I have a Keycloak instance with two different LDAP providers, both with Kerberos authentication enabled.
Provider A has first priority, provider B second. Each provider's settings specify its own (different) Kerberos realm.
We are talking about two ADs with a domain trust (if that makes any difference).
Logging in with username/password works perfectly fine with both providers.
Logging in with a Kerberos ticket only works for provider A (priority 1).
Trying to log in with a user from provider B results in a ticket being successfully granted to the user's machine, but authentication at Keycloak fails:
WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-102) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
Keycloak tries to log in the user from provider B with the Kerberos credentials of provider A (priority 1), fails, and does not try provider B at all.
If providers A and B switch priorities, user B can log in using a ticket, but user A fails with exactly the same error message.
Is there a way to tell Keycloak to try both Kerberos realms?