Problems with Keycloak; among other things: Network response was not OK

Raymund · May 15, 2024, 9:21am

Initial situation:
3 UCS test servers in a local network.

1.) ucs-6942: one Primary Directory Node with the apps:

Active Directory-kompatibler Domaincontroller
Admin Diary Backend
Admin Diary Frontend
OnlyOffice Docs
Self Service
Self Service Backend
PostgreSQL 11.22

2.) papa: a managed node with the apps:

Let’s Encrypt
Nextcloud Hub
OnlyOffice Docs
OpenProject
PostgreSQL 11.2

3.) mail: a backup directory node

Fetchmail
Mailserver
Ox App Suite
OX Connector
PostgreSQL 11.2

The lokale domain: opa.intranet
Software: UCS Version 5.0-6 errata982

Reproducing the error

install Keycloak version 24.0.3-ucs1
start this app (log in with administrator account of the UCS); the URL: https://ucs-sso-ng.opa.intranet/admin/master/console/
switch from realm “Master” to “UCS”
select “Clients” in the left column
select e.g. the client ID “account”
select the “Client scopes” tab in the “Client details” window
the following error message appears: “Network response was not OK.” (see image)

Install_Keycloak_Fehlermeldung_Nr3

There is no further information on the displayed problem in the Keycloak GUI.
Switch the realm back to “Master”; then you can repeat the above error as often as you like.

Output of the diffent log files
docker logs keycloak:


root@ucs-6942:/var/lib/univention-appcenter/apps/keycloak# docker logs keycloak
Changes detected in configuration. Updating the server image.
Updating the configuration and installing your custom providers, if any. Please wait.
2024-05-15 07:14:44,543 WARN  [org.key.qua.run.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
        - proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-05-15 07:15:00,247 WARN  [org.key.services] (build-49) KC-SERVICES0047: univention-saml-user-attribute-nameid-mapper-base64 (de.univention.keycloak.UniventionUserAttributeNameIdMapperBase64) is implementing the internal SPI protocol-mapper. This SPI is internal and may change without notice
2024-05-15 07:15:00,252 WARN  [org.key.services] (build-49) KC-SERVICES0047: freemarker (de.univention.keycloak.UniventionFreeMarkerLoginFormsProviderFactory) is implementing the internal SPI login. This SPI is internal and may change without notice
2024-05-15 07:15:00,553 WARN  [org.key.services] (build-49) KC-SERVICES0047: univention-app-authenticator (de.univention.keycloak.UniventionAppAuthenticatorFactory) is implementing the internal SPI authenticator. This SPI is internal and may change without notice
2024-05-15 07:15:01,277 WARN  [org.key.services] (build-49) KC-SERVICES0047: UNIVENTION_UPDATE_PASSWORD (de.univention.keycloak.UniventionUpdatePasswordFactory) is implementing the internal SPI required-action. This SPI is internal and may change without notice
2024-05-15 07:15:01,277 WARN  [org.key.services] (build-49) KC-SERVICES0047: UNIVENTION_SELF_SERVICE (de.univention.keycloak.UniventionSelfServiceFactory) is implementing the internal SPI required-action. This SPI is internal and may change without notice
2024-05-15 07:15:01,455 WARN  [org.key.services] (build-49) KC-SERVICES0047: univention-ldap-mapper (de.univention.keycloak.UniventionUserAccountControlStorageMapperFactory) is implementing the internal SPI ldap-mapper. This SPI is internal and may change without notice
2024-05-15 07:15:06,654 WARN  [io.qua.arc.dep.SplitPackageProcessor] (build-39) Detected a split package usage which is considered a bad practice and should be avoided. Following packages were detected in multiple archives:
- "de.univention.keycloak" found in [/opt/keycloak/lib/../providers/univention-app-authenticator-1.0.jar, /opt/keycloak/lib/../providers/univention-ldap-mapper-1.0.jar, /opt/keycloak/lib/../providers/univention-user-attribute-nameid-mapper-base64-1.0.jar]
2024-05-15 07:15:52,752 INFO  [io.qua.dep.QuarkusAugmentor] (main) Quarkus augmentation completed in 61903ms
Server configuration updated and persisted. Run the following command to review the configuration:

        kc.sh show-config

Next time you run the server, just run:

        kc.sh start --hostname=ucs-sso-ng.opa.intranet --http-enabled=true --proxy=edge --optimized

