Keycloak SSO login failures in UCS and incorrect DNS configuration
Problem:
In a UCS environment, Windows clients are configured via Group Policy Objects (GPOs) to open two predefined browser start pages (for example UCS Portal and UCS Management Console) after login.
As a result, two Single Sign-On (SSO) authentication requests are sent in parallel to Keycloak using the same user account.
Sporadically, one of these authentication attempts fails and the following error message is displayed in the Keycloak login window:
An internal server error has occurred
The corresponding Apache access log entry shows the SAML authentication request being answered with HTTP 503:
05/Nov/2025:13:29:08 +0100] "GET /realms/ucs/protocol/saml?SAMLRequest=zVdZk6LKEn7vX2F4Ho0eARXRmO4TxaagiOzIG5uArFKs%2FvqDOtPRM2eJmft0H4ywcvkq88vMSv36Z5cmo8YvYZRnb2
P0CzL%2B8%2F3lK7TTpFiDugoz2b%2FWPqxGg10G1x58G4dVVayn07Ztv7SzL3kZTDEEQabIajrYeDAK%2Fhh%2Fs77DvI3rMlvnNozgOrNTH64rd60AYb%2FGviBrG0K%2FrIa7P7sU%2F%2B1TlHmVu3kyHnH02zjyXueWFYcrLYP9zo%2FM3bIaj%2FTvGQ0Ogx2Etc9lsLKzahA
h2OIVRV%2BRhYpia5RYz1bWeEQPSUaZXT287inCIcfaha8Q5q9Z8CWNyvxLlFWlnfnVtPTtJIV3%2FfR7ONN76OPR8duRjDIvyoL%2FTsV5GsH1VlWPr0dRUccj8J0SKs9gnfql4pdN5PqavP8hsEVRRqld9j9FVmdR42d3%2F0dA00dETeT55WG4%2Fm2sCdTIrkb%2FCjB%2Bf1R%
2F%2FeCsHLF5mdrVf2dxlwxlOD9M1%2FfLq378%2Fvuhpn5le3Zlf51%2BiuD9qwfXShQMpalLf8R5b%2BOPEzr%2B0Poel53zx5GyszyLXDuJbo9yCn4V5t4IJEFeRlWY%2FksHo1MUuXfwq9%2B5ry46z%2F4YT3%2B8%2FBeBfhiFEtqvMLTRb1iyf%2FZLP3P9kSZzb%2BM%2F%
2FrF7H5bqwBG8Uwp%2FPP7e9X7W%2BEle%2BN4r%2FJ7Ft0h%2BHfCfiZn%2BPUY6CoYh%2Bl9Y%2BsTQE0S3k9p%2FP17FVpO1epCcGmzpNFuUybMThDp8ewTw2fgh%2BOD3efypMz4q%2BfQgrb4MspWISuH5olWpwhQ2dsrCXg3Jkpg4VsybJgFjNRiCRFsRTZWgPfmE7WFu3jPB
y6SOsGtEw63Cy0lt4%2B1FNuh9VoBDG9AEBsv%2BdGh7OS5vvgOOiLYzDuJJPYvC5mgGTBy8dLwz5TMEVirMsOjgGjttT%2FKxRZXnQ5eAJX7tbfQWt46BpA5usC7SnGJxJm1yVCgX8%2BYln11zKRKKpV0xaoES0qGb7wrcmK9S1qE3s8KqcY8IuPMqQnb48aJW08lUpy8oQNXagdQ
Lf0xbdF9SSz0%2FK8Ws1ze60HjXRpvN2ds5rqiK3kU4zxB0WSRi7RULbQfySefQNDW1bs6LZdKBSkMWyoaUZra%2FTK9eAd7ePvj%2FRPi9Bju%2F%2F6iHuUBW9DDwHwfq%2FvKdh9mt%2FHeB41hDpSiS2QSg5UgQDB8VHMggvoZxtFm1CAkkyAKaIlua2Qsg3gBUY8hQoGRG66gb
4MngoA%2BOKohlVpBgS0knWpekLdPyjKwyqjCA332oUNh5xqLwUr32NknjXJhYoLinrhMc%2FbMuImlnxrfDJ%2FQ2WqBhej%2FoekHNWxE88GnmxupOmmCWsUBsY1VzzKFxM7JxUxaxFFK1TB6zTC7Q0lXjUSQtKSBXNGk14BxllZ%2FJDFMICmi3wYnf5RYXNu4BSDHJhuzNxTrgG
Env9IvCyeT%2BZCwSjwY%2B2yK9cAML4eJ2wk3CDrRu32UifZdpHzKB2%2BSfuNh84%2BKDP4r8mT%2F3yZ8stMzTZ8e0Bfo5P0GRWi546PZMV%2F1K7h13AcETX1A3pn5xb3rrpkl1MvnFPkULNyVqe8AY%2FGrLlDpuyPFz7SmJMRjzcHMYsrJNvtmnSe1t%2BdBJdWToHXLA%2F6
lXGBYAkQISAe56KtgN3xmALWp%2FMXcSEp%2FdDGq3wM9Tlzdbs5ksk7mUn2kQsAdejCeXeSAduaONd5NQ2LYcrQnMdiIEtVNi0NAq9zQBIGLJqt8v%2FcW1c7BtpHXxio5byQg1iZ0kVLDaYXttd6gnGrP05JtrNpiCWMUmOoJidmyQ7hoiSUcjDayWyiGZsK4l2zNFOYnexLr420n
El5W9Ik7XJTZlh%2Be9oQUNUL0Vo5PtoWn3eEvYU3xjeAaAUs3OUN3Ba727kMuyvhnRlUC4ypWCjm%2F5sBXjoyNNUgsy2j6qZaQzuGl5rdS%2B8lh8ZRkmG01Btmhqv2%2FT5f7q71F235QLz2h7zK57GfS07u9PNiSQRiqXS4ZQ6c47ttJQLQmQ%2BZwj3QtFAWP%2B7DcZUUnAtY
AG3r32W2nOsIGk8XOzMlNmIsV7c8Lh2xN%2FIiKNmMl13gYBAx62isAE56ANzgZg6RkRb2psl22KAqmv%2BO6yFGXdsSeJm5%2B2m4Lb0gK3Bf8PfS5ewPx7nwu6XtumlQxzWzjY0E%2FYqnc3q%2F5kygnHHhI3sxI3IhUHWyEDHslRIS%2FTKGZpK1bIPEZS4t%2BagyCUdhaX4Rm
HxVMiPzo4H%2BWcHWBUPbldwP5ZA4IZYqNIH7TCs0YySeXtjuMszzjcDibZ2wYaullc%2F%2B3d4bj9TzYtLX1%2Bs5g9KQF6qCEJ2LMeDDfOUl28eCwCDlzEqNsLf26gihunskpPvbCd63Qxa6Odjts4t3KSljS24cyRtHnFYOC4X9WXq6y46gI5Ubx33J676%2B1aszah%2BGKw0G
rJ7xkI1GsROf2MjHBfE8s5SXCGqtYS2h3P8azw8XmEhVrSJJRRTPAlTHuCjayGTahjUA7DhUUoBoJoMuNcXl%2Fymauo4mxhGsotq3gplDexu8pV8wiyJhDTItwtunNLVUi7XHUhO%2BM9UTR5Jgy92qH8jdUdiUh0Y8o1iEVCXDqd56BYJ%2Bi8MgKhPuwZCW%2BnGl%2BKB%2BU6L
F5DLYgALSZwlS9yEqVoYzanM5hFWbxtskjtwI1pe7yhW6XWnov25%2BX5IXyu1%2BnnxfvDYn5%2F%2Ftj%2B8c%2Fe%2B8tf&RelayState=%2Funivention%2Fportal%2F&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=kq
MUoS1K9HcqqRPkqKnmVYm6tP5QAlyiAdCo1BE9ea1g473wUbFvMLoeix4LIphs5R94cfo%2FDarvE6wFwZ8cSFxpS%2FiSA2%2FFt6CSjq51pZUTEtN8oEW8yUME3Pdn1Gp39xEMzsWHbJYh%2FXOyustHs5CAOiV1pNhY1sayZdJW5zefC%2Btu7Th8k3aIUXcrF5xoECJO0iehRtB
J3%2FZl2l3zCIJvGUjYGMeLhrsl79KZ8HgIs7hQV%2BzNfNEw6o4SjcGNjSFpg4g2drnG%2FCj1HUA0oB2%2B8MueyfanDfX8%2BDhu4by8tb%2BqVqD9i4rN2si7pdid%2FvUw2NLYQCo5MH5fg%2Fsnwg%3D%3D HTTP/1.1" 503 602 "-" "Mozilla/5.0 (Windows NT 10
.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36 Edg/142.0.0.0"
ucs-sso-ng.miro.intranet:443 10.200.30.112
Environment
- Windows clients with browser start pages configured via GPO
- Keycloak-based SSO (ucs-sso-ng)
- Multiple UCS Domain Controllers (DC Primary and DC Backup)
- Keycloak installed only on the DC Primary
Investigation:
Successful Login
In a successful scenario, both SAML authentication requests are routed to a system where Keycloak is installed and running. The Apache access log shows a complete SAML flow followed by successful access to both the UCS Portal and UMC.
Failed Login
In the failing scenario, the initial SAML redirects are visible, but one authentication request ends with an HTTP 503 Service Unavailable response from the Keycloak endpoint.
Further investigation on the affected Windows client showed that the DNS name configured for Keycloak resolves to multiple IP addresses.
Example:
- UCR variable: keycloak/server/sso/fqdn
- Value: ucs-sso-ng.miro.intranet
- DNS resolution:
udm dns/host_record list --filter relativeDomainName=ucs-sso-ng
relativeDomainName=ucs-sso-ng
DN: relativeDomainName=ucs-sso-ng,zoneName=miro.intranet,cn=dns,dc=miro,dc=intranet
a: 10.200.30.100
a: 10.200.30.101
name: ucs-sso-ng
univentionObjectIdentifier: 3420d4e0-8a36-103f-8d2f-5b6e9c93c0c2
zonettl: 80600 seconds
10.200.30.100 (DC Primary – Keycloak installed)
10.200.30.101 (DC Backup – no Keycloak installed)
Depending on the DNS response, the browser may contact a system where Keycloak is not available, resulting in a 503 error.
This behavior becomes more apparent when multiple SSO requests are triggered in parallel.
Root Cause:
The DNS host record for the Keycloak SSO FQDN contains multiple A records pointing to different UCS systems, while Keycloak is installed only on a subset of them.
Authentication requests routed to systems without Keycloak fail with HTTP 503.
This is a behavioral difference compared to earlier SimpleSAMLphp-based setups, where authentication could be handled transparently on all domain controllers.
Solution:
Ensure that the Keycloak SSO FQDN resolves only to systems where Keycloak is installed and running.
Recommended Configuration
- If Keycloak is installed on a single system:
  - Configure the DNS host record with exactly one A record pointing to that system.
- If high availability is required:
  - Install and properly configure Keycloak on all systems referenced by the DNS record.
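The following check is an added example and is not code from Univention or the Keycloak project. It reads the A records of the SSO host record from the udm output shown above, connects to each address individually while still presenting the FQDN for SNI and the Host header (the same thing curl --resolve does), and reports every address that does not answer the realm with HTTP 200. Assumptions that are not taken from this page: Keycloak is reached through Apache on port 443, the realm is named ucs, and the realm's SAML metadata endpoint /realms/<realm>/protocol/saml/descriptor returns 200 on a working host. The udm output embedded in the block is a constructed sample modelled on the one above.

```python
# Added example (not Univention's or Keycloak's code). Assumptions, not from the
# page: Keycloak is reached through Apache on port 443, the realm is "ucs", and
# /realms/<realm>/protocol/saml/descriptor answers HTTP 200 on a working host.
import re
import socket
import ssl

# Constructed sample, modelled on the 'udm dns/host_record list' output above.
SAMPLE_UDM_OUTPUT = """\
relativeDomainName=ucs-sso-ng
DN: relativeDomainName=ucs-sso-ng,zoneName=miro.intranet,cn=dns,dc=miro,dc=intranet
  a: 10.200.30.100
  a: 10.200.30.101
  name: ucs-sso-ng
  zonettl: 80600 seconds
"""


def parse_udm_a_records(udm_output: str) -> list[str]:
    """Return the A record addresses listed in 'udm dns/host_record list' output."""
    return re.findall(r"^\s*a:\s*(\S+)\s*$", udm_output, flags=re.MULTILINE)


def resolve_client_side(fqdn: str) -> list[str]:
    """Addresses the local resolver hands out for the FQDN (what a browser would use)."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe_keycloak(ip: str, fqdn: str, realm: str = "ucs", timeout: float = 5.0):
    """Connect to one address by IP but present the FQDN as SNI and Host header,
    like 'curl --resolve fqdn:443:ip', so the certificate is still verified
    against the FQDN. Returns the HTTP status code, or None if no status line arrives."""
    ctx = ssl.create_default_context()
    request = (
        f"GET /realms/{realm}/protocol/saml/descriptor HTTP/1.1\r\n"
        f"Host: {fqdn}\r\nConnection: close\r\n\r\n"
    ).encode()
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            tls.sendall(request)
            status_line = tls.makefile("rb").readline()
    match = re.match(rb"HTTP/1\.[01] (\d{3})", status_line)
    return int(match.group(1)) if match else None


def audit_sso_records(udm_output: str, fqdn: str, realm: str = "ucs", probe=probe_keycloak) -> dict:
    """Probe every A record of the SSO FQDN; hosts that refuse the connection are recorded as None."""
    results = {}
    for ip in parse_udm_a_records(udm_output):
        try:
            results[ip] = probe(ip, fqdn, realm)
        except OSError:
            results[ip] = None
    return results


def broken_records(results: dict) -> list[str]:
    """A records that must be removed from the host record (or get Keycloak installed)."""
    return sorted(ip for ip, status in results.items() if status != 200)


if __name__ == "__main__":
    import subprocess
    import sys

    # Read the SSO FQDN from UCR and the host record from UDM on a UCS system.
    fqdn = subprocess.run(["ucr", "get", "keycloak/server/sso/fqdn"],
                          capture_output=True, text=True, check=True).stdout.strip()
    udm_out = subprocess.run(
        ["udm", "dns/host_record", "list", "--filter", "relativeDomainName=" + fqdn.split(".")[0]],
        capture_output=True, text=True, check=True).stdout
    results = audit_sso_records(fqdn=fqdn, udm_output=udm_out)
    for ip, status in results.items():
        print(f"{ip}: {'HTTP %d' % status if status else 'no response'}")
    print("client-side resolution:", resolve_client_side(fqdn))
    bad = broken_records(results)
    if bad:
        print("A records without a working Keycloak:", ", ".join(bad))
    sys.exit(1 if bad else 0)
```

Run on the DC Primary, the script exits non-zero whenever an A record of the SSO FQDN points at a host that does not serve the realm, which is exactly the condition that produced the sporadic 503 responses above. The probe deliberately verifies the certificate against the FQDN instead of disabling verification, so a misconfigured or wrong certificate on one of the hosts shows up as an error rather than being masked.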
Hint:
Feedback from the case: Since the update to UCS 5.2-4 and Keycloak 26.4.7-ucs1, the problem is resolved.
Verification
After correcting the DNS configuration:
- Parallel SSO logins via multiple browser start pages work reliably.
- No further HTTP 503 responses are logged by Keycloak or Apache.
- The Keycloak internal server error message no longer appears.
Additional Information
When using Keycloak as the central SSO component in UCS, DNS configuration and service placement must be aligned carefully, especially in multi-DC environments.