I'm integrating SSO(Kerberos) with Keycloak (...)
In the process of troubleshooting this: When using the klist get command:
>klist get HTTP/registered-spn.fqdn.com
Current LogonId is 0:0x145d2d
Error calling API LsaCallAuthenticationPackage (GetTicket substatus): 0x80090342
klist failed with 0xc00002fd/-1073741059
My question:
Should "klist get" return a positve result for EVERY domain user that will use SSO? Or will this only work for domain admin accounts?
The user account registered in/with the SPN should have all needed permissions. When testing "klist get" with a domain admin account, I get a result, with a regular user not. Question is if this is expected or do all domain users that will use SSO need any special permissions as well? (So again; should "klist get work" for everyone, and is "klist get" the first command that should work before proceeding?)
Yes, it should return a positive result for every user. Acquiring a ticket (as
klist getdoes) is the core operation of Kerberos SSO – it is in no way privileged.That being said, it only works if your login session has the credentials to acquire tickets at all – meaning, either you must be logged in as a domain user, not a local user, or you must have Kerberos credentials stored in Credential Manager if you're using a local account.
If you're logged in as a domain user:
Test with a SPN of some other service that is guaranteed to work. For example, as you're most likely using Active Directory, test with
ldap/<fqdn_of_dc>orhost/<fqdn_of_your_own_pc>.Fire up Wireshark, capture
port 88, and check whether a Kerberos TGS-REQ is happening at all and whether it's failing for some reason.