{"id":891,"date":"2022-12-23T10:22:56","date_gmt":"2022-12-23T09:22:56","guid":{"rendered":"https:\/\/www.ume.li\/blog\/?p=891"},"modified":"2022-12-23T10:22:56","modified_gmt":"2022-12-23T09:22:56","slug":"keycloak-and-kerberos","status":"publish","type":"post","link":"https:\/\/www.ume.li\/blog\/2022\/12\/23\/keycloak-and-kerberos\/","title":{"rendered":"Keycloak and Kerberos"},"content":{"rendered":"

Goal:
\nLogin to your Windows Client and do not have to login to Connections<\/p>\n

My setup for this:
\n– Windows 2019 Server – AD for the domain ‘belsoft-lab.ch’ – fresh install
\n– Windows 10 Client – Testing – already domain joined to ‘belsoft-lab.ch’
\n– Rocky Linux 8 – Keycloak 20.0.2 – already up and connected to AD through LDAP – url: login.belsoft-lab.ch \/ hostname login1.belsoft-lab.ch
\n– HCL Connections 8 already configured for OIDC against Keycloak (configure OIDC in HCL Connections<\/a><\/p>\n

Motivation:
\nSure you can configure SPNEGO directly in WebSphere. But you might want to support OTP\/WebAuthn for external users which are not in your AD?<\/p>\n

Based on keycloak documentation<\/a><\/p>\n

Prepare the Keytab file<\/strong>
\nCreate a user for the service account. For this example I use kk@belsoft-lab.ch. And add all the possible URL’s<\/p>\n

\r\nktpass -out c:\\temp\\keycloak.keytab -princ HTTP\/login.belsoft-lab.ch@BELSOFT-LAB.CH -mapUser kk@belsoft-lab.ch  -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -pass *****\r\nsetspn -S HTTP\/login1.belsoft-lab.ch@BELSOFT-LAB.CH belsoft-lab\\kk\r\nsetspn -S HTTP\/login1.belsoft-lab.ch belsoft-lab\\kk\r\nsetspn -S HTTP\/login.belsoft-lab.ch belsoft-lab\\kk\r\nsetspn -l kk\r\n<\/pre>\n
The ‘setspn -l kk’ displays the successfull registration and I’ve got the keycloak.keytab file in c:\\temp which I then have to copy to my keycloak server(s).
\n\"\"<\/a><\/p>\n
 <\/p>\n
Prepare Keycloak<\/strong><\/p>\n
As I’ve already configured ldap against my AD server, I just need to activate Kerberos in the user federation.
\n\"\"<\/a><\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
Verify that the default authentication flow has set Kerberos to Alternative
\n\"\"<\/a><\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
\r\ndnf install freeipa-client\r\n<\/pre>\n
Update the \/etc\/krb5.conf file on the keycloak server with my domain
\n\"\"<\/a><\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
Testing<\/strong><\/p>\n
And of course it did not work. I just got the default login window when I tried to go to keycloak’s account page.<\/p>\n
Troubleshooting<\/strong><\/p>\n
Turning on the debug parameters in keycloak. For this I added this environment variable<\/p>\n
\r\nJAVA_OPTS_APPEND="-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true"\r\n<\/pre>\n
and added these to my keycloak.conf file<\/p>\n
\r\nlog=file\r\nlog-file=\/opt\/keycloak\/log\/keycloak.log\r\nlog-level=info,org.keycloak.federation.kerberos:trace\r\n<\/pre>\n
the log file then showed this message:
\n\"\"<\/a><\/p>\n
 <\/p>\n
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported\/enabled<\/em>
\nwhich led me to this RC4 deprecated<\/a>. Further research led to numerous posts which proposed obscure tipps.<\/p>\n
Solution<\/strong><\/p>\n
In the test users account I had to tick ‘this account supports Kerberos AES 256 bit’<\/p>\n
\"\"<\/a><\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n
Relogin to my test client. Finally managed to access the account console without entering username or password.<\/p>\n","protected":false},"excerpt":{"rendered":"
Goal: Login to your Windows Client and do not have to login to Connections My setup for this: – Windows<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,1],"tags":[85,84,83,82,86],"class_list":["post-891","post","type-post","status-publish","format-standard","hentry","category-connections","category-uncategorized","tag-active-directory","tag-ad","tag-kerberos","tag-keycloak","tag-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/posts\/891","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/comments?post=891"}],"version-history":[{"count":7,"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/posts\/891\/revisions"}],"predecessor-version":[{"id":904,"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/posts\/891\/revisions\/904"}],"wp:attachment":[{"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/media?parent=891"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/categories?post=891"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ume.li\/blog\/wp-json\/wp\/v2\/tags?post=891"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}