Keycloak and Kerberos

Log in to your Windows client and you no longer have to log in to Connections.

My setup for this:
– Windows 2019 Server – AD for the domain ‘’ – fresh install
– Windows 10 Client – Testing – already domain joined to ‘’
– Rocky Linux 8 – Keycloak 20.0.2 – already up and connected to AD through LDAP – url: / hostname
– HCL Connections 8 – already configured for OIDC against Keycloak (configure OIDC in HCL Connections)

Sure, you can configure SPNEGO directly in WebSphere. But you might also want to support OTP/WebAuthn for external users who are not in your AD.

Based on the Keycloak documentation.

Prepare the Keytab file
Create a user for the service account. For this example I use  and add all the possible URLs:

ktpass -out c:\temp\keycloak.keytab -princ HTTP/ -mapUser  -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -pass *****
setspn -S HTTP/ belsoft-lab\kk
setspn -S HTTP/ belsoft-lab\kk
setspn -S HTTP/ belsoft-lab\kk
setspn -l kk

The ‘setspn -l kk’ output shows the successful registration, and I now have the keycloak.keytab file in c:\temp, which I then have to copy to my Keycloak server(s).

Prepare Keycloak

As I have already configured LDAP against my AD server, I just need to enable Kerberos in the user federation.

Verify that Kerberos is set to ‘Alternative’ in the default authentication flow.

dnf install freeipa-client

Update the /etc/krb5.conf file on the Keycloak server with my domain:

And of course it did not work: I just got the default login window when I tried to open Keycloak’s account page.

Time to turn on the debug parameters in Keycloak. For this I added this environment variable:

and added these to my keycloak.conf file:

The log file then showed this message: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled).
This led me to this: RC4 deprecated. Further research turned up numerous posts proposing obscure tips.

In the test user’s account I had to tick ‘this account supports Kerberos AES 256 bit’.
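As an added example (not from the original post), here is the check behind that tick box: a PowerShell report of the msDS-SupportedEncryptionTypes bitmask on the SPN owner and on a test user, which tells you in advance whether AD will still issue RC4 tickets. It assumes the RSAT ActiveDirectory module; ‘kk’ is the service account from the setspn commands above and ‘TEST_USER’ is a placeholder.

```powershell
# Added example, not from the original post: decode msDS-SupportedEncryptionTypes
# for the SPNEGO service account and a test user, and flag accounts that would
# still get RC4 tickets (the cause of "Encryption type RC4 with HMAC is not
# supported/enabled"). Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Bit values of the msDS-SupportedEncryptionTypes attribute.
$EncTypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-CTS-HMAC-SHA1-96-SK'
}
$AesBits = 0x08 -bor 0x10 -bor 0x20

function Get-KerberosEncTypeReport {
    param([Parameter(Mandatory)][string[]]$Identity)

    foreach ($id in $Identity) {
        $acct = Get-ADUser -Identity $id -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'
        # Attribute never set -> $null -> 0
        $mask  = [int]($acct.'msDS-SupportedEncryptionTypes')
        $names = @($EncTypeBits.Keys | Where-Object { ($mask -band $_) -ne 0 } |
                   ForEach-Object { $EncTypeBits[$_] })

        # Unset attribute: the KDC falls back to the domain default, which
        # historically is RC4 only - the state behind the GSSException above.
        $verdict = if ($mask -eq 0) { 'NOT SET - domain default (historically RC4)' }
                   elseif (($mask -band $AesBits) -eq 0) { 'RC4/DES only - tick AES 256 in account options' }
                   else { 'OK - AES enabled' }

        [pscustomobject]@{
            Account  = $acct.SamAccountName
            SPNs     = ($acct.servicePrincipalName -join ' ')
            Mask     = ('0x{0:X}' -f $mask)
            EncTypes = ($names -join ', ')
            Verdict  = $verdict
        }
    }
}

# 'kk' is the ktpass -mapUser target from the post; 'TEST_USER' is a placeholder.
Get-KerberosEncTypeReport -Identity 'kk', 'TEST_USER' | Format-Table -AutoSize
```

Run it as a domain user on a machine with RSAT; an account whose Verdict is not ‘OK’ will still be handed RC4-encrypted tickets regardless of the AES256 keytab created with ktpass.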

After logging in to my test client again, I finally managed to access the account console without entering a username or password.