2024-05-15 09:16:02,003 WARN  [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
        - proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-05-15 09:16:10,449 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-05-15 09:16:13,146 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: ucs-sso-ng.opa.intranet, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-05-15 09:16:15,792 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `jdbc-ping-tcp`
2024-05-15 09:16:15,797 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 890fc406-44ce-49ec-bf8c-76ab5f794df1, name: 6aee532dfb8e-227
2024-05-15 09:16:15,969 INFO  [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.57600
2024-05-15 09:16:16,693 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 6aee532dfb8e-227: no members discovered after 676 ms: creating cluster as coordinator
2024-05-15 09:16:17,291 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [6aee532dfb8e-227|0] (1) [6aee532dfb8e-227]
2024-05-15 09:16:17,879 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `6aee532dfb8e-227`, physical addresses are `[192.168.0.202:7600]`
2024-05-15 09:16:18,078 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-05-15 09:16:31,333 WARN  [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-05-15 09:16:31,520 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 6aee532dfb8e-227, Site name: null
2024-05-15 09:16:38,013 INFO  [org.keycloak.quarkus.runtime.storage.legacy.liquibase.QuarkusJpaUpdaterProvider] (main) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml

UPDATE SUMMARY
Run:                        124
Previously run:               0
Filtered out:                 0
-------------------------------
Total change sets:          124

2024-05-15 09:17:00,029 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-05-15 09:17:00,356 INFO  [org.keycloak.services] (main) KC-SERVICES0050: Initializing master realm
2024-05-15 09:17:17,515 INFO  [io.quarkus] (main) Keycloak 24.0.3 on JVM (powered by Quarkus 3.8.3) started in 83.348s. Listening on: http://0.0.0.0:8180
2024-05-15 09:17:17,526 INFO  [io.quarkus] (main) Profile prod activated.
2024-05-15 09:17:17,526 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
2024-05-15 09:17:20,395 INFO  [org.infinispan.CLUSTER] (Thread-9) ISPN000080: Disconnecting JGroups channel `ISPN`
2024-05-15 09:17:20,616 WARN  [com.arjuna.ats.jta] (main) ARJUNA016045: attempted rollback of < formatId=131077, gtrid_length=35, bqual_length=36, tx_uid=0:ffffac100102:aa03:66446169:19, node_name=quarkus, branch_uid=0:ffffac100102:aa03:66446169:1c, subordinatenodename=null, eis_name=0 > (io.agroal.narayana.LocalXAResource@4ea0ec5e) failed with exception code XAException.XAER_RMERR: javax.transaction.xa.XAException: Error trying to transactionRollback local transaction: This connection has been closed.
        at io.agroal.narayana.XAExceptionUtils.xaException(XAExceptionUtils.java:20)
        at io.agroal.narayana.XAExceptionUtils.xaException(XAExceptionUtils.java:8)
        at io.agroal.narayana.LocalXAResource.rollback(LocalXAResource.java:89)
        at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelAbort(XAResourceRecord.java:338)
        at com.arjuna.ats.arjuna.coordinator.BasicAction.doAbort(BasicAction.java:3112)
     
	 ....
	 
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:62)
        at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:33)
Caused by: org.postgresql.util.PSQLException: This connection has been closed.
        at org.postgresql.jdbc.PgConnection.checkClosed(PgConnection.java:1009)
        at org.postgresql.jdbc.PgConnection.rollback(PgConnection.java:1016)
        at io.agroal.pool.ConnectionHandler.transactionRollback(ConnectionHandler.java:354)
        at io.agroal.narayana.LocalXAResource.rollback(LocalXAResource.java:86)
        ... 39 more

2024-05-15 09:17:20,639 WARN  [io.agroal.pool] (main) Datasource '<default>': This connection has been closed.
2024-05-15 09:17:20,646 ERROR [org.keycloak.services] (main) KC-SERVICES0011: Failed to add user 'admin' to realm 'master' [Error Occurred After Shutdown]: org.keycloak.models.ModelException: org.hibernate.query.sqm.InterpretationException: Error interpreting query [Cannot invoke "org.hibernate.jpa.spi.JpaCompliance.isJpaQueryComplianceEnabled()" because "this.jpaCompliance" is null] [select count(u) from UserEntity u where u.realmId = :realmId and (u.serviceAccountClientLink is null)] [select count(u) from UserEntity u where u.realmId = :realmId and (u.serviceAccountClientLink is null)]
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:99)
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:64)

