Initial situation:
3 UCS test servers in a local network.
1.) ucs-6942: one Primary Directory Node with the apps:
- Active Directory-compatible Domain Controller
- Admin Diary Backend
- Admin Diary Frontend
- OnlyOffice Docs
- Self Service
- Self Service Backend
- PostgreSQL 11.22
2.) papa: a managed node with the apps:
- Let’s Encrypt
- Nextcloud Hub
- OnlyOffice Docs
- OpenProject
- PostgreSQL 11.2
3.) mail: a backup directory node
- Fetchmail
- Mailserver
- Ox App Suite
- OX Connector
- PostgreSQL 11.2
The local domain: opa.intranet
Software: UCS Version 5.0-6 errata982
Reproducing the error
- install Keycloak version 24.0.3-ucs1
- start this app (log in with administrator account of the UCS); the URL: https://ucs-sso-ng.opa.intranet/admin/master/console/
- switch from realm “Master” to “UCS”
- select “Clients” in the left column
- select e.g. the client ID “account”
- select the “Client scopes” tab in the “Client details” window
- the following error message appears: “Network response was not OK.” (see image)
There is no further information on the displayed problem in the Keycloak GUI.
Switch the realm back to “Master”; then you can repeat the above error as often as you like.
Output of the different log files
docker logs keycloak:
root@ucs-6942:/var/lib/univention-appcenter/apps/keycloak# docker logs keycloak
Changes detected in configuration. Updating the server image.
Updating the configuration and installing your custom providers, if any. Please wait.
2024-05-15 07:14:44,543 WARN [org.key.qua.run.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
- proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-05-15 07:15:00,247 WARN [org.key.services] (build-49) KC-SERVICES0047: univention-saml-user-attribute-nameid-mapper-base64 (de.univention.keycloak.UniventionUserAttributeNameIdMapperBase64) is implementing the internal SPI protocol-mapper. This SPI is internal and may change without notice
2024-05-15 07:15:00,252 WARN [org.key.services] (build-49) KC-SERVICES0047: freemarker (de.univention.keycloak.UniventionFreeMarkerLoginFormsProviderFactory) is implementing the internal SPI login. This SPI is internal and may change without notice
2024-05-15 07:15:00,553 WARN [org.key.services] (build-49) KC-SERVICES0047: univention-app-authenticator (de.univention.keycloak.UniventionAppAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice
2024-05-15 07:15:01,277 WARN [org.key.services] (build-49) KC-SERVICES0047: UNIVENTION_UPDATE_PASSWORD (de.univention.keycloak.UniventionUpdatePasswordFactory) is implementing the internal SPI required-action. This SPI is internal and may change without notice
2024-05-15 07:15:01,277 WARN [org.key.services] (build-49) KC-SERVICES0047: UNIVENTION_SELF_SERVICE (de.univention.keycloak.UniventionSelfServiceFactory) is implementing the internal SPI required-action. This SPI is internal and may change without notice
2024-05-15 07:15:01,455 WARN [org.key.services] (build-49) KC-SERVICES0047: univention-ldap-mapper (de.univention.keycloak.UniventionUserAccountControlStorageMapperFactory) is implementing the internal SPI ldap-mapper. This SPI is internal and may change without notice
2024-05-15 07:15:06,654 WARN [io.qua.arc.dep.SplitPackageProcessor] (build-39) Detected a split package usage which is considered a bad practice and should be avoided. Following packages were detected in multiple archives:
- "de.univention.keycloak" found in [/opt/keycloak/lib/../providers/univention-app-authenticator-1.0.jar, /opt/keycloak/lib/../providers/univention-ldap-mapper-1.0.jar, /opt/keycloak/lib/../providers/univention-user-attribute-nameid-mapper-base64-1.0.jar]
2024-05-15 07:15:52,752 INFO [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 61903ms
Server configuration updated and persisted. Run the following command to review the configuration:
kc.sh show-config
Next time you run the server, just run:
kc.sh start --hostname=ucs-sso-ng.opa.intranet --http-enabled=true --proxy=edge --optimized
2024-05-15 09:16:02,003 WARN [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
- proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-05-15 09:16:10,449 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-05-15 09:16:13,146 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: ucs-sso-ng.opa.intranet, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-05-15 09:16:15,792 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `jdbc-ping-tcp`
2024-05-15 09:16:15,797 INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 890fc406-44ce-49ec-bf8c-76ab5f794df1, name: 6aee532dfb8e-227
2024-05-15 09:16:15,969 INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.57600
2024-05-15 09:16:16,693 INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 6aee532dfb8e-227: no members discovered after 676 ms: creating cluster as coordinator
2024-05-15 09:16:17,291 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [6aee532dfb8e-227|0] (1) [6aee532dfb8e-227]
2024-05-15 09:16:17,879 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `6aee532dfb8e-227`, physical addresses are `[192.168.0.202:7600]`
2024-05-15 09:16:18,078 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-05-15 09:16:31,333 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-05-15 09:16:31,520 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 6aee532dfb8e-227, Site name: null
2024-05-15 09:16:38,013 INFO [org.keycloak.quarkus.runtime.storage.legacy.liquibase.QuarkusJpaUpdaterProvider] (main) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
UPDATE SUMMARY
Run: 124
Previously run: 0
Filtered out: 0
-------------------------------
Total change sets: 124
2024-05-15 09:17:00,029 INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-05-15 09:17:00,356 INFO [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
2024-05-15 09:17:17,515 INFO [io.quarkus] (main) Keycloak 24.0.3 on JVM (powered by Quarkus 3.8.3) started in 83.348s. Listening on: http://0.0.0.0:8180
2024-05-15 09:17:17,526 INFO [io.quarkus] (main) Profile prod activated.
2024-05-15 09:17:17,526 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
2024-05-15 09:17:20,395 INFO [org.infinispan.CLUSTER] (Thread-9) ISPN000080: Disconnecting JGroups channel `ISPN`
2024-05-15 09:17:20,616 WARN [com.arjuna.ats.jta] (main) ARJUNA016045: attempted rollback of < formatId=131077, gtrid_length=35, bqual_length=36, tx_uid=0:ffffac100102:aa03:66446169:19, node_name=quarkus, branch_uid=0:ffffac100102:aa03:66446169:1c, subordinatenodename=null, eis_name=0 > (io.agroal.narayana.LocalXAResource@4ea0ec5e) failed with exception code XAException.XAER_RMERR: javax.transaction.xa.XAException: Error trying to transactionRollback local transaction: This connection has been closed.
at io.agroal.narayana.XAExceptionUtils.xaException(XAExceptionUtils.java:20)
at io.agroal.narayana.XAExceptionUtils.xaException(XAExceptionUtils.java:8)
at io.agroal.narayana.LocalXAResource.rollback(LocalXAResource.java:89)
at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelAbort(XAResourceRecord.java:338)
at com.arjuna.ats.arjuna.coordinator.BasicAction.doAbort(BasicAction.java:3112)
....
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:62)
at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:33)
Caused by: org.postgresql.util.PSQLException: This connection has been closed.
at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:1009)
at org.postgresql.jdbc.PgConnection.rollback(PgConnection.java:1016)
at io.agroal.pool.ConnectionHandler.transactionRollback(ConnectionHandler.java:354)
at io.agroal.narayana.LocalXAResource.rollback(LocalXAResource.java:86)
... 39 more
2024-05-15 09:17:20,639 WARN [io.agroal.pool] (main) Datasource '<default>': This connection has been closed.
2024-05-15 09:17:20,646 ERROR [org.keycloak.services] (main) KC-SERVICES0011: Failed to add user 'admin' to realm 'master' [Error Occurred After Shutdown]: org.keycloak.models.ModelException: org.hibernate.query.sqm.InterpretationException: Error interpreting query [Cannot invoke "org.hibernate.jpa.spi.JpaCompliance.isJpaQueryComplianceEnabled()" because "this.jpaCompliance" is null] [select count(u) from UserEntity u where u.realmId = :realmId and (u.serviceAccountClientLink is null)] [select count(u) from UserEntity u where u.realmId = :realmId and (u.serviceAccountClientLink is null)]
at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:99)
at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:64)
...
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:62)
at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:33)
Caused by: org.hibernate.query.sqm.InterpretationException: Error interpreting query [Cannot invoke "org.hibernate.jpa.spi.JpaCompliance.isJpaQueryComplianceEnabled()" because "this.jpaCompliance" is null] [select count(u) from UserEntity u where u.realmId = :realmId and (u.serviceAccountClientLink is null)] [select count(u) from UserEntity u where u.realmId = :realmId and (u.serviceAccountClientLink is null)]
at org.hibernate.query.hql.internal.StandardHqlTranslator.translate(StandardHqlTranslator.java:94)
at org.hibernate.query.sqm.internal.QuerySqmImpl.lambda$new$0(QuerySqmImpl.java:173)
at org.hibernate.query.internal.QueryInterpretationCacheStandardImpl$1.translate(QueryInterpretationCacheStandardImpl.java:111)
at org.hibernate.query.internal.QueryInterpretationCacheStandardImpl.createHqlInterpretation(QueryInterpretationCacheStandardImpl.java:165)
at org.hibernate.query.internal.QueryInterpretationCacheStandardImpl.resolveHqlInterpretation(QueryInterpretationCacheStandardImpl.java:147)
at org.hibernate.query.internal.QueryInterpretationCacheStandardImpl.resolveHqlInterpretation(QueryInterpretationCacheStandardImpl.java:107)
at org.hibernate.query.sqm.internal.QuerySqmImpl.<init>(QuerySqmImpl.java:170)
at org.hibernate.query.hql.internal.NamedHqlQueryMementoImpl.toQuery(NamedHqlQueryMementoImpl.java:154)
at org.hibernate.internal.AbstractSharedSessionContract.createSqmQueryImplementor(AbstractSharedSessionContract.java:1121)
at org.hibernate.internal.AbstractSharedSessionContract.lambda$buildNamedQuery$6(AbstractSharedSessionContract.java:1091)
at org.hibernate.internal.AbstractSharedSessionContract.buildNamedQuery(AbstractSharedSessionContract.java:1075)
at org.hibernate.internal.AbstractSharedSessionContract.buildNamedQuery(AbstractSharedSessionContract.java:1089)
at org.hibernate.internal.AbstractSharedSessionContract.createNamedQuery(AbstractSharedSessionContract.java:975)
at org.hibernate.internal.SessionImpl.createNamedQuery(SessionImpl.java:198)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)
at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:62)
... 33 more
Caused by: java.lang.NullPointerException: Cannot invoke "org.hibernate.jpa.spi.JpaCompliance.isJpaQueryComplianceEnabled()" because "this.jpaCompliance" is null
at org.hibernate.query.hql.internal.SqmPathRegistryImpl.register(SqmPathRegistryImpl.java:76)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitRootEntity(SemanticQueryBuilder.java:1966)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitRootEntity(SemanticQueryBuilder.java:269)
at org.hibernate.grammars.hql.HqlParser$RootEntityContext.accept(HqlParser.java:2549)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitEntityWithJoins(SemanticQueryBuilder.java:1914)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitFromClause(SemanticQueryBuilder.java:1901)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitQuery(SemanticQueryBuilder.java:1148)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitQuerySpecExpression(SemanticQueryBuilder.java:941)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitQuerySpecExpression(SemanticQueryBuilder.java:269)
at org.hibernate.grammars.hql.HqlParser$QuerySpecExpressionContext.accept(HqlParser.java:1869)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitSimpleQueryGroup(SemanticQueryBuilder.java:926)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitSimpleQueryGroup(SemanticQueryBuilder.java:269)
at org.hibernate.grammars.hql.HqlParser$SimpleQueryGroupContext.accept(HqlParser.java:1740)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitSelectStatement(SemanticQueryBuilder.java:443)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitStatement(SemanticQueryBuilder.java:402)
at org.hibernate.query.hql.internal.SemanticQueryBuilder.buildSemanticModel(SemanticQueryBuilder.java:311)
at org.hibernate.query.hql.internal.StandardHqlTranslator.translate(StandardHqlTranslator.java:71)
... 51 more
2024-05-15 09:17:20,657 INFO [io.quarkus] (Shutdown thread) Keycloak stopped in 0.510s
2024-05-15 09:17:27,736 WARN [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
- proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-05-15 09:17:31,975 INFO [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-05-15 09:17:33,427 INFO [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: ucs-sso-ng.opa.intranet, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-05-15 09:17:34,554 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `jdbc-ping-tcp`
2024-05-15 09:17:34,582 INFO [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 5f00d836-8a07-4b84-9a0a-66905465758a, name: 6aee532dfb8e-26819
2024-05-15 09:17:34,639 INFO [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.57600
2024-05-15 09:17:34,979 INFO [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 6aee532dfb8e-26819: no members discovered after 288 ms: creating cluster as coordinator
2024-05-15 09:17:35,163 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [6aee532dfb8e-26819|0] (1) [6aee532dfb8e-26819]
2024-05-15 09:17:35,599 INFO [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `6aee532dfb8e-26819`, physical addresses are `[192.168.0.202:7600]`
2024-05-15 09:17:35,676 WARN [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-05-15 09:17:43,501 WARN [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-05-15 09:17:43,613 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 6aee532dfb8e-26819, Site name: null
2024-05-15 09:17:45,321 INFO [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-05-15 09:17:47,728 INFO [io.quarkus] (main) Keycloak 24.0.3 on JVM (powered by Quarkus 3.8.3) started in 22.680s. Listening on: http://0.0.0.0:8180
2024-05-15 09:17:47,729 INFO [io.quarkus] (main) Profile prod activated.
2024-05-15 09:17:47,729 INFO [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
2024-05-15 09:17:49,826 INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'
2024-05-15 09:18:18,223 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-1) SQL Error: 0, SQLState: 23505
2024-05-15 09:18:18,224 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-1) FEHLER: doppelter Schlüsselwert verletzt Unique-Constraint »uk_b71cjlbenv945rb6gcon438at«
Detail: Schlüssel »(realm_id, client_id)=(ucs, https://ucs-6942.opa.intranet/univention/saml/metadata)« existiert bereits.
Log Output for the error message “Network response was not OK.”
2024-05-15 09:38:56,837 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:39:18,122 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-5) Creating new LDAP Store for the LDAP storage provider: 'ldap-master-admin', LDAP Configuration: {serverPrincipal=[HTTP/ucs-sso-ng.opa.intranet@OPA.INTRANET], fullSyncPeriod=[-1], pagination=[true], startTls=[true], usersDn=[dc=opa,dc=intranet], connectionPooling=[true], cachePolicy=[MAX_LIFESPAN], useKerberosForPasswordAuthentication=[false], importEnabled=[false], enabled=[true], bindDn=[uid=sys-idp-user,cn=users,dc=opa,dc=intranet], usernameLDAPAttribute=[uid], changedSyncPeriod=[-1], vendor=[other], uuidLDAPAttribute=[entryUUID], allowKerberosAuthentication=[true], connectionUrl=[ldap://ucs-6942.opa.intranet:7389], syncRegistrations=[false], authType=[simple], krbPrincipalAttribute=[krb5PrincipalName], customUserSearchFilter=[(|(memberOf=cn=Domain Admins,cn=groups,dc=opa,dc=intranet)(memberOf=cn=DC Backup Hosts,cn=groups,dc=opa,dc=intranet))], debug=[false], searchScope=[2], keyTab=[/var/lib/univention-appcenter/apps/keycloak/conf/keycloak.keytab], useTruststoreSpi=[never], usePasswordModifyExtendedOp=[true], maxLifespan=[300000], kerberosRealm=[OPA.INTRANET], priority=[0], trustEmail=[false], userObjectClasses=[person], rdnLDAPAttribute=[uid], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2024-05-15 09:39:18,260 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-5) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:716)
at java.base/javax.security.auth.Subject.doAs(Subject.java:439)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:69)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:883)
at org.keycloak.storage.UserStorageManager.getUserByCredential(UserStorageManager.java:159)
at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByCredential(UserCacheSession.java:554)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:94)
at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:442)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:268)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1051)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:152)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.jgss/sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:325)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:168)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:131)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:121)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
... 25 more
2024-05-15 09:39:18,273 WARN [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (executor-thread-5) Received kerberos token, but there is no user storage provider that handles kerberos credentials.
2024-05-15 09:39:26,903 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-6) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:39:27,394 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:39:27,685 WARN [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ACCOUNT theme 'UCS' due to this.
2024-05-15 09:39:27,698 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ACCOUNT theme UCS, using built-in themes
2024-05-15 09:39:27,700 WARN [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ADMIN theme 'UCS' due to this.
2024-05-15 09:39:27,700 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ADMIN theme UCS, using built-in themes
2024-05-15 09:39:28,260 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-4) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:40:19,424 INFO [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-11) Creating new LDAP Store for the LDAP storage provider: 'ldap-provider', LDAP Configuration: {serverPrincipal=[HTTP/ucs-sso-ng.opa.intranet@OPA.INTRANET], fullSyncPeriod=[-1], pagination=[true], startTls=[true], connectionPooling=[true], usersDn=[dc=opa,dc=intranet], cachePolicy=[MAX_LIFESPAN], useKerberosForPasswordAuthentication=[false], importEnabled=[false], enabled=[true], usernameLDAPAttribute=[uid], changedSyncPeriod=[-1], bindDn=[uid=sys-idp-user,cn=users,dc=opa,dc=intranet], vendor=[other], uuidLDAPAttribute=[entryUUID], connectionUrl=[ldap://ucs-6942.opa.intranet:7389], allowKerberosAuthentication=[true], syncRegistrations=[false], authType=[simple], krbPrincipalAttribute=[krb5PrincipalName], debug=[false], searchScope=[2], keyTab=[/var/lib/univention-appcenter/apps/keycloak/conf/keycloak.keytab], useTruststoreSpi=[never], maxLifespan=[300000], usePasswordModifyExtendedOp=[true], kerberosRealm=[OPA.INTRANET], priority=[0], trustEmail=[false], userObjectClasses=[person], rdnLDAPAttribute=[uid], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2024-05-15 09:40:34,439 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:40:34,890 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:40:35,159 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:40:35,237 WARN [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ACCOUNT theme 'UCS' due to this.
2024-05-15 09:40:35,240 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ACCOUNT theme UCS, using built-in themes
2024-05-15 09:40:35,250 WARN [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ADMIN theme 'UCS' due to this.
2024-05-15 09:40:35,252 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ADMIN theme UCS, using built-in themes
2024-05-15 09:40:35,441 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-9) Failed to find ADMIN theme keycloak, using built-in themes
The log files show a problem with the database and apparently also with themes.
Question: How can I eliminate these errors?
I have been looking for a solution for a few days, but without success.
Any help would be greatly appreciated.
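One way to separate the database, theme and Kerberos messages in a log like the one above, as an added example that is not part of the original post: it folds stack-trace lines into their log record and counts WARN/ERROR records per area. The sample lines are constructed (shortened) from the post's log; the function names and the logger-prefix-to-area grouping are this example's own assumptions.

```python
import re

# Constructed sample: shortened copies of lines from the log in the post.
SAMPLE = """
2024-05-15 09:17:20,639 WARN [io.agroal.pool] (main) Datasource '<default>': This connection has been closed.
2024-05-15 09:17:20,646 ERROR [org.keycloak.services] (main) KC-SERVICES0011: Failed to add user 'admin' to realm 'master' [Error Occurred After Shutdown]: org.keycloak.models.ModelException
at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:99)
Caused by: java.lang.NullPointerException: Cannot invoke "org.hibernate.jpa.spi.JpaCompliance.isJpaQueryComplianceEnabled()" because "this.jpaCompliance" is null
at org.hibernate.query.hql.internal.SqmPathRegistryImpl.register(SqmPathRegistryImpl.java:76)
2024-05-15 09:17:49,826 INFO [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'
2024-05-15 09:18:18,224 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-1) FEHLER: doppelter Schlüsselwert verletzt Unique-Constraint
2024-05-15 09:38:56,837 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:39:26,903 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-6) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:39:18,260 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-5) SPNEGO login failed: GSSException: Defective token detected
"""

# timestamp, level, [logger], (thread), message
RECORD = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(TRACE|DEBUG|INFO|WARN|ERROR|FATAL)\s+\[([^\]]+)\] \(([^)]*)\) (.*)$"
)

# Logger prefix -> area. This grouping is the example's own heuristic.
AREAS = [
    ("org.hibernate", "database"),
    ("io.agroal", "database"),
    ("com.arjuna", "database"),
    ("org.keycloak.theme", "theme"),
    ("org.keycloak.federation.kerberos", "kerberos"),
    ("org.keycloak.authentication.authenticators.browser.Spnego", "kerberos"),
]


def parse_records(text):
    """Split a log into records; stack-trace and detail lines that do not
    start with a timestamp are attached to the record before them."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m:
            ts, level, logger, thread, message = m.groups()
            records.append({"ts": ts, "level": level, "logger": logger,
                            "thread": thread, "message": message, "extra": []})
        elif records:  # continuation of the previous record
            records[-1]["extra"].append(line)
    return records


def root_cause(rec):
    """Return the innermost 'Caused by:' of a record's stack trace, if any."""
    causes = [l[len("Caused by: "):] for l in rec["extra"]
              if l.startswith("Caused by: ")]
    return causes[-1] if causes else None


def area_of(rec):
    """Classify by logger prefix, then by ORM/JDBC classes in the trace."""
    for prefix, area in AREAS:
        if rec["logger"].startswith(prefix):
            return area
    text = rec["message"] + " " + " ".join(rec["extra"])
    if "org.hibernate" in text or "org.postgresql" in text:
        return "database"
    return "other"


def triage(text, levels=("WARN", "ERROR", "FATAL")):
    """Group repeated WARN/ERROR records; keep count, first time, root cause."""
    groups = {}
    for rec in parse_records(text):
        if rec["level"] not in levels:
            continue
        key = (area_of(rec), rec["level"], rec["logger"], rec["message"][:70])
        g = groups.setdefault(
            key, {"count": 0, "first": rec["ts"], "root": root_cause(rec)})
        g["count"] += 1
        g["first"] = min(g["first"], rec["ts"])  # timestamps sort as strings
    return groups


if __name__ == "__main__":
    for (area, level, logger, msg), g in sorted(triage(SAMPLE).items()):
        print(f"{area:9} {level:5} x{g['count']} first={g['first']} {logger}")
        print(f"          {msg}")
        if g["root"]:
            print(f"          root cause: {g['root'][:90]}")
```

To run it over the real container output, pass the text of `docker logs keycloak` (both stdout and stderr) to `triage()` in place of `SAMPLE`.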