Today I tried to update one of our Keycloaks from version 12 to 18. Everything looked good except Kerberos login. I am using the exact same keytab file I used in KC version 12 but in version 18 I do get this:
May 24 23:18:36 kc001.linux.mydomain.at kc.sh[8164]: 2022-05-24 23:18:36,996 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-2) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Any ideas what might be the cause?
Cheers, Ronald
On 24.05.22 23:47, Ronald Wimmer via FreeIPA-users wrote:
Today I tried to update one of our Keycloaks from version 12 to 18. Everything looked good except Kerberos login. I am using the exact same keytab file I used in KC version 12 but in version 18 I do get this:
May 24 23:18:36 kc001.linux.mydomain.at kc.sh[8164]: 2022-05-24 23:18:36,996 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-2) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Any ideas what might be the cause?
After I reverted to the snapshot I took before the same problem appeared. Obviously, it has nothing to do with the Keycloak update. I need to investigate where the "checksum failed" error comes from.
Cheers, Ronald
On 25.05.22 09:26, Ronald Wimmer via FreeIPA-users wrote:
On 24.05.22 23:47, Ronald Wimmer via FreeIPA-users wrote:
Today I tried to update one of our Keycloaks from version 12 to 18. Everything looked good except Kerberos login. I am using the exact same keytab file I used in KC version 12 but in version 18 I do get this:
May 24 23:18:36 kc001.linux.mydomain.at kc.sh[8164]: 2022-05-24 23:18:36,996 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-2) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Any ideas what might be the cause?
After I reverted to the snapshot I took before the same problem appeared. Obviously, it has nothing to do with the Keycloak update. I need to investigate where the "checksum failed" error comes from.
After freeing Firefox from its snap prison I tried again and the problem vanished. This is just a coincidence as I verified the problem from a windows host yesterday.
What I really need to know is what can cause such a checksum error? Any ideas?
Cheers, Ronald
On 25.05.22 16:27, Ronald Wimmer via FreeIPA-users wrote:
On 25.05.22 09:26, Ronald Wimmer via FreeIPA-users wrote:
On 24.05.22 23:47, Ronald Wimmer via FreeIPA-users wrote:
Today I tried to update one of our Keycloaks from version 12 to 18. Everything looked good except Kerberos login. I am using the exact same keytab file I used in KC version 12 but in version 18 I do get this:
May 24 23:18:36 kc001.linux.mydomain.at kc.sh[8164]: 2022-05-24 23:18:36,996 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-2) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Any ideas what might be the cause?
After I reverted to the snapshot I took before the same problem appeared. Obviously, it has nothing to do with the Keycloak update. I need to investigate where the "checksum failed" error comes from.
After freeing Firefox from its snap prison I tried again and the problem vanished. This is just a coincidence as I verified the problem from a windows host yesterday.
What I really need to know is what can cause such a checksum error? Any ideas?
I read something that enabling preauth could help in such authentication matters but honestly I doubt that.
Has anyone had similar problems and could point me in the right direction?
Cheers, Ronald
freeipa-users@lists.fedorahosted.org