Hi, i whant to login on the web-site without entering credentials from local domain computers. So i decided to use kerberos authentication in keycloak. I have created keycloak.keytab on domain controller via following command:
ktpass -princ HTTP/server_dns@KERBEROS_REALM -mapuser kerberos_user -pass mypassword -out key.keytab -crypto aes256-sha1 -ptype KRB5_NT_PRINCIPAL
Then i configure kerberos keycloak realm as described in this guide: Zerto Knowledge Portal.
I also enable kerberos authentication in chrome on client computer.
But I suddenly encountered such a problem, keycloak don’t authenicate user and generate this log:
May 21 03:10:36 server_dns kc.sh[241137]: Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /root/key2.keytab refreshKrb5Config is false principal is HTTP/server_dns@KERBEROS_REALM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
May 21 03:10:36 server_dns kc.sh[241137]: principal is HTTP/server_dns@KERBEROS_REALM
May 21 03:10:36 server_dns kc.sh[241137]: Will use keytab
May 21 03:10:36 server_dns kc.sh[241137]: Commit Succeeded
May 21 03:10:36 server_dns kc.sh[241137]: 2024-05-21 10:10:36,396 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-184) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.base/java.security.AccessController.doPrivileged(AccessController.java:716)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.base/javax.security.auth.Subject.doAs(Subject.java:439)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:69)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:757)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.storage.UserStorageManager.getUserByCredential(UserStorageManager.java:153)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByCredential(UserCacheSession.java:551)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:88)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:445)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:271)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1028)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:885)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:153)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
May 21 03:10:36 server_dns kc.sh[241137]: #011at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
May 21 03:10:36 server_dns kc.sh[241137]: #011at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
May 21 03:10:36 server_dns kc.sh[241137]: #011at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.base/java.lang.Thread.run(Thread.java:842)
May 21 03:10:36 server_dns kc.sh[241137]: Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:864)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:908)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:555)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:168)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:131)
May 21 03:10:36 server_dns kc.sh[241137]: #011at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:121)
May 21 03:10:36 server_dns kc.sh[241137]: #011at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
May 21 03:10:36 server_dns kc.sh[241137]: #011... 25 more
May 21 03:10:36 server_dns kc.sh[241137]: Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96
Based on the logs from the domain controller and the packets captured by wireshark, authentication via Kerberos is successful and the client receives a ticket from domain controller.
Attemp to kinit from server successful returns a ticket.
Do you have any tips to solve this problem?