javaactive-directoryopenid-connectkeycloakkerberos-delegation

Keycloak GSS Credential delegation when browser not in AD Domain


I have a Web App that uses Keycloak/OpenID Connect to authenticate a user to an Windows AD.

Users will not be using a browser on a workstation in the Windows AD domain.

The Web App server (Tomcat with Keycloak adapter) is running in the Windows AD domain.

The Web App is configured for Keycloak/OpenID Connect. Keycloak realm is configured to use the Windows AD Kerberos/LDAP.

The user browser forwards to the keycloak login and following a successful login, forwards back to the web app.

The Web App needs to connect to an IBM i using Kerberos ticket/GSS Credential The IBM i is configured for SSO/EIM using the Windows AD. It works.

I configured the Keycloak client for GSS Credential Forwarding.

I try to get the GSS Credential from the Servlet request using the Keycloak client

            // Obtain accessToken in your application.
        KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>)request.getUserPrincipal();
        AccessToken at = kcp.getKeycloakSecurityContext().getToken();
        String username = at.getPreferredUsername();
        wtr.append("Windows User: ").append(username).append(newLine);

        // Retrieve kerberos credential from accessToken and deserialize it

        Map<String, Object> otherClaims = at.getOtherClaims();
        Object otherClaim = otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
        String serializedGSSCred = (String) otherClaim;
        GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(serializedGSSCred);

The "otherClaims" map is empty. So deserializing throws a null pointer exception with the message

org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_152, runtime version: 1.8.0_152-b16, vendor: Oracle Corporation, os: 6.2
at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)

What am I missing?


Solution

  • For the browser to be able to negotiate (SPNEGO) it needs to be on the AD domain (also the delegation needs to be setup at the AD level, using msDS-AllowedToDelegateTo field) in order for the KC to impersonate the user on the backend service. I would expect you get a 401 (Unauthorized) to which your browser cannot respond as it won't be able to get a kerberos ticket. You could in theory do basic authentication against the web server, get a kerberos ticket on your webapp and forward it to the backend...