From e424eea65e13730e677b84bddf03965f79d455a2 Mon Sep 17 00:00:00 2001 From: Ryan Slominski Date: Wed, 22 Feb 2023 09:47:43 -0500 Subject: [PATCH] SPNEGO Warning (#1770) SPNEGO Warning Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com> --- server_admin/topics/authentication/kerberos.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/server_admin/topics/authentication/kerberos.adoc b/server_admin/topics/authentication/kerberos.adoc index 946c304d48..8627306e43 100644 --- a/server_admin/topics/authentication/kerberos.adoc +++ b/server_admin/topics/authentication/kerberos.adoc 
@@ -16,6 +16,11 @@ A typical use case for web authentication is the following: . If using LDAPFederationProvider with Kerberos authentication support, {project_name} provisions user data from LDAP. If using KerberosFederationProvider, {project_name} lets the user update the profile and pre-fill login data. . {project_name} returns to the application. {project_name} and the application communicate through OpenID Connect or SAML messages. {project_name} acts as a broker to Kerberos/SPNEGO login. Therefore {project_name} authenticating through Kerberos is hidden from the application. +[WARNING] +==== +The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as Keycloak does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if Keycloak serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts. +==== + Perform the following steps to set up Kerberos authentication: . The setup and configuration of the Kerberos server (KDC).
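Review bot: The added [WARNING] block hardcodes "Keycloak" twice ("as Keycloak does not support this mechanism", "if Keycloak serves users in both the Intranet and Internet") while the surrounding lines of kerberos.adoc use the {project_name} attribute; use {project_name} in both places so the admonition renders consistently with the rest of the file. Two smaller wording points in the same block: the header name is conventionally written WWW-Authenticate rather than www-authenticate, and "a browsers permitted list" needs a possessive ("a browser's permitted list"). Also, the "custom authenticator" link targets a GitHub issue rather than documentation; consider saying in that sentence that it is an issue reference and not a documented, supported feature, so readers do not take the linked code as an official component.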