...
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:62)
        at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:33)
Caused by: org.hibernate.query.sqm.InterpretationException: Error interpreting query [Cannot invoke "org.hibernate.jpa.spi.JpaCompliance.isJpaQueryComplianceEnabled()" because "this.jpaCompliance" is null] [select count(u) from UserEntity u where u.realmId = :realmId and (u.serviceAccountClientLink is null)] [select count(u) from UserEntity u where u.realmId = :realmId and (u.serviceAccountClientLink is null)]
        at org.hibernate.query.hql.internal.StandardHqlTranslator.translate(StandardHqlTranslator.java:94)
        at org.hibernate.query.sqm.internal.QuerySqmImpl.lambda$new$0(QuerySqmImpl.java:173)
        at org.hibernate.query.internal.QueryInterpretationCacheStandardImpl$1.translate(QueryInterpretationCacheStandardImpl.java:111)
        at org.hibernate.query.internal.QueryInterpretationCacheStandardImpl.createHqlInterpretation(QueryInterpretationCacheStandardImpl.java:165)
        at org.hibernate.query.internal.QueryInterpretationCacheStandardImpl.resolveHqlInterpretation(QueryInterpretationCacheStandardImpl.java:147)
        at org.hibernate.query.internal.QueryInterpretationCacheStandardImpl.resolveHqlInterpretation(QueryInterpretationCacheStandardImpl.java:107)
        at org.hibernate.query.sqm.internal.QuerySqmImpl.<init>(QuerySqmImpl.java:170)
        at org.hibernate.query.hql.internal.NamedHqlQueryMementoImpl.toQuery(NamedHqlQueryMementoImpl.java:154)
        at org.hibernate.internal.AbstractSharedSessionContract.createSqmQueryImplementor(AbstractSharedSessionContract.java:1121)
        at org.hibernate.internal.AbstractSharedSessionContract.lambda$buildNamedQuery$6(AbstractSharedSessionContract.java:1091)
        at org.hibernate.internal.AbstractSharedSessionContract.buildNamedQuery(AbstractSharedSessionContract.java:1075)
        at org.hibernate.internal.AbstractSharedSessionContract.buildNamedQuery(AbstractSharedSessionContract.java:1089)
        at org.hibernate.internal.AbstractSharedSessionContract.createNamedQuery(AbstractSharedSessionContract.java:975)
        at org.hibernate.internal.SessionImpl.createNamedQuery(SessionImpl.java:198)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:62)
        ... 33 more
Caused by: java.lang.NullPointerException: Cannot invoke "org.hibernate.jpa.spi.JpaCompliance.isJpaQueryComplianceEnabled()" because "this.jpaCompliance" is null
        at org.hibernate.query.hql.internal.SqmPathRegistryImpl.register(SqmPathRegistryImpl.java:76)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitRootEntity(SemanticQueryBuilder.java:1966)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitRootEntity(SemanticQueryBuilder.java:269)
        at org.hibernate.grammars.hql.HqlParser$RootEntityContext.accept(HqlParser.java:2549)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitEntityWithJoins(SemanticQueryBuilder.java:1914)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitFromClause(SemanticQueryBuilder.java:1901)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitQuery(SemanticQueryBuilder.java:1148)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitQuerySpecExpression(SemanticQueryBuilder.java:941)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitQuerySpecExpression(SemanticQueryBuilder.java:269)
        at org.hibernate.grammars.hql.HqlParser$QuerySpecExpressionContext.accept(HqlParser.java:1869)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitSimpleQueryGroup(SemanticQueryBuilder.java:926)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitSimpleQueryGroup(SemanticQueryBuilder.java:269)
        at org.hibernate.grammars.hql.HqlParser$SimpleQueryGroupContext.accept(HqlParser.java:1740)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitSelectStatement(SemanticQueryBuilder.java:443)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.visitStatement(SemanticQueryBuilder.java:402)
        at org.hibernate.query.hql.internal.SemanticQueryBuilder.buildSemanticModel(SemanticQueryBuilder.java:311)
        at org.hibernate.query.hql.internal.StandardHqlTranslator.translate(StandardHqlTranslator.java:71)
        ... 51 more

