I have a Web App that uses Keycloak/OpenID Connect to authenticate a user to an Windows AD.
Users will not be using a browser on a workstation in the Windows AD domain.
The Web App server (Tomcat with Keycloak adapter) is running in the Windows AD domain.
The Web App is configured for Keycloak/OpenID Connect. Keycloak realm is configured to use the Windows AD Kerberos/LDAP.
The user browser forwards to the keycloak login and following a successful login, forwards back to the web app.
The Web App needs to connect to an IBM i using Kerberos ticket/GSS Credential The IBM i is configured for SSO/EIM using the Windows AD. It works.
I configured the Keycloak client for GSS Credential Forwarding.
I try to get the GSS Credential from the Servlet request using the Keycloak client
// Obtain accessToken in your application.
KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>)request.getUserPrincipal();
AccessToken at = kcp.getKeycloakSecurityContext().getToken();
String username = at.getPreferredUsername();
wtr.append("Windows User: ").append(username).append(newLine);
// Retrieve kerberos credential from accessToken and deserialize it
Map<String, Object> otherClaims = at.getOtherClaims();
Object otherClaim = otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
String serializedGSSCred = (String) otherClaim;
GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(serializedGSSCred);
The "otherClaims" map is empty. So deserializing throws a null pointer exception with the message
org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_152, runtime version: 1.8.0_152-b16, vendor: Oracle Corporation, os: 6.2
at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)
What am I missing?
For the browser to be able to negotiate (SPNEGO) it needs to be on the AD domain (also the delegation needs to be setup at the AD level, using msDS-AllowedToDelegateTo field) in order for the KC to impersonate the user on the backend service. I would expect you get a 401 (Unauthorized) to which your browser cannot respond as it won't be able to get a kerberos ticket. You could in theory do basic authentication against the web server, get a kerberos ticket on your webapp and forward it to the backend...