Goal:
Log in to your Windows client and not have to log in to Connections separately.
My setup for this:
– Windows 2019 Server – AD for the domain ‘belsoft-lab.ch’ – fresh install
– Windows 10 Client – Testing – already domain joined to ‘belsoft-lab.ch’
– Rocky Linux 8 – Keycloak 20.0.2 – already up and connected to AD through LDAP – URL: login.belsoft-lab.ch / hostname login1.belsoft-lab.ch
– HCL Connections 8 already configured for OIDC against Keycloak (see: configure OIDC in HCL Connections)
Motivation:
Sure, you can configure SPNEGO directly in WebSphere. But you might also want to support OTP/WebAuthn for external users who are not in your AD.
Based on the Keycloak documentation.
Prepare the Keytab file
Create a user for the service account; for this example I use kk@belsoft-lab.ch. Then register all the possible URLs as SPNs on that account:
ktpass -out c:\temp\keycloak.keytab -princ HTTP/login.belsoft-lab.ch@BELSOFT-LAB.CH -mapUser kk@belsoft-lab.ch -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -pass *****
setspn -S HTTP/login1.belsoft-lab.ch@BELSOFT-LAB.CH belsoft-lab\kk
setspn -S HTTP/login1.belsoft-lab.ch belsoft-lab\kk
setspn -S HTTP/login.belsoft-lab.ch belsoft-lab\kk
setspn -l kk
The ‘setspn -l kk’ displays the successful registration, and I’ve got the keycloak.keytab file in c:\temp, which I then have to copy to my Keycloak server(s).
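Before copying the keytab across it is worth checking what it actually contains. The following is an added example, not code from the original post: a small parser for the keytab format that ktpass writes, reporting which encryption types are stored for the Keycloak SPN so that an RC4-only or wrong-principal keytab is noticed before the first SPNEGO test; the sample keytab bytes at the bottom are constructed here, not taken from a real file.

```python
# Added example, not from the original post: parse a keytab (format 0x0502, as ktpass writes)
# and report which enctypes it holds for the Keycloak SPN, so an RC4-only or wrong-principal
# keytab is caught before the first SPNEGO test. SAMPLE_KEYTAB at the bottom is constructed.
import struct
LEGACY = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}
AES256 = 18                                   # aes256-cts-hmac-sha1-96

def _counted(buf, pos):                       # counted_octet_string: uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [{principal, kvno, enctype}] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data) and (size := struct.unpack_from(">i", data, pos)[0]) != 0:
        pos += 4
        if size < 0:                          # negative size marks a deleted slot
            pos -= size
            continue
        ent = data[pos:pos + size]
        (ncomp,) = struct.unpack_from(">H", ent, 0)
        realm, p = _counted(ent, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(ent, p)
            comps.append(comp)
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", ent, p)
        etype, klen = struct.unpack_from(">HH", ent, p + 9)
        p += 13 + klen                        # past name_type, timestamp, vno8 and keyblock
        vno = struct.unpack_from(">I", ent, p)[0] if len(ent) - p >= 4 else vno8
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append({"principal": principal, "kvno": vno, "enctype": etype})
        pos += size
    return entries

def check_keytab(data, principal):            # -> (has AES256 key?, [legacy enctype names])
    mine = [e for e in parse_keytab(data) if e["principal"] == principal]
    legacy = sorted({LEGACY[e["enctype"]] for e in mine if e["enctype"] in LEGACY})
    return any(e["enctype"] == AES256 for e in mine), legacy

def build_entry(realm, comps, etype, key, kvno):   # encoder, used only to build the sample
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    body += b"".join(struct.pack(">H", len(c)) + c for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

R, C = b"BELSOFT-LAB.CH", [b"HTTP", b"login.belsoft-lab.ch"]   # constructed sample realm and SPN
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(R, C, AES256, b"\x11" * 32, 3) + build_entry(R, C, 23, b"\x22" * 16, 3)
```

On the Keycloak host, `klist -kte keycloak.keytab` shows the same information once the Kerberos client tools from the freeipa-client step are installed.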
Prepare Keycloak
As I’ve already configured LDAP against my AD server, I just need to activate Kerberos in the user federation.
Verify that Kerberos is set to Alternative in the default authentication flow.
dnf install freeipa-client
Update the /etc/krb5.conf file on the Keycloak server with my domain.
Testing
And of course it did not work: I just got the default login window when I tried to go to Keycloak’s account page.
Troubleshooting
I turned on the debug parameters in Keycloak. For this I added this environment variable:
JAVA_OPTS_APPEND="-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true"
and added these to my keycloak.conf file:
log=file
log-file=/opt/keycloak/log/keycloak.log
log-level=info,org.keycloak.federation.kerberos:trace
The log file then showed this message:
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled
which led me to this: RC4 deprecated. Further research led to numerous posts that proposed obscure tips.
Solution
In the test user’s account I had to tick ‘This account supports Kerberos AES 256 bit encryption’.
After logging in again on my test client, I finally managed to access the account console without entering a username or password.