2024-05-15 09:17:20,657 INFO  [io.quarkus] (Shutdown thread) Keycloak stopped in 0.510s
2024-05-15 09:17:27,736 WARN  [org.keycloak.quarkus.runtime.cli.Picocli] (main) The following used options or option values are DEPRECATED and will be removed in a future release:
        - proxy: Use proxy-headers.
Consult the Release Notes for details.
2024-05-15 09:17:31,975 INFO  [org.infinispan.CONTAINER] (keycloak-cache-init) ISPN000556: Starting user marshaller 'org.infinispan.jboss.marshalling.core.JBossUserMarshaller'
2024-05-15 09:17:33,427 INFO  [org.keycloak.quarkus.runtime.hostname.DefaultHostnameProvider] (main) Hostname settings: Base URL: <unset>, Hostname: ucs-sso-ng.opa.intranet, Strict HTTPS: true, Path: <request>, Strict BackChannel: false, Admin URL: <unset>, Admin: <request>, Port: -1, Proxied: true
2024-05-15 09:17:34,554 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000078: Starting JGroups channel `ISPN` with stack `jdbc-ping-tcp`
2024-05-15 09:17:34,582 INFO  [org.jgroups.JChannel] (keycloak-cache-init) local_addr: 5f00d836-8a07-4b84-9a0a-66905465758a, name: 6aee532dfb8e-26819
2024-05-15 09:17:34,639 INFO  [org.jgroups.protocols.FD_SOCK2] (keycloak-cache-init) server listening on *.57600
2024-05-15 09:17:34,979 INFO  [org.jgroups.protocols.pbcast.GMS] (keycloak-cache-init) 6aee532dfb8e-26819: no members discovered after 288 ms: creating cluster as coordinator
2024-05-15 09:17:35,163 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000094: Received new cluster view for channel ISPN: [6aee532dfb8e-26819|0] (1) [6aee532dfb8e-26819]
2024-05-15 09:17:35,599 INFO  [org.infinispan.CLUSTER] (keycloak-cache-init) ISPN000079: Channel `ISPN` local address is `6aee532dfb8e-26819`, physical addresses are `[192.168.0.202:7600]`
2024-05-15 09:17:35,676 WARN  [org.infinispan.CONFIG] (keycloak-cache-init) ISPN000569: Unable to persist Infinispan internal caches as no global state enabled
2024-05-15 09:17:43,501 WARN  [io.quarkus.vertx.http.runtime.VertxHttpRecorder] (main) The X-Forwarded-* and Forwarded headers will be considered when determining the proxy address. This configuration can cause a security issue as clients can forge requests and send a forwarded header that is not overwritten by the proxy. Please consider use one of these headers just to forward the proxy address in requests.
2024-05-15 09:17:43,613 INFO  [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (main) Node name: 6aee532dfb8e-26819, Site name: null
2024-05-15 09:17:45,321 INFO  [org.keycloak.broker.provider.AbstractIdentityProviderMapper] (main) Registering class org.keycloak.broker.provider.mappersync.ConfigSyncEventListener
2024-05-15 09:17:47,728 INFO  [io.quarkus] (main) Keycloak 24.0.3 on JVM (powered by Quarkus 3.8.3) started in 22.680s. Listening on: http://0.0.0.0:8180
2024-05-15 09:17:47,729 INFO  [io.quarkus] (main) Profile prod activated.
2024-05-15 09:17:47,729 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
2024-05-15 09:17:49,826 INFO  [org.keycloak.services] (main) KC-SERVICES0009: Added user 'admin' to realm 'master'
2024-05-15 09:18:18,223 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-1) SQL Error: 0, SQLState: 23505
2024-05-15 09:18:18,224 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-1) FEHLER: doppelter Schlüsselwert verletzt Unique-Constraint »uk_b71cjlbenv945rb6gcon438at«
  Detail: Schlüssel »(realm_id, client_id)=(ucs, https://ucs-6942.opa.intranet/univention/saml/metadata)« existiert bereits.

