Keycloak and Kerberos


Goal:
Log in to your Windows client and not have to log in to Connections again.

My setup for this:
– Windows 2019 Server – AD for the domain ‘belsoft-lab.ch’ – fresh install
– Windows 10 Client – Testing – already domain joined to ‘belsoft-lab.ch’
– Rocky Linux 8 – Keycloak 20.0.2 – already up and connected to AD through LDAP – URL: login.belsoft-lab.ch / hostname login1.belsoft-lab.ch
– HCL Connections 8 – already configured for OIDC against Keycloak (configure OIDC in HCL Connections)

Motivation:
Sure, you can configure SPNEGO directly in WebSphere. But you might also want to support OTP/WebAuthn for external users who are not in your AD.

Based on the Keycloak documentation.

Prepare the Keytab file
Create a user for the service account; for this example I use kk@belsoft-lab.ch. Then register all the possible URLs as SPNs for that account:

ktpass -out c:\temp\keycloak.keytab -princ HTTP/login.belsoft-lab.ch@BELSOFT-LAB.CH -mapUser kk@belsoft-lab.ch  -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -pass *****
setspn -S HTTP/login1.belsoft-lab.ch@BELSOFT-LAB.CH belsoft-lab\kk
setspn -S HTTP/login1.belsoft-lab.ch belsoft-lab\kk
setspn -S HTTP/login.belsoft-lab.ch belsoft-lab\kk
setspn -l kk

‘setspn -l kk’ displays the successful registration, and I’ve got the keycloak.keytab file in c:\temp, which I then have to copy to my Keycloak server(s).

Prepare Keycloak

As I’ve already configured LDAP user federation against my AD server, I just need to enable Kerberos authentication in that LDAP provider.

Verify that the Kerberos step of the default (browser) authentication flow is set to Alternative.

Install the Kerberos client tools on the Keycloak server:

dnf install freeipa-client

Update the /etc/krb5.conf file on the Keycloak server with my domain.
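Added example (mine, not from the original post): a script that writes a krb5.conf for this realm and then verifies the keytab produced by ktpass above with klist and kinit before Keycloak ever touches it. It assumes the AD domain controller answers as dc1.belsoft-lab.ch (a placeholder; the post does not name it) and that the keytab was copied to /opt/keycloak/keycloak.keytab; the function names are mine. It restricts the enctypes to AES, so an account that still issues RC4 tickets fails at kinit with a clear KDC error instead of deep inside Keycloak.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render /etc/krb5.conf for the
# BELSOFT-LAB.CH realm and check the keytab before wiring it into Keycloak.
# ASSUMPTIONS: the AD domain controller is reachable as dc1.belsoft-lab.ch
# (placeholder; the post does not name it) and the keytab was copied to
# /opt/keycloak/keycloak.keytab.
set -eu

REALM="BELSOFT-LAB.CH"
DOMAIN="belsoft-lab.ch"
KDC="dc1.belsoft-lab.ch"            # placeholder for the AD domain controller
KEYTAB="/opt/keycloak/keycloak.keytab"
SERVICE_PRINC="HTTP/login.$DOMAIN@$REALM"

# Write a krb5.conf to the given path. AD is both KDC and admin server;
# dns_lookup_kdc lets the AD SRV records take over for additional DCs.
# Java (and therefore Keycloak) reads this same file on Linux.
write_krb5_conf() {
  local path="$1"
  cat > "$path" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = true
    # AES only: a service ticket issued with RC4 is what produced the
    # "Encryption type RC4 with HMAC is not supported/enabled" error.
    default_tgt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    $REALM = {
        kdc = $KDC
        admin_server = $KDC
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# List the principals and encryption types stored in the keytab.
# Expect HTTP/login.belsoft-lab.ch@BELSOFT-LAB.CH with aes256-cts-hmac-sha1-96.
show_keytab() {
  klist -kte "$1"
}

# Prove the keytab works against the KDC: obtain a ticket for the service
# principal without typing a password, then list the ticket cache.
test_keytab() {
  kinit -kt "$KEYTAB" "$SERVICE_PRINC" && klist
}

# Only run the network-dependent part when invoked directly with "run".
if [ "${1:-}" = "run" ]; then
  write_krb5_conf /etc/krb5.conf
  show_keytab "$KEYTAB"
  test_keytab
fi
```

Run it as root on the Keycloak host with `bash krb5-setup.sh run`; klist -kte should list HTTP/login.belsoft-lab.ch@BELSOFT-LAB.CH with aes256-cts-hmac-sha1-96, and kinit should return without prompting. If kinit complains that the KDC has no support for the encryption type, the account behind the keytab is not yet allowed to use AES, which is the same root cause the troubleshooting section below runs into.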


Testing

And of course it did not work: I just got the default login window when I tried to go to Keycloak’s account page.

Troubleshooting

Turn on the Kerberos debug parameters in Keycloak. For this I added this environment variable:

JAVA_OPTS_APPEND="-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true"

and added these lines to my keycloak.conf file:

log=file
log-file=/opt/keycloak/log/keycloak.log
log-level=info,org.keycloak.federation.kerberos:trace

The log file then showed this message:

java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled
which led me to this: RC4 deprecated. Further research led to numerous posts proposing obscure tips.

Solution

In the test user’s AD account I had to tick ‘this account supports Kerberos AES 256 bit’.
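Added example (mine, not part of the post): a diagnosis script for that error. The AD checkbox sets bit 0x10 (AES256) in the account's msDS-SupportedEncryptionTypes attribute, and an account whose attribute is unset or 0 is treated as RC4-only by the KDC, which is exactly what newer JDKs refuse. The script decodes that attribute, reads it over LDAP from the same AD the user federation already talks to (host, bind account and base DN are placeholders), counts the GSSException in the Keycloak log from keycloak.conf above, and carries a constructed log excerpt so it can be exercised offline. It checks the service account kk as well as the user that logs in, since both accounts' flags matter.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): diagnose the Keycloak SPNEGO
# failure "Encryption type RC4 with HMAC is not supported/enabled".
# The AD checkbox "supports Kerberos AES 256 bit" sets bit 0x10 in the
# account's msDS-SupportedEncryptionTypes attribute; with the attribute
# unset (0) a user account is treated as RC4-only by the KDC.
# ASSUMPTIONS (placeholders): AD host dc1.belsoft-lab.ch, bind account
# bind@belsoft-lab.ch, base DN DC=belsoft-lab,DC=ch, test user "testuser".
set -eu

AD_HOST="dc1.belsoft-lab.ch"
BIND_DN="bind@belsoft-lab.ch"
BASE_DN="DC=belsoft-lab,DC=ch"
KC_LOG="/opt/keycloak/log/keycloak.log"   # log-file from keycloak.conf

# Bit values of msDS-SupportedEncryptionTypes.
ENC_DES_CRC=1
ENC_DES_MD5=2
ENC_RC4=4
ENC_AES128=8
ENC_AES256=16

# Print the enctypes enabled by a decimal attribute value.
decode_enctypes() {
  local v="$1" out=""
  if [ "$v" -eq 0 ]; then
    echo "rc4-hmac (attribute unset, AD default)"
    return
  fi
  [ $((v & ENC_DES_CRC)) -ne 0 ] && out="$out des-cbc-crc"
  [ $((v & ENC_DES_MD5)) -ne 0 ] && out="$out des-cbc-md5"
  [ $((v & ENC_RC4)) -ne 0 ]     && out="$out rc4-hmac"
  [ $((v & ENC_AES128)) -ne 0 ]  && out="$out aes128-cts-hmac-sha1-96"
  [ $((v & ENC_AES256)) -ne 0 ]  && out="$out aes256-cts-hmac-sha1-96"
  echo "${out# }"
}

# Succeed (exit 0) when AES256 is enabled for the account.
has_aes256() {
  [ $(($1 & ENC_AES256)) -ne 0 ]
}

# Read the attribute for an account from AD over LDAP; prints nothing if unset.
fetch_enctypes() {
  ldapsearch -LLL -H "ldap://$AD_HOST" -D "$BIND_DN" -W -b "$BASE_DN" \
    "(sAMAccountName=$1)" msDS-SupportedEncryptionTypes \
    | awk -F': ' '/^msDS-SupportedEncryptionTypes:/ {print $2}'
}

# Count occurrences of the RC4 GSSException in a Keycloak log file.
rc4_errors_in_log() {
  grep -c 'Encryption type RC4 with HMAC is not supported' "$1" || true
}

# Constructed log excerpt in the shape of the trace output from the post
# (not a real capture), used to exercise rc4_errors_in_log offline.
SAMPLE_LOG='2023-01-10 10:00:01,123 TRACE [org.keycloak.federation.kerberos] (executor-thread-1) SPNEGO login failed
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)'

if [ "${1:-}" = "run" ]; then
  # Check both the service account and the user that is trying to log in.
  for acct in kk testuser; do
    v=$(fetch_enctypes "$acct"); v=${v:-0}
    printf '%s: msDS-SupportedEncryptionTypes=%s -> %s\n' \
      "$acct" "$v" "$(decode_enctypes "$v")"
    has_aes256 "$v" || echo "  -> tick 'supports Kerberos AES 256 bit' on $acct"
  done
  echo "RC4 errors in $KC_LOG: $(rc4_errors_in_log "$KC_LOG")"
fi
```

Run it with `bash enctype-check.sh run` on the Keycloak host (ldapsearch prompts for the bind password). A value of 24 means AES128 and AES256 are both enabled; 0 or 4 means the account will keep getting RC4 tickets and the trace in keycloak.log will keep showing the GSSException.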


After logging in again on my test client, I finally managed to access the account console without entering a username or password.