As per this doc and as its item 4 says:
renders the HTML login screen with status 401 and HTTP header WWW-Authenticate: Negotiate.
In the meantime, I don't see anything like this in the response of my keycloak (WWW-Authenticate header is not present).
User federation was set up along with krb5.conf and everything on the AD side (SPN, keytab, correct principal, etc.). Moreover, if I set the option "Use Kerberos for password", I can see in the debug logs that it really uses Kerberos for the password check and performs it successfully. I mean I can log in with my account name and password entered manually.
It makes me think that something is wrong in the Keycloak settings rather than in AD or the keytab, but I really can't work out where the problem is or how to get users to log in transparently. Could I be missing something significant?
Additionally, after the redirect to the Keycloak login form, I can find an exception in the logs:
WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-117) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
I use Chrome, and have done all the necessary things to add Keycloak's hostname to auth-server-whitelist.
Keycloak's URL: https://auth.company.com
AD domain: DOMAIN.LOCAL
Server principal: HTTP/[email protected]
In the TRACE output I found some interesting lines:
2023-07-31 09:57:21,366 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (executor-thread-2) invoke authenticator.authenticate: auth-spnego
2023-07-31 09:57:21,366 TRACE [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (executor-thread-2) Sending back WWW-Authenticate: Negotiate
But why does the WWW-Authenticate header still not show up in the response headers of the /realms/{my realm}/protocol/openid-connect/auth page?
Please help.
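A small diagnostic script, added here as an example (it is not the poster's code and not part of Keycloak), for checking the two points raised above: whether the auth endpoint really answers 401 with WWW-Authenticate: Negotiate, and what kind of token a browser actually sent in Authorization: Negotiate. A token that is NTLM rather than SPNEGO/Kerberos carries no GSS-API header at all, which is exactly the condition that yields "GSSHeader did not find the right tag". The URL passed on the command line and the two sample tokens are assumptions/constructed values.

```python
import base64
import sys
import urllib.error
import urllib.request

# DER-encoded mechanism OIDs (tag 0x06 + length + value), well known in GSS-API.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f71201020202")     # 1.2.840.113554.1.2.2

def _der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(b64token):
    """Classify the base64 value of an 'Authorization: Negotiate' header."""
    raw = base64.b64decode(b64token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                     # no GSS header: the 'wrong tag' failure
    if not raw or raw[0] != 0x60:         # GSS-API InitialContextToken = APPLICATION 0
        return "unknown"
    _, pos = _der_length(raw, 1)
    if raw.startswith(SPNEGO_OID, pos):
        return "spnego"
    if raw.startswith(KRB5_OID, pos):
        return "kerberos"
    return "unknown"

def has_negotiate_challenge(status, headers):
    """True when a response is a proper SPNEGO challenge: 401 plus Negotiate."""
    values = [v for k, v in headers if k.lower() == "www-authenticate"]
    return status == 401 and any(v.strip().lower().startswith("negotiate") for v in values)

def probe(url):
    """Fetch the auth URL anonymously and report whether it challenges for Negotiate."""
    try:
        resp = urllib.request.urlopen(url)
        status, headers = resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:
        status, headers = err.code, list(err.headers.items())
    return has_negotiate_challenge(status, headers)

# Constructed sample tokens (not captured from a real session).
SAMPLE_SPNEGO_TOKEN = base64.b64encode(b"\x60\x0d" + SPNEGO_OID + b"\xa0\x03\x02\x01\x00").decode()
SAMPLE_NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    print("challenge present:", probe(sys.argv[1]))  # pass the full auth URL
```

Run it with the complete /protocol/openid-connect/auth URL (including client_id and redirect_uri) so the request reaches the browser flow rather than an error page; to inspect the browser side, paste the value after "Negotiate " from the request's Authorization header into classify_negotiate_token.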