+++ This bug was initially created as a clone of Bug #49485 +++

When Kerberos authentication is configured in Keycloak, it will fall back to password authentication if no Kerberos ticket is presented by the browser. When on an unjoined Windows client on Chrome or Edge, a popup asking for credentials will be shown. When clicking cancel, the fallback login page for single sign-on can be accessed. This can be annoying to customers.

In simpleSAMLphp this was configurable by the UCR variable/the simpleSAMLphp setting `saml/idp/negotiate/filter-subnets`. Keycloak doesn't have such a setting to remove certain IPs from the Kerberos authentication. But it can be achieved using an apache2 configuration in univention-keycloak.conf that removes the WWW-Authenticate header from the request if it comes from a certain IP.

In a project, the following was configured in /var/lib/univention-appcenter/apps/keycloak/data/local-univention-keycloak.conf:

<If "%{REMOTE_ADDR} -ipmatch '10.200.21.0/24'">
    Header unset WWW-Authenticate
</If>

If this should be part of the product, we should make this configurable via a setting.
Another customer needs that: 2024020621000268
Another customer that needs to disable kerberos authentication or apply the workaround: 2024021521000134
Seems to affect more customers, so I am increasing the affected customers, and regarding the non-working workaround I am inclined to raise the "flag", because with 5.2 this might become a blocking issue?
In addition to the already mentioned workflow when logging in through the browser, I noticed another and slightly more annoying behaviour. Customers are using MS365 also to give access to locally installable apps like MS Office. To install these apps one has to configure a "Microsoft account" using "access to work or school account". The first step is to provide the mail address which is linked to the MS365 account. If this is found, one will be redirected to the IDP. This presents the mentioned popup. The user has to provide at least a username in this dialog and click "OK" to proceed. In case the dialog is cancelled, the missing authentication leads to an HTTP 401 error and the connection wizard is stopped. Note: it doesn't matter if the username/password entered here is valid or not.
root@dn1:~# cat /var/lib/univention-appcenter/apps/keycloak/data/local-univention-keycloak.conf
# Unset the header only for clients outside all three private ranges.
# In ap_expr the unary "!" binds tighter than "||", so the negation has to
# wrap the whole disjunction, otherwise only the first range is negated.
<If "!(-R '10.0.0.0/8' || -R '172.16.0.0/12' || -R '192.168.0.0/16')">
    Header unset WWW-Authenticate
</If>

This configuration appears to disable the Kerberos auth for external clients. I could not verify yet that it works for internal machines, but it looks like it would work. My current setup displays the login dialog as expected when the Kerberos configuration isn't working.
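The two Apache snippets in this thread (the `-ipmatch` form in the report that removes one /24 from Kerberos, and the `-R` form above that removes everything outside the RFC 1918 ranges) make the same kind of decision: whether `Header unset WWW-Authenticate` fires for a given client address. The following is an added example, not code from the bug report, Univention or Keycloak; it models that decision in Python so the effect on a client address can be checked offline, including the operator-precedence pitfall when the negation does not wrap the whole `||` chain. The subnets, client addresses and the response header list are constructed for the example.

```python
"""Offline model of the conditional WWW-Authenticate removal.

Added example; not code from the bug report, Univention or Keycloak.
Subnets, client addresses and headers below are constructed samples.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

Header = Tuple[str, str]

# Constructed sample of a 401 response from an IdP that offers Kerberos:
# the browser reacts to "WWW-Authenticate: Negotiate" with the credential popup.
KEYCLOAK_401_HEADERS: List[Header] = [
    ("WWW-Authenticate", "Negotiate"),
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Cache-Control", "no-store"),
]


def matches_any(client_ip: str, subnets: Iterable[str]) -> bool:
    """`%{REMOTE_ADDR} -ipmatch 'net'` or `-R 'net'`, OR-ed over the given nets."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in subnets)


def unset_negotiate(client_ip: str, subnets: Sequence[str], outside: bool) -> bool:
    """Decide whether `Header unset WWW-Authenticate` fires for this client.

    outside=False: unset for clients inside the listed nets (the 10.200.21.0/24
    case that excludes one subnet from Kerberos).
    outside=True: unset for clients outside all listed nets (the RFC 1918 case).
    The outside case is `!(a || b || c)`: the negation wraps the whole disjunction.
    """
    inside = matches_any(client_ip, subnets)
    return (not inside) if outside else inside


def unset_negotiate_unparenthesised(client_ip: str, subnets: Sequence[str]) -> bool:
    """Literal evaluation of `! (-R a) || (-R b) || (-R c)`.

    In ap_expr unary `!` binds tighter than `||`, so only the first range is
    negated: every client outside the first range, including clients in the
    second and third ranges, loses the Negotiate header.
    """
    first, rest = subnets[0], subnets[1:]
    return (not matches_any(client_ip, [first])) or matches_any(client_ip, rest)


def filter_headers(headers: Sequence[Header], client_ip: str,
                   subnets: Sequence[str], outside: bool) -> List[Header]:
    """Apply the conditional header removal to a response header list."""
    if not unset_negotiate(client_ip, subnets, outside):
        return list(headers)
    # Without "WWW-Authenticate: Negotiate" the browser shows no credential
    # popup and the user lands directly on the normal login form.
    return [(name, value) for name, value in headers if name.lower() != "www-authenticate"]


if __name__ == "__main__":
    private = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    for ip in ["10.1.2.3", "192.168.5.9", "203.0.113.7"]:
        kept = [name for name, _ in filter_headers(KEYCLOAK_401_HEADERS, ip, private, outside=True)]
        print(ip, "Negotiate offered" if "WWW-Authenticate" in kept else "falls back to login form")
        print(ip, "unparenthesised form would unset:", unset_negotiate_unparenthesised(ip, private))
```

Running the block shows that with the correctly parenthesised condition only 203.0.113.7 loses the Negotiate offer, whereas the unparenthesised reading also strips it from 192.168.5.9, which is the difference between "external clients go straight to the login form" and "everything except 10/8 goes straight to the login form".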
The workaround using "Header unset WWW-Authenticate" has a major drawback. With this it is no longer possible to connect a "Microsoft Account" ("Access to work or school") with clients outside the internal network. School customers are using this to provide Office licenses to their teachers and students.
Successful build
Package: univention-keycloak
Version: 1.0.13-2
Branch: 5.0-0
Scope: errata5.0-9
User: jbremer

658a577725 Bug #56474: Add kerberos conditional auth tests
746f93b050 Bug #56474: Enable univention-keycloak to update an existing flow to add
f59b6f94c6 remove obsolete cron job (Bug #36928)
QA:
OK: univention-keycloak script can add new subnet filtering condition to Keycloak auth flow
OK: subnet filtering condition in Keycloak can be used to exclude ip ranges from using kerberos
OK: advisories
OK: new test scenarios
OK: successful package builds
OK: ucs-test run
OK: 5.0-9, 5.1-0, 5.2-0
<https://errata.software-univention.de/#/?erratum=5.0x1172>