SPNEGO Warning (#1770)
SPNEGO Warning

Co-authored-by: andymunro <48995441+andymunro@users.noreply.github.com>
parent
2352a7d3ea
commit
e424eea65e
1 changed files with 5 additions and 0 deletions
|
@ -16,6 +16,11 @@ A typical use case for web authentication is the following:
|
|||
. If using LDAPFederationProvider with Kerberos authentication support, {project_name} provisions user data from LDAP. If using KerberosFederationProvider, {project_name} lets the user update the profile and pre-fill login data.
|
||||
. {project_name} returns to the application. {project_name} and the application communicate through OpenID Connect or SAML messages. {project_name} acts as a broker to Kerberos/SPNEGO login. Therefore {project_name} authenticating through Kerberos is hidden from the application.
|
||||
|
||||
[WARNING]
|
||||
====
|
||||
The https://www.ietf.org/rfc/rfc4559.txt[Negotiate] www-authenticate scheme allows NTLM as a fallback to Kerberos and on some web browsers in Windows NTLM is supported by default. If a www-authenticate challenge comes from a server outside a browsers permitted list, users may encounter an NTLM dialog prompt. A user would need to click the cancel button on the dialog to continue as Keycloak does not support this mechanism. This situation can happen if Intranet web browsers are not strictly configured or if Keycloak serves users in both the Intranet and Internet. A https://github.com/keycloak/keycloak/issues/8989[custom authenticator] can be used to restrict Negotiate challenges to a whitelist of hosts.
|
||||
====
|
||||
|
||||
Perform the following steps to set up Kerberos authentication:
|
||||
|
||||
. The setup and configuration of the Kerberos server (KDC).
|
||||
|
|
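Review bot: The added warning hard-codes "Keycloak" in two places ("as Keycloak does not support this mechanism" and "if Keycloak serves users in both the Intranet and Internet"), while the unchanged context lines around it use the {project_name} attribute; both should be {project_name} so the text renders correctly wherever that attribute is overridden. In the same paragraph, "a browsers permitted list" needs the possessive ("a browser's permitted list"), the header is conventionally written WWW-Authenticate, and "this mechanism" would be clearer as "NTLM", since the sentence before it names both Negotiate and NTLM. It would also help to say that the linked custom authenticator is not built in, because the link target is an issue rather than documentation, and "whitelist of hosts" could be worded as "allowlist of hosts" to match "permitted list" earlier in the paragraph.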