SPNEGO Warning (#1770)
SPNEGO Warning Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
This commit is contained in:
parent
2352a7d3ea
commit
e424eea65e
1 changed files with 5 additions and 0 deletions
|
@ -16,6 +16,11 @@ A typical use case for web authentication is the following:
|
||||||
. If using LDAPFederationProvider with Kerberos authentication support, {project_name} provisions user data from LDAP. If using KerberosFederationProvider, {project_name} lets the user update the profile and pre-fill login data.
|
. If using LDAPFederationProvider with Kerberos authentication support, {project_name} provisions user data from LDAP. If using KerberosFederationProvider, {project_name} lets the user update the profile and pre-fill login data.
|
||||||
. {project_name} returns to the application. {project_name} and the application communicate through OpenID Connect or SAML messages. {project_name} acts as a broker to Kerberos/SPNEGO login. Therefore {project_name} authenticating through Kerberos is hidden from the application.
|
. {project_name} returns to the application. {project_name} and the application communicate through OpenID Connect or SAML messages. {project_name} acts as a broker to Kerberos/SPNEGO login. Therefore {project_name} authenticating through Kerberos is hidden from the application.
|
||||||
|
|
||||||
|
[WARNING]
|
||||||
|
====
|
||||||
|
The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as Keycloak does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if Keycloak serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts.
|
||||||
|
====
|
||||||
|
|
||||||
Perform the following steps to set up Kerberos authentication:
|
Perform the following steps to set up Kerberos authentication:
|
||||||
|
|
||||||
. The setup and configuration of the Kerberos server (KDC).
|
. The setup and configuration of the Kerberos server (KDC).
|
||||||
|
|
Loading…
Reference in a new issue