Description Julia Bremer 2023-08-22 21:53:57 CEST

+++ This bug was initially created as a clone of Bug #49485 +++

When Kerberos authentication is configured in Keycloak, it will fall back to password authentication if no kerberos ticket is presented by the browser.

When being on an unjoined Windows client on chrome or edge, a popup asking for credentials will be shown. When clicking cancel, the fallback login page for single sign-can be accessed.
This can be annoying to customers.

In simplesamlphp this was configurable by the UCR variable/the simpleSAMLphp setting `saml/idp/negotiate/filter-subnets`

Keycloak doesn't have such a setting to remove certain IPs from the Kerberos authentication. 
But it can be archieved using an apache2 configuration in univention-keycloak.conf that removes the www-authenticate header from the request if it comes from a certain IP.

In a project, the following was configured in the
/var/lib/univention-appcenter/apps/keycloak/data/local-univention-keycloak.conf

<If “%{REMOTE_ADDR} -ipmatch ‘10.200.21.0/24’”>
Header unset WWW-Authenticate


If this should be part of the product, we should make this configurable via a setting