Log Output for the error message “Network response was not OK.”

2024-05-15 09:38:56,837 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:39:18,122 INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-5) Creating new LDAP Store for the LDAP storage provider: 'ldap-master-admin', LDAP Configuration: {serverPrincipal=[HTTP/ucs-sso-ng.opa.intranet@OPA.INTRANET], fullSyncPeriod=[-1], pagination=[true], startTls=[true], usersDn=[dc=opa,dc=intranet], connectionPooling=[true], cachePolicy=[MAX_LIFESPAN], useKerberosForPasswordAuthentication=[false], importEnabled=[false], enabled=[true], bindDn=[uid=sys-idp-user,cn=users,dc=opa,dc=intranet], usernameLDAPAttribute=[uid], changedSyncPeriod=[-1], vendor=[other], uuidLDAPAttribute=[entryUUID], allowKerberosAuthentication=[true], connectionUrl=[ldap://ucs-6942.opa.intranet:7389], syncRegistrations=[false], authType=[simple], krbPrincipalAttribute=[krb5PrincipalName], customUserSearchFilter=[(|(memberOf=cn=Domain Admins,cn=groups,dc=opa,dc=intranet)(memberOf=cn=DC Backup Hosts,cn=groups,dc=opa,dc=intranet))], debug=[false], searchScope=[2], keyTab=[/var/lib/univention-appcenter/apps/keycloak/conf/keycloak.keytab], useTruststoreSpi=[never], usePasswordModifyExtendedOp=[true], maxLifespan=[300000], kerberosRealm=[OPA.INTRANET], priority=[0], trustEmail=[false], userObjectClasses=[person], rdnLDAPAttribute=[uid], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2024-05-15 09:39:18,260 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-5) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:716)
        at java.base/javax.security.auth.Subject.doAs(Subject.java:439)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:69)
        at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:883)
        at org.keycloak.storage.UserStorageManager.getUserByCredential(UserStorageManager.java:159)
        at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByCredential(UserCacheSession.java:554)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:94)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:442)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:268)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1051)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:152)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.jgss/sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:325)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:168)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:131)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:121)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        ... 25 more

2024-05-15 09:39:18,273 WARN  [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (executor-thread-5) Received kerberos token, but there is no user storage provider that handles kerberos credentials.
2024-05-15 09:39:26,903 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-6) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:39:27,394 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:39:27,685 WARN  [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ACCOUNT theme 'UCS' due to this.
2024-05-15 09:39:27,698 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ACCOUNT theme UCS, using built-in themes
2024-05-15 09:39:27,700 WARN  [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ADMIN theme 'UCS' due to this.
2024-05-15 09:39:27,700 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-2) Failed to find ADMIN theme UCS, using built-in themes
2024-05-15 09:39:28,260 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-4) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:40:19,424 INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-11) Creating new LDAP Store for the LDAP storage provider: 'ldap-provider', LDAP Configuration: {serverPrincipal=[HTTP/ucs-sso-ng.opa.intranet@OPA.INTRANET], fullSyncPeriod=[-1], pagination=[true], startTls=[true], connectionPooling=[true], usersDn=[dc=opa,dc=intranet], cachePolicy=[MAX_LIFESPAN], useKerberosForPasswordAuthentication=[false], importEnabled=[false], enabled=[true], usernameLDAPAttribute=[uid], changedSyncPeriod=[-1], bindDn=[uid=sys-idp-user,cn=users,dc=opa,dc=intranet], vendor=[other], uuidLDAPAttribute=[entryUUID], connectionUrl=[ldap://ucs-6942.opa.intranet:7389], allowKerberosAuthentication=[true], syncRegistrations=[false], authType=[simple], krbPrincipalAttribute=[krb5PrincipalName], debug=[false], searchScope=[2], keyTab=[/var/lib/univention-appcenter/apps/keycloak/conf/keycloak.keytab], useTruststoreSpi=[never], maxLifespan=[300000], usePasswordModifyExtendedOp=[true], kerberosRealm=[OPA.INTRANET], priority=[0], trustEmail=[false], userObjectClasses=[person], rdnLDAPAttribute=[uid], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2024-05-15 09:40:34,439 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:40:34,890 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:40:35,159 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ADMIN theme keycloak, using built-in themes
2024-05-15 09:40:35,237 WARN  [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ACCOUNT theme 'UCS' due to this.
2024-05-15 09:40:35,240 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ACCOUNT theme UCS, using built-in themes
2024-05-15 09:40:35,250 WARN  [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ADMIN theme 'UCS' due to this.
2024-05-15 09:40:35,252 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-11) Failed to find ADMIN theme UCS, using built-in themes
2024-05-15 09:40:35,441 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-9) Failed to find ADMIN theme keycloak, using built-in themes

The log files show a problem with the database and apparently also with themes.
Question: How can I eliminate these errors?

