Problem: Browser Displays An HTTP Basic Auth Popup When Authenticating To Keycloak


When Kerberos authentication is configured in Keycloak, it will fall back to password authentication if no kerberos ticket is presented by the browser. When being on an unjoined Windows client on chrome or edge, a popup asking for credentials will be shown. When clicking cancel, the fallback login page for single sign-can be accessed. In simplesamlphp this was configurable by the UCR variable saml/idp/negotiate/filter-subnets. Keycloak doesn’t have such a setting to remove certain IPs from the Kerberos authentication.

We’re planning to make subnet filtering configurable for Kerberos-Auth in Keycloak: Bug 56474 – Make subnet filtering configurable for Kerberos-Auth in Keycloak

For the time being you can use this workaround.


You can disable the Kerberos authentication in Keycloak to circumvent the password authentication and HTTP Basic Auth pop-up.

Log in to the Keycloak admin console and navigate to:
Keycloak Admin Console → UCS Realm → User federation → ldap-provider → Kerberos integration


There you can disable the option Allow Kerberos authentication.

1 Like

This topic was automatically closed after 24 hours. New replies are no longer allowed.