Keytab file <literal>/tmp/http.keytab</literal> will need to be accessible on the host where keycloak server will be running.
</para>
</listitem>
</itemizedlist>
</para>
</section>
<section>
<title>Setup and configuration of Keycloak server</title>
<itemizedlist>
<listitem>
<para>
Install kerberos client. This is again platform dependent. If you are on Fedora, Ubuntu or RHEL, you can install package <literal>freeipa-client</literal>,
which contains Kerberos client and bunch of other stuff.
</para>
</listitem>
<listitem>
<para>
Configure kerberos client (on linux it's in file <literal>/etc/krb5.conf</literal> ). You need to put your Kerberos realm and at least
configure the Http domains your server will be running on. For the example realm MYDOMAIN.ORG you may configure <literal>domain_realm</literal> section like this:
<programlisting><![CDATA[
[domain_realm]
.mydomain.org = MYDOMAIN.ORG
mydomain.org = MYDOMAIN.ORG
]]></programlisting>
</para>
</listitem>
<listitem>
<para>
Export keytab file with HTTP principal and make sure the file is accessible to the process under which Keycloak
server is running. For production, it's ideal if it's readable just by this process and not by someone else.
For MIT Kerberos example above, we already exported keytab to <literal>/tmp/http.keytab</literal> . If your KDC and Keycloak
are running on same host, you have file already available.
through <linklinkend='user_federation'>Federation provider SPI</link> . We have 2 federation providers with Kerberos authentication support:
<variablelist>
<varlistentry>
<term>Kerberos</term>
<listitem>
<para>
This provider is useful if you want to authenticate with Kerberos <literal>NOT</literal> backed by LDAP server.
In this case, users are usually created to Keycloak database after first successful SPNEGO/Kerberos login
and they may need to update profile after first login, as Kerberos protocol itself doesn't provision
any data like first name, last name or email.
</para>
<para>
You can also choose if users can authenticate with classic username/password. In this case, if user doesn't have SPNEGO ticket available,
Keycloak will display login screen and user can fill his Kerberos username and password on login screen. Username/password works also for non-web flows like
Finally you may need to check the Kerberos authenticator correctly configured. You can go to <literal>Authentication</literal> tab in
admin console and select <literal>Browser</literal> flow. Here you will see <literal>Kerberos</literal> authenticator, which is used by Keycloak for SPNEGO
handshake with client (exchange <literal>Negotiate</literal> header etc.). By default it's disabled, so Keycloak doesn't ask for Negotiate header, however once you
configured federation provider in previous step, it's automatically switched to <literal>ALTERNATIVE</literal>. So defacto you don't need to do anything, just
check that it's really switched to Alternative.
</para>
<para>
Alternative means that Keycloak tries to ask browser for Negotiate header, but if it's not available, it will continue on next authenticator (which usually means
displaying username/password form to user). You can switch to <literal>REQUIRED</literal> if you want to enforce login with
kerberos ticket and not allow fallback to username/password form.
<title>Setup and configuration of client machines</title>
<para>
Clients need to install kerberos client and setup krb5.conf as described above. Additionally they need to enable SPNEGO login support in their browser.
See for example <ulinkurl="http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html">this</ulink>
for more info about Firefox. URI <literal>.mydomain.org</literal> must be allowed in <literal>network.negotiate-auth.trusted-uris</literal> config option.
</para>
<para>
In windows domain, clients usually don't need to configure anything special as IE is already able to participate in SPNEGO authentication for the windows domain.
</para>
</section>
<section>
<title>Example setups</title>
<para>
For easier testing with Kerberos, we provided some example setups to test.
</para>
<section>
<title>Keycloak and FreeIPA docker image</title>
<para>
Once you install <ulinkurl="https://www.docker.com/">docker</ulink>, you can run docker image with <ulinkurl="http://www.freeipa.org/">FreeIPA</ulink>
server installed. FreeIPA provides integrated security solution with MIT Kerberos and 389 LDAP server among other things . The image provides
also Keycloak server configured with LDAP Federation provider and enabled SPNEGO/Kerberos authentication against the FreeIPA server.
See details <ulinkurl="https://github.com/mposolda/keycloak-freeipa-docker/blob/master/README.md">here</ulink> .
</para>
</section>
<section>
<title>ApacheDS testing Kerberos server</title>
<para>
For quick testing and unit tests, we use very simple <ulinkurl="http://directory.apache.org/apacheds/">ApacheDS</ulink> Kerberos server.
You need to build Keycloak from sources and then run Kerberos server with maven-exec-plugin from our testsuite. See details
in access token. Application will need to deserialize it and use it for further GSS calls against other services. We have an example, which is showing it in details. It's in <literal>examples/kerberos</literal>
in the Keycloak example distribution or demo distribution download. You can also check the example sources directly <ulinkurl="https://github.com/keycloak/keycloak/blob/master/examples/kerberos">here</ulink> .
If you have issues, we recommend to enable more logging by:
<itemizedlist>
<listitem>
<para>
Enable <literal>Debug</literal> flag in admin console for Kerberos or LDAP federation providers
</para>
</listitem>
<listitem>
<para>
Enable TRACE logging for category <literal>org.keycloak</literal> in logging section of <literal>$WILDFLY_HOME/standalone/configuration/standalone.xml</literal>
to receive more info <literal>$WILDFLY_HOME/standalone/log/server.log</literal>
</para>
</listitem>
<listitem>
<para>
Add system properties <literal>-Dsun.security.krb5.debug=true</literal> and <literal>-Dsun.security.spnego.debug=true</literal>