Configuring Kerberos and Single Sign-On with SV 10.5 facing Exceptions


Article ID: 141162




CLOUDTEST CA Application Test CA Cloud Test Mobile MOBILECLOUD Service Virtualization


Customer has IAM, Enterprise Dashboard, Registry and Portal running - All 10.5.

We are still in the process of configuring their IAM with LDAP.

When looking at our next steps, we discussed that we will need to change some configuration in the browser, and the customer mentioned that the users should not have permissions to change the security settings in the browser.

He also added that they authenticate to the computer using a smart card. They do not enter a username and password.

It looks like the information from the smartcard is translated to a username/password in the Active Directory side, and this information will be passed in the request header being sent in the browser.

Should that work fine? Is there a different step to follow if a user cannot change the security settings in the browser?

We are following the documentation.
While configuring LDAP + Kerberos to enable single sign-on, I am facing the following exception:

2019-10-02 10:35:20,347 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-26) SPNEGO login failed: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at Method)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(
at org.keycloak.credential.UserCredentialStoreManager.authenticate(
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(
at org.keycloak.authentication.AuthenticationProcessor.authenticate(
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(
... 81 more
2019-10-02 10:35:20,362 INFO  [stdout] (default task-26) [Krb5LoginModule]: Entering logout
2019-10-02 10:35:20,362 INFO  [stdout] (default task-26) [Krb5LoginModule]: logged out Subject


Release : 10.5

Component : CA Application Test


As suggested, set the following values for "network.negotiate-auth.trusted-uris" in the Firefox browser:

That is, specify a comma-delimited list of trusted domain(s), hostname(s) and/or URL prefix(es) in the popup window. Only sites matching this list are offered Negotiate authentication, so the list controls which hosts the browser will send a Kerberos ticket to.

Please note that domains can be wildcarded by specifying a domain suffix with a dot in front (i.e. a leading period matches every host in that domain).

Example #1: - Fully Qualified Domain Name (FQDN) of the host running the web application (IAM/Keycloak).
Example #2: - URL of the web application (IAM/Keycloak).
Example #3: - domain name, with a leading dot to match all hosts in the domain.

Also, make sure that you have the following configured in your Firefox browser for the Kerberos to work:

network.negotiate-auth.allow-non-fqdn = false
network.negotiate-auth.allow-proxies = true
network.negotiate-auth.delegation-uris = Include the local intranet domain name, such as, where the leading period represents a wildcard character
network.negotiate-auth.using-native-gsslib = true
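As an added illustration, not part of this article or of the product, here is a small Python model of how the trusted-uris list and the allow-non-fqdn setting decide whether Firefox will offer Negotiate (and so release a Kerberos ticket) to a given URL, using the three entry forms described above. The hostnames are constructed placeholders and the matching rules are a simplified reading of the article, not Firefox's exact implementation.

```python
from urllib.parse import urlsplit

# Values the article asks for (trusted-uris is site-specific and handled separately).
EXPECTED_PREFS = {
    "network.negotiate-auth.allow-non-fqdn": False,
    "network.negotiate-auth.allow-proxies": True,
    "network.negotiate-auth.using-native-gsslib": True,
}


def parse_trusted_uris(value):
    """Split the comma-delimited list into (kind, entry): url-prefix, domain-suffix or host."""
    out = []
    for raw in value.split(","):
        e = raw.strip().lower()
        if not e:
            continue
        kind = "url-prefix" if "://" in e else "domain-suffix" if e.startswith(".") else "host"
        out.append((kind, e))
    return out


def _origin(url):
    """(scheme, host, port) of a URL, with the default port filled in."""
    p = urlsplit(url)
    return p.scheme, (p.hostname or ""), p.port or (443 if p.scheme == "https" else 80)


def is_trusted(url, trusted_uris, allow_non_fqdn=False):
    """Would the browser offer Negotiate to this URL under the given trusted-uris list?"""
    scheme, host, port = _origin(url.lower())
    if "." not in host and not allow_non_fqdn:
        return False  # short (non-FQDN) hostnames are refused when allow-non-fqdn = false
    for kind, e in parse_trusted_uris(trusted_uris):
        if kind == "url-prefix" and (scheme, host, port) == _origin(e):
            return True  # scheme, host and port of the URL prefix all match
        if kind == "domain-suffix" and host.endswith(e):
            return True  # leading dot acts as a wildcard for the whole domain
        if kind == "host" and host == e:
            return True  # exact FQDN match
    return False


def check_prefs(prefs):
    """Names of the negotiate-auth prefs whose value differs from the article's values."""
    return sorted(k for k, v in EXPECTED_PREFS.items() if prefs.get(k) != v)


# Constructed sample list; hostnames are placeholders, not a real deployment.
TRUSTED = "iam.example.internal, https://portal.example.internal:8443, .corp.example.internal"
```

Running `is_trusted("https://iam.example.internal/auth", TRUSTED)` returns True, while a short name such as `https://iam` is refused unless allow-non-fqdn is enabled and the short name is listed.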

Additional Information

Please refer to the Auto login section in the for configuring Kerberos: