3.5. Kerberos

This section provides information regarding Kerberos that you need to consider during the migration procedure.

3.5.1. Add Kerberos SPN to Samba on replicas

If you installed Keycloak after you set up the Active Directory-compatible Domain Controller on a UCS Replica Directory Node, for example in UCS@school environments, run the command in Listing 3.18 on that UCS Replica Directory Node to ensure that Kerberos authentication works properly.

Listing 3.18 Add Kerberos SPN to Samba Replicas
$ eval "$(ucr shell)"
$ samba-tool spn add "HTTP/${keycloak_server_sso_fqdn:-ucs-sso-ng.$domainname}"

3.5.2. Migrate the Kerberos filter-subnets settings to Keycloak

In SimpleSAMLphp, you could restrict Kerberos authentication to certain IP subnets by adding the subnetworks to the UCR Variable saml/idp/negotiate/filter-subnets.

New in version 25.0.6-ucs2: Add the filter-subnet settings to Keycloak.

Starting with Keycloak version 25.0.6-ucs2, you can limit Kerberos authentication to selected subnetworks as well. For information about how to configure it, see Restrict Kerberos authentication to IP subnets.
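To check that the subnet list you carry over to Keycloak makes the same decision for your clients as the old UCR value did, here is an added example in Python (not part of the UCS documentation or the Keycloak app). It assumes the filter-subnets value is a comma- or whitespace-separated list of CIDR networks and, following SimpleSAMLphp's negotiate module, that an empty list means no restriction; the IP values are constructed.

```python
import ipaddress
import re
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_filter_subnets(value: str) -> List[Network]:
    """Parse a filter-subnets value into network objects.

    Assumption: comma- or whitespace-separated CIDR networks. A bare host is
    accepted as /32 (or /128); host bits set in a prefix (10.0.1.5/24) are
    masked off rather than rejected.
    """
    networks: List[Network] = []
    for token in re.split(r"[,\s]+", value.strip()):
        if token:
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def kerberos_offered(client_ip: str, subnets: List[Network]) -> bool:
    """Return True when the client would be offered Kerberos (SPNEGO).

    Assumption (from SimpleSAMLphp's negotiate module): an empty list means
    no restriction. Otherwise the address must fall into a configured network
    of the same IP version; everything else falls back to password login.
    """
    if not subnets:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in subnets if net.version == addr.version)


def compare_policies(old_value: str, new_value: str, sample_ips: List[str]) -> List[str]:
    """Sample client IPs whose decision differs between the old SimpleSAMLphp
    list and the list proposed for Keycloak. Empty means behaviour is kept."""
    old, new = parse_filter_subnets(old_value), parse_filter_subnets(new_value)
    return [ip for ip in sample_ips
            if kerberos_offered(ip, old) != kerberos_offered(ip, new)]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation.
    old_ucr = "10.200.0.0/16, 192.168.10.0/24"
    proposed_keycloak = "10.200.0.0/16"
    clients = ["10.200.3.7", "192.168.10.42", "203.0.113.5"]
    for ip in clients:
        decision = kerberos_offered(ip, parse_filter_subnets(old_ucr))
        print(ip, "kerberos" if decision else "password")
    print("differs:", compare_policies(old_ucr, proposed_keycloak, clients))
```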