos integration with the principal and the keytab created from the AD machine
- Added the domain info to the /etc/krb5.conf file
I can show more details if needed, but I have to anonymize the information.
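An added diagnostic, not part of the original post: the first thing worth checking in a capture like the one above is what kind of token the browser actually put in the `Authorization: Negotiate` header. The base64 value quoted in the post decodes to bytes beginning with `NTLMSSP\x00\x01\x00\x00\x00`, which is an NTLM Type 1 (NEGOTIATE) message rather than a Kerberos/SPNEGO token; a browser sends that when it could not obtain a service ticket for the server's SPN, and Keycloak's Kerberos integration does not speak NTLM, so it falls through to the ordinary login form. The script below classifies a Negotiate header value by its GSS-API framing and mechanism OIDs and reports whether Kerberos is offered. The function names and the sample tokens other than the post's own header are mine; the constructed SPNEGO and Kerberos samples carry only the mechanism lists, not a real AP-REQ, so the mechanism scan is a substring heuristic, not a full ASN.1 walk.

```python
import base64

# DER-encoded GSS-API mechanism OIDs (value bytes only) mapped to readable names.
OID_NAMES = {
    b"\x2b\x06\x01\x05\x05\x02": "SPNEGO (1.3.6.1.5.5.2)",
    b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02": "Kerberos V5 (1.2.840.113554.1.2.2)",
    b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02": "MS Kerberos (1.2.840.48018.1.2.2)",
    b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a": "NTLMSSP (1.3.6.1.4.1.311.2.2.10)",
}
SPNEGO_OID = b"\x2b\x06\x01\x05\x05\x02"
KRB5_OID = b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
NTLMSSP_OID = b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"


def _der_length(buf: bytes, pos: int):
    """Read a DER length at buf[pos]; return (length, position after the length)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_negotiate_header(header_value: str) -> dict:
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    result = {"scheme": scheme, "token_type": "unrecognised", "mechs": []}
    if scheme.lower() != "negotiate":
        result["token_type"] = "not a Negotiate header"
        return result
    b64 = b64.strip()
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    # Heuristic: list every known mechanism OID that appears anywhere in the token
    # (covers the SPNEGO mechTypes list without a full ASN.1 walk).
    result["mechs"] = [name for oid, name in OID_NAMES.items() if oid in raw]
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        # Bare NTLM message with no GSS-API framing; type 1 = NEGOTIATE, 3 = AUTHENTICATE.
        msg_type = int.from_bytes(raw[8:12], "little")
        result["token_type"] = f"raw NTLM message type {msg_type}"
        result["mechs"] = ["NTLMSSP (raw, no GSS-API framing)"]
        return result
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken: [APPLICATION 0] { OID, inner token }
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + 1] == b"\x06":
            oid_len, pos = _der_length(raw, pos + 1)
            outer_oid = raw[pos:pos + oid_len]
            result["token_type"] = OID_NAMES.get(outer_oid, "GSS-API, unknown mechanism")
    return result


def offers_kerberos(info: dict) -> bool:
    """True when the token carries (or negotiates) a Kerberos mechanism."""
    return any("Kerberos" in m for m in info["mechs"])


# --- constructed samples (hypothetical, built here for illustration) ----------
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV builder (short-form length only, enough for these samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def _sample_spnego(mech_oids) -> bytes:
    """Build a NegTokenInit that only lists mechTypes (no mechToken), wrapped as GSS-API."""
    mech_types = _der(0x30, b"".join(_der(0x06, oid) for oid in mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_types))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_token_init))


def _b64(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


SAMPLE_HEADERS = {
    # The exact header value quoted in the post above.
    "post": "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==",
    # Constructed: SPNEGO offering Kerberos (what a browser with a service ticket sends).
    "spnego_kerberos": _b64(_sample_spnego([KRB5_OID])),
    # Constructed: SPNEGO offering only NTLMSSP (browser had no service ticket).
    "spnego_ntlm_only": _b64(_sample_spnego([NTLMSSP_OID])),
    # Constructed: raw Kerberos InitialContextToken; 0x01 0x00 is the AP-REQ token id,
    # the AP-REQ body itself is omitted.
    "raw_kerberos": _b64(_der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00")),
}


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        info = decode_negotiate_header(header)
        print(f"{label:18} {info['token_type']:40} kerberos={offers_kerberos(info)}")
        print(f"{'':18} mechs: {info['mechs']}")
```

Run against the post's header the script reports a raw NTLM type 1 message with no Kerberos mechanism, which is the negative case to rule out before looking at Keycloak itself: a Kerberos-capable browser produces a SPNEGO token whose mechanism list includes Kerberos. When the token is NTLM, the usual suspects are on the client and KDC side (the browser does not consider the Keycloak host eligible for Negotiate, the SPN in the ktpass principal does not match the host name the browser resolves, or the client session holds no TGT), not the realm configuration.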