
I have a Web App that uses Keycloak/OpenID Connect to authenticate a user to a Windows AD.

Users will not be using a browser on a workstation in the Windows AD domain.

The Web App server (Tomcat with Keycloak adapter) is running in the Windows AD domain.

The Web App is configured for Keycloak/OpenID Connect. Keycloak realm is configured to use the Windows AD Kerberos/LDAP.

The user browser forwards to the keycloak login and following a successful login, forwards back to the web app.

The Web App needs to connect to an IBM i using a Kerberos ticket/GSS Credential. The IBM i is configured for SSO/EIM using the Windows AD. It works.

I configured the Keycloak client for GSS Credential Forwarding.

I try to get the GSS Credential from the Servlet request using the Keycloak client:

    import java.util.Map;
    import org.ietf.jgss.GSSCredential;
    import org.keycloak.KeycloakPrincipal;
    import org.keycloak.KeycloakSecurityContext;
    import org.keycloak.common.constants.KerberosConstants;
    import org.keycloak.common.util.KerberosSerializationUtils;
    import org.keycloak.representations.AccessToken;

    // Obtain the access token from the authenticated Keycloak principal.
    KeycloakPrincipal<KeycloakSecurityContext> kcp = (KeycloakPrincipal<KeycloakSecurityContext>) request.getUserPrincipal();
    AccessToken at = kcp.getKeycloakSecurityContext().getToken();
    String username = at.getPreferredUsername();
    wtr.append("Windows User: ").append(username).append(newLine);

    // Retrieve the Kerberos credential from the access token's extra claims and deserialize it.
    Map<String, Object> otherClaims = at.getOtherClaims();
    Object otherClaim = otherClaims.get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
    String serializedGSSCred = (String) otherClaim;
    GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(serializedGSSCred);

The "otherClaims" map is empty, so deserializing throws a null pointer exception with the message:

org.keycloak.common.util.KerberosSerializationUtils$KerberosSerializationException: Null credential given as input. Did you enable kerberos credential delegation for your web browser and mapping of gss credential to access token?, Java version: 1.8.0_152, runtime version: 1.8.0_152-b16, vendor: Oracle Corporation, os: 6.2
at org.keycloak.common.util.KerberosSerializationUtils.deserializeCredential(KerberosSerializationUtils.java:70)

What am I missing?

2 Answers

As "Users will not be using a browser on a workstation in the Windows AD domain", Keycloak will never receive GSS credentials from the browser and so cannot forward them to your Java Web App.

As far as I found in the Keycloak documentation Kerberos section, Keycloak does not support Kerberos Constrained Delegation (yet) and so cannot impersonate the user, i.e. generate a TGT on behalf of the end user based on their login name.

From my point of view, your Java Web App has to invoke Kerberos Constrained Delegation S4U2Self for impersonation and then request a TGS for the expected SPN with S4U2Proxy to authenticate with the IBM i service.

You can refer to the following examples to get that achieved:

Yves Martin
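The S4U2Self/S4U2Proxy flow the answer above recommends, written as an added example in Java 8 JGSS (it is not code from the question, the answer or the Keycloak project). It assumes a JAAS entry named `WebAppService` that logs the web app's AD service account in from a keytab, that this account is configured in AD for constrained delegation with protocol transition to the IBM i SPN (msDS-AllowedToDelegateTo), and that the IBM i service principal follows the `krbsvr400/<host>` naming convention; the host and realm names are placeholders.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4UDelegation {

    // Kerberos V5 mechanism OID.
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";

    /**
     * Returns the first GSS-API token to send to the IBM i service on behalf of
     * userPrincipal (e.g. the preferred_username from the OIDC access token),
     * without the web app ever holding the user's own TGT.
     *
     * ibmiService is host-based, e.g. "krbsvr400@ibmi.example.com" (placeholder);
     * JGSS maps it to krbsvr400/ibmi.example.com@<default realm>.
     */
    public static byte[] initialTokenFor(String userPrincipal, String ibmiService) throws Exception {
        // "WebAppService" is an assumed jaas.conf entry using Krb5LoginModule with
        // useKeyTab=true, storeKey=true, principal=<web app service account>.
        LoginContext lc = new LoginContext("WebAppService");
        lc.login();

        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_OID);

            // The service's own credential, taken from the logged-in Subject.
            GSSCredential self = manager.createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

            // S4U2Self: the KDC issues a ticket to our own service in the user's name.
            // Requires "use any authentication protocol" (protocol transition) on the account.
            GSSName user = manager.createName(userPrincipal, GSSName.NT_USER_NAME);
            GSSCredential impersonated = ((ExtendedGSSCredential) self).impersonate(user);

            // S4U2Proxy: initiating a context with the impersonated credential makes the
            // KDC issue a service ticket for the IBM i SPN, only if that SPN is listed
            // in msDS-AllowedToDelegateTo for the web app's account.
            GSSName target = manager.createName(ibmiService, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = manager.createContext(target, krb5, impersonated, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            // Feed the IBM i's reply back into ctx.initSecContext until ctx.isEstablished().
            return token;
        });
    }
}
```

If the IBM i client library you use accepts a GSSCredential directly, the `impersonated` credential is the object to hand it; the library then performs the same S4U2Proxy exchange internally.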

For the browser to be able to negotiate (SPNEGO) it needs to be on the AD domain (also the delegation needs to be set up at the AD level, using the msDS-AllowedToDelegateTo field) in order for the KC to impersonate the user on the backend service. I would expect you get a 401 (Unauthorized) to which your browser cannot respond as it won't be able to get a Kerberos ticket. You could in theory do basic authentication against the web server, get a Kerberos ticket on your webapp and forward it to the backend...

SorinS