I’m trying to set up Keycloak SSO for my web site using Kerberos authentication. I’m using:
- Keycloak 23.04 on Centos 9
- Windows based Active Directory
I used this guide to set it up: Kerberos Authentication in Keycloak for ZIC, but at the end I faced this problem:
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /root/key2.keytab refreshKrb5Config is false principal is HTTP/server_dns@KERBEROS_REALM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is HTTP/server_dns@KERBEROS_REALM
Will use keytab
Commit Succeeded
2024-05-21 10:10:36,396 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-184) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:716)
at java.base/javax.security.auth.Subject.doAs(Subject.java:439)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:69)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:757)
at org.keycloak.storage.UserStorageManager.getUserByCredential(UserStorageManager.java:153)
at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByCredential(UserCacheSession.java:551)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:88)
at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:445)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:271)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1028)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:885)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:153)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:145)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:842)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96)
at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:864)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:908)
at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:555)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:168)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:131)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:121)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
... 25 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - AES256 CTS mode with HMAC SHA1-96
I already made a user and a keytab file for him with the following command:
ktpass -princ HTTP/server_dns@KERBEROS_REALM -mapuser kerberos_user -pass mypassword -out key.keytab -crypto aes256-sha1 -ptype KRB5_NT_PRINCIPAL
A user on a local domain computer can get a token from the domain controller via that keytab file with the following command:
kinit -kt keycloak.keytab HTTP/server_dns@KERBEROS_REALM
And the logs on the domain controllers and the packets captured in Wireshark say that the audit succeeded. But Keycloak does not authenticate and displays an error. At first I thought that I was using the wrong encryption, not the AES 256 that Keycloak is complaining about. But when I use
klist -etk keycloak.keytab
to see the info about the keytab file, it says that AES 256 is the only encryption that is used:
Keytab name: FILE:keycloak.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
23 01/01/1970 03:00:00 HTTP/server_dns@KERBEROS_REALM (aes256-cts-hmac-sha1-96)
Then I thought the problem was with the KVNO and that it doesn’t match the user’s msDS-KeyVersionNumber, which is used for Kerberos authentication, but they match. After this I had no more ideas what could be causing this problem, so I just regenerated the keytab file with the -crypto all option, as many sites advise, but that didn’t help either.
Could you help me to solve this problem?
Thanks very much!
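The check a practitioner would run next, added here as an example (it is not code from the question, from Keycloak or from MIT Kerberos): a small parser for the keytab file format (version 0x0502, the format ktpass writes) that lists each entry's principal, kvno and enctype, plus a `diagnose` function that states why a holder of those keys could not decrypt a service ticket for a given principal, enctype and kvno. The GSSException in the log names AES256-CTS-HMAC-SHA1-96, which is enctype 18, so that is what the sample query asks for. The keytab bytes are constructed in memory by `build_keytab`; only the principal and kvno 23 are taken from the klist output above, the key material is a placeholder, and the function and constant names are mine.

```python
"""Inspect a Kerberos keytab for the key an SPNEGO acceptor needs.

Added example, not code from the original post or from Keycloak.  Parses an
MIT-format keytab (version 0x0502, as written by ktpass/ktutil), lists each
entry's principal, kvno and enctype, and explains why a holder of those keys
could not decrypt an AP-REQ for a given (principal, enctype, kvno).  The keytab
built at the bottom uses constructed values; only the principal and kvno 23 come
from the post, the key bytes are placeholders.
"""
import struct
from typing import List, NamedTuple, Optional

# Enctype numbers from RFC 3961/3962/6803/8009; 18 is the one the GSSException names.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
                 20: "aes256-cts-hmac-sha384-192", 23: "arcfour-hmac"}
KRB5_NT_PRINCIPAL = 1


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: int
    keylen: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")


def _counted(buf: bytes, off: int):
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2].hex()}")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                       # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                  # optional 32-bit kvno; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, len(key)))
        off = end
    return entries


def build_keytab(keys) -> bytes:
    """Write a 0x0502 keytab from (principal, kvno, enctype, key) tuples.
    Timestamp is 0, which is why ktpass keytabs show 01/01/1970 in klist."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose(entries, principal: str, enctype: int, kvno: Optional[int] = None) -> str:
    """Why could a holder of `entries` not decrypt a ticket for `principal`
    encrypted with `enctype` (and `kvno`, if read from the AP-REQ in Wireshark)?"""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return f"no keys for {principal}; keytab principals: {sorted({e.principal for e in entries})}"
    same_type = [e for e in mine if e.enctype == enctype]
    if not same_type:
        have = sorted({e.enctype_name for e in mine})
        return f"no {ENCTYPE_NAMES.get(enctype, enctype)} key for {principal}; keytab has {have}"
    if kvno is not None and all(e.kvno != kvno for e in same_type):
        return f"kvno mismatch: ticket kvno {kvno}, keytab has {sorted({e.kvno for e in same_type})}"
    return "ok"


# Constructed keytab mirroring the klist output in the post (key bytes are dummies).
SPN = "HTTP/server_dns@KERBEROS_REALM"
SAMPLE_KEYTAB = build_keytab([(SPN, 23, 18, bytes(range(32)))])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    keys = parse_keytab(data)
    for e in keys:
        print(f"{e.principal}  kvno={e.kvno}  {e.enctype_name}  ({e.keylen}-byte key)")
    print(diagnose(keys, SPN, 18, 23))
```

Point the script at the file Keycloak is actually configured with (the debug line above reports `KeyTab is /root/key2.keytab`, while the kinit and klist checks in the post were run against keycloak.keytab), and pass the kvno shown in the AP-REQ's Ticket enc-part in the Wireshark capture as the last argument to `diagnose`; a keytab that kinit accepts proves the keytab matches the KDC, not that the acceptor is reading that keytab.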