Showing posts from July, 2015

Authenticating via Kerberos with Keycloak and Windows 2008 Active Directory

The following instructions show you how to configure Keycloak with Windows AD in order to use Kerberos authentication.

Assumptions

- The Kerberos realm is VIRTUAL.LOCAL.
- The hostname used to access Keycloak is virtual.local. This just means we are running Keycloak on the domain controller. In production virtual.local will be replaced with something like or something like that, giving you a SPN of HTTP/

Configuration

Create a Windows domain account called Keycloak.

Run the following command to assign a SPN to the user and generate a keytab file:

ktpass -out keycloak.keytab -princ HTTP/virtual.local@VIRTUAL.LOCAL -mapUser Keycloak@VIRTUAL.LOCAL -pass password1! -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

Verify the SPN has been assigned to the user with the command:

setspn -l Keycloak

Configure the LDAP settings in Keycloak like this. Since we are running Keycloak on the domain controller, we reference LDAP via the local …
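The account creation, SPN mapping and keytab export described above, as an added PowerShell example that is not part of the original post. It reuses the post's names (realm VIRTUAL.LOCAL, host virtual.local, account Keycloak); the keytab path and the choice of AES256 instead of the post's RC4-HMAC-NT are this example's own assumptions, and the msDS-SupportedEncryptionTypes value 24 (AES128 + AES256) is set explicitly so the KDC issues AES tickets for the account. It is meant to be run in an elevated PowerShell on a domain controller with the ActiveDirectory module installed.

```powershell
# Added example, not from the original post: create the Keycloak service account,
# map the HTTP SPN to it, export a keytab and verify the result.
Import-Module ActiveDirectory

$realm    = 'VIRTUAL.LOCAL'
$hostName = 'virtual.local'              # the hostname users type in the browser
$account  = 'Keycloak'
$spn      = "HTTP/$hostName"
$keytab   = 'C:\keytabs\keycloak.keytab'  # assumed output location

# Prompt for the password instead of embedding it in the script or shell history.
$password = Read-Host -AsSecureString "Password for $account"

# Plain service account; the password is locked so a rotation can only happen together
# with a new keytab.
New-ADUser -Name $account -SamAccountName $account `
    -UserPrincipalName "$account@$realm" `
    -AccountPassword $password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# Restrict the account to AES: msDS-SupportedEncryptionTypes 24 = AES128 (8) + AES256 (16).
Set-ADUser -Identity $account -Replace @{ 'msDS-SupportedEncryptionTypes' = 24 }

# ktpass maps the SPN to the account and writes the keytab. "-pass *" prompts for the
# password; ktpass resets the account password to it, so AD and the keytab stay in sync.
# AES256-SHA1 is used here instead of the post's RC4-HMAC-NT.
ktpass -out $keytab -princ "$spn@$realm" -mapUser "$account@$realm" -pass * `
    -kvno 0 -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1

# The keytab is equivalent to the account password: keep it readable by administrators only.
icacls $keytab /inheritance:r /grant:r 'Administrators:(F)'

# Check 1: the SPN is registered on the account.
setspn -L $account

# Check 2: the same SPN is not registered on any other account in the forest;
# a duplicate SPN makes the KDC issue tickets Keycloak cannot decrypt.
setspn -X

# Check 3: the SPN is resolvable by clients. Run this as a logged-on domain user on a
# domain-joined machine; a failure here points at the SPN or DNS, not at Keycloak.
klist get $spn
```

If `setspn -X` reports HTTP/virtual.local on a second account, remove it there before testing the Keycloak login; the browser SPNEGO negotiation will otherwise fail even though `setspn -L Keycloak` looks correct.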