I am trying to implement Kerberos Integration for Keycloak on a Windows domain. I have added an ldap provider in Keycloak and setup my connection with AD which all works.
I am testing it out on a sandbox environment:
Domain: SANDBOX.NET
DC: KEYTEST-DC
App server where keycloak is running: KEYTEST-APP
Client machine to test the auto login with kerberos: KEYTEST-CLIENT
I started with the following actions (done on the DC with a DC admin account)
Create a new AD service user with the same name as the machine name where keycloak is running:
First Name: KEYTEST-APP
User logon name: HTTP/keytest-app.sandbox.net
Password: S@ndM@n

Set the SPN for this user:
setspn -A HTTP/[email protected] KEYTEST-APP

Create the keytab file:
ktpass /out keycloak.keytab /princ HTTP/[email protected] /mapuser [email protected] /pass S@ndM@n

Copy the keytab file to the app server and use it to configure kerberos in keycloak:
Kerberos Realm: SANDBOX.NET
Server Principal: HTTP/[email protected]
Keytab: location of the keytab file
I did an initial test and everything worked perfectly.
Then I wanted to document the whole process, so I started again, but chose svc_keycloak as the name for my AD service user, as I found other documentation which didn't specify that the name must match that of the app server.
I also chose a different password, but when I tested this it didn't work.
Error in keycloak: SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Eventually I found out that it only worked with the svc_keycloak user when I used the S@ndM@n password in the ktpass command, even though this was the password of the KEYTEST-APP user.
Then I did a lot of tests: deleted the KEYTEST-APP user, created new DC admin accounts, changed passwords. Yet kerberos only worked when I used S@ndM@n as the password in the ktpass command (with whatever user I tried).
In the end I started from zero: new DC, new app server, everything configured from scratch. This time I started with the new service user svc_keycloak and a whole new password, but again the same error in keycloak. Then I created the user KEYTEST-APP again and gave it the password S@ndM@n (maybe I should have picked a different password here and I should start again from scratch) and now it all worked again. Testing with svc_keycloak, it again also worked if I gave S@ndM@n as the password in the ktpass command.
And it even keeps on working after deleting the KEYTEST-APP user, so somewhere the password must still be stored?? I noticed that when I deleted the KEYTEST-APP user I still got Service Principal Names when executing: setspn -l KEYTEST-APP
After some research (because my knowledge about kerberos is very limited) I found out that this is because KEYTEST-APP is also a computer account. As far as I have found, every computer account has its own password, but these are completely random.
I just want to find out why it only works with the S@ndM@n password. Is this because this is the first password I used for the user with the same name as the app server? Then there must be some way to update this? Or maybe I have overlooked something and someone sees the problem in my config.
Thx, Remi
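The following is an added illustration and is not part of the original post or of the Keycloak or Windows tooling it describes. It computes, stdlib only, the long-term Kerberos keys that a keytab built with a given password would hold, for the two account names from the post. The realm, account names and password (SANDBOX.NET, KEYTEST-APP, svc_keycloak, S@ndM@n) are used purely as constructed sample input; the user-account salt form (uppercase realm followed by sAMAccountName) is the MS-KILE default and is an assumption about how the sandbox DC derives AES keys; for AES only the first, PBKDF2 stage of the RFC 3962 derivation is computed, because the final DK() step needs an AES primitive and the salt dependence is already visible after PBKDF2.

```python
"""Kerberos string-to-key comparison: RC4-HMAC (unsalted) vs. AES (salted).
Added illustration; not the post's or Keycloak's code. Pure stdlib."""
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib's md4 is often disabled under OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for func, const, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4                          # update a, d, c, b, a, ...
                y, z, w = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = _rotl((v[t] + func(y, z, w) + x[order[i]] + const) & MASK,
                             shifts[i % 4])
        a, b, c, d = ((a + v[0]) & MASK, (b + v[1]) & MASK,
                      (c + v[2]) & MASK, (d + v[3]) & MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password. Same for every account using that password."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757: the RC4-HMAC long-term key IS the NT hash. No salt, no realm, no principal."""
    return nt_hash(password)


def ad_user_salt(realm: str, sam_account_name: str) -> bytes:
    """Assumed MS-KILE default salt for a user account: uppercase realm + sAMAccountName."""
    return (realm.upper() + sam_account_name).encode("utf-8")


def aes256_string_to_key_stage1(password: str, salt: bytes) -> bytes:
    """RFC 3962 step 1 for aes256-cts-hmac-sha1-96: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes.
    The final DK(tkey, "kerberos") step is omitted; it is a fixed AES-based transform of this value."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, 32)


def long_term_keys(password: str, realm: str, sam_account_name: str) -> dict:
    """What a keytab / the KDC would hold for this account under each enctype (AES: stage 1 only)."""
    return {
        "rc4-hmac": rc4_hmac_key(password).hex(),
        "aes256-stage1": aes256_string_to_key_stage1(
            password, ad_user_salt(realm, sam_account_name)).hex(),
    }


if __name__ == "__main__":
    # Constructed sample input mirroring the post's sandbox; not real credentials.
    realm, password = "SANDBOX.NET", "S@ndM@n"
    for account in ("KEYTEST-APP", "svc_keycloak"):
        print(account, long_term_keys(password, realm, account))
```

Run it and the two rc4-hmac lines are identical while the aes256-stage1 lines differ: under RC4-HMAC the key is a function of the password alone, so a service ticket encrypted by the KDC with the RC4 key of any account whose password is S@ndM@n decrypts with a keytab built from that password, whatever /princ or /mapuser was given to ktpass, and a client that still holds such a ticket in its cache keeps presenting it without contacting the KDC. The checks that follow from this when reproducing the post's symptoms: run setspn -Q HTTP/keytest-app.sandbox.net and setspn -X on the DC to see which account(s) actually hold the SPN (the computer account KEYTEST-APP$ and a user named KEYTEST-APP are different objects), run klist purge on KEYTEST-CLIENT between tests so a stale cached ticket cannot mask a wrong keytab, and build the keytab with an AES enctype (ktpass /crypto AES256-SHA1) so the key is bound to the account's salt rather than to the password string.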