Background
When Kerberos authentication is configured in Keycloak, it falls back to password authentication if the browser does not present a Kerberos ticket. On a Windows client that is not joined to the domain, Chrome or Edge shows a pop-up asking for credentials. After clicking Cancel, the fallback login page for single sign-on can be accessed. In simplesamlphp this was configurable with the UCR variable saml/idp/negotiate/filter-subnets. Keycloak doesn’t have such a setting to exclude certain IPs from Kerberos authentication.
We’re planning to make subnet filtering configurable for Kerberos-Auth in Keycloak: Bug 56474 – Make subnet filtering configurable for Kerberos-Auth in Keycloak
For the time being you can use this workaround.
Workaround
You can disable Kerberos authentication in Keycloak to avoid the password authentication and HTTP Basic Auth pop-up.
Log in to the Keycloak admin console and navigate to:
Keycloak Admin Console → UCS Realm → User federation → ldap-provider → Kerberos integration
There you can disable the option Allow Kerberos authentication.