I have been looking for a solution for a few days, but without success.
Any help would be greatly appreciated.

Raymund · June 13, 2024, 8:39am

Hallo.
I can reproduce the above mentioned problem in an easier way

In a local area:

Install one UCS-Server with a VirtualBox-Image (UCS 5.0-4)
Do all updates until UCS 5.0-6, include package updates (errata 1056)
Install the App Keycloak (only this one App)
Start Keycloak and change from realm master to realm ucs
Select in left vertical menu “Clients”
Select on the right side the client ID “account”
Select the Tab “Clients scopes”
Look at the log-file from keycloak with “docker logs keycloak”

Extract from the log file:

....
2024-06-12 16:20:04,811 INFO  [io.quarkus] (main) Keycloak 24.0.3 on JVM (powered by Quarkus 3.8.3) started in 8.100s. Listening on: http://0.0.0.0:8180
2024-06-12 16:20:04,812 INFO  [io.quarkus] (main) Profile prod activated.
2024-06-12 16:20:04,812 INFO  [io.quarkus] (main) Installed features: [agroal, cdi, hibernate-orm, jdbc-postgresql, keycloak, logging-gelf, micrometer, narayana-jta, reactive-routes, resteasy-reactive, resteasy-reactive-jackson, smallrye-context-propagation, smallrye-health, vertx]
2024-06-12 16:20:23,424 WARN  [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-1) SQL Error: 0, SQLState: 23505
2024-06-12 16:20:23,424 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (executor-thread-1) FEHLER: doppelter Schlüsselwert verletzt Unique-Constraint »uk_b71cjlbenv945rb6gcon438at«
  Detail: Schlüssel »(realm_id, client_id)=(ucs, https://ucs-2700.opa.intranet/univention/saml/metadata)« existiert bereits.
2024-06-12 16:28:03,670 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-1) Failed to find ADMIN theme keycloak, using built-in themes
2024-06-12 16:28:04,279 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-1) Failed to find ADMIN theme keycloak, using built-in themes
2024-06-12 16:28:06,712 INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-1) Creating new LDAP Store for the LDAP storage provider: 'ldap-master-admin', LDAP Configuration: {serverPrincipal=[HTTP/ucs-sso-ng.opa.intranet@OPA.INTRANET], fullSyncPeriod=[-1], pagination=[true], startTls=[true], connectionPooling=[true], usersDn=[dc=opa,dc=intranet], cachePolicy=[MAX_LIFESPAN], useKerberosForPasswordAuthentication=[false], importEnabled=[false], enabled=[true], bindDn=[uid=sys-idp-user,cn=users,dc=opa,dc=intranet], usernameLDAPAttribute=[uid], changedSyncPeriod=[-1], vendor=[other], uuidLDAPAttribute=[entryUUID], connectionUrl=[ldap://ucs-2700.opa.intranet:7389], allowKerberosAuthentication=[true], syncRegistrations=[false], authType=[simple], krbPrincipalAttribute=[krb5PrincipalName], customUserSearchFilter=[(|(memberOf=cn=Domain Admins,cn=groups,dc=opa,dc=intranet)(memberOf=cn=DC Backup Hosts,cn=groups,dc=opa,dc=intranet))], debug=[false], searchScope=[2], keyTab=[/var/lib/univention-appcenter/apps/keycloak/conf/keycloak.keytab], useTruststoreSpi=[never], usePasswordModifyExtendedOp=[true], maxLifespan=[300000], priority=[0], trustEmail=[false], kerberosRealm=[OPA.INTRANET], userObjectClasses=[person], rdnLDAPAttribute=[uid], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2024-06-12 16:28:06,738 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-1) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:716)
        at java.base/javax.security.auth.Subject.doAs(Subject.java:439)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:69)
        at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:883)
        at org.keycloak.storage.UserStorageManager.getUserByCredential(UserStorageManager.java:159)
        at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByCredential(UserCacheSession.java:554)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:94)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:442)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:268)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1051)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:152)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.jgss/sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:325)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:168)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:131)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:121)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        ... 25 more
2024-06-12 16:28:06,740 WARN  [org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (executor-thread-1) Received kerberos token, but there is no user storage provider that handles kerberos credentials.
2024-06-12 16:28:10,227 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-5) Failed to find ADMIN theme keycloak, using built-in themes
2024-06-12 16:28:10,543 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-5) Failed to find ADMIN theme keycloak, using built-in themes
2024-06-12 16:28:10,641 WARN  [org.keycloak.theme.DefaultThemeManager] (executor-thread-5) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ACCOUNT theme 'UCS' due to this.
2024-06-12 16:28:10,641 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-5) Failed to find ACCOUNT theme UCS, using built-in themes
2024-06-12 16:28:10,642 WARN  [org.keycloak.theme.DefaultThemeManager] (executor-thread-5) Not found parent theme 'keycloak' of theme 'UCS'. Unable to load ADMIN theme 'UCS' due to this.
2024-06-12 16:28:10,643 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-5) Failed to find ADMIN theme UCS, using built-in themes
2024-06-12 16:28:38,269 WARN  [org.hibernate.sql.results.jdbc.internal.DeferredResultSetAccess] (executor-thread-5) HHH000444: Encountered request for locking however dialect reports that database prefers locking be done in a separate select (follow-on locking); results will be locked after initial query executes
2024-06-12 16:28:38,333 INFO  [org.keycloak.storage.ldap.LDAPIdentityStoreRegistry] (executor-thread-5) Creating new LDAP Store for the LDAP storage provider: 'ldap-provider', LDAP Configuration: {serverPrincipal=[HTTP/ucs-sso-ng.opa.intranet@OPA.INTRANET], pagination=[true], fullSyncPeriod=[-1], startTls=[true], connectionPooling=[true], usersDn=[dc=opa,dc=intranet], cachePolicy=[MAX_LIFESPAN], useKerberosForPasswordAuthentication=[false], importEnabled=[false], enabled=[true], bindDn=[uid=sys-idp-user,cn=users,dc=opa,dc=intranet], changedSyncPeriod=[-1], usernameLDAPAttribute=[uid], vendor=[other], uuidLDAPAttribute=[entryUUID], allowKerberosAuthentication=[true], connectionUrl=[ldap://ucs-2700.opa.intranet:7389], syncRegistrations=[false], authType=[simple], krbPrincipalAttribute=[krb5PrincipalName], debug=[false], searchScope=[2], keyTab=[/var/lib/univention-appcenter/apps/keycloak/conf/keycloak.keytab], useTruststoreSpi=[never], usePasswordModifyExtendedOp=[true], maxLifespan=[300000], trustEmail=[false], kerberosRealm=[OPA.INTRANET], priority=[0], userObjectClasses=[person], rdnLDAPAttribute=[uid], editMode=[READ_ONLY], validatePasswordPolicy=[false], batchSizeForSync=[1000]}, binaryAttributes: []
2024-06-12 16:28:52,833 ERROR [org.keycloak.theme.DefaultThemeManager] (executor-thread-5) Failed to find ADMIN theme keycloak, using built-in themes
2024-06-12 16:28:53,071 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (executor-thread-5) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:716)
        at java.base/javax.security.auth.Subject.doAs(Subject.java:439)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:69)
        at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:883)
        at org.keycloak.storage.UserStorageManager.getUserByCredential(UserStorageManager.java:159)
        at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByCredential(UserCacheSession.java:554)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:94)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processSingleFlowExecutionModel(DefaultAuthenticationFlow.java:442)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:268)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:1051)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:892)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:152)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:337)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.process(AuthorizationEndpoint.java:202)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildGet(AuthorizationEndpoint.java:113)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint$quarkusrestinvoker$buildGet_4b690b27439f19dd29733dc5fd4004f24de0adb6.invoke(Unknown Source)
        at org.jboss.resteasy.reactive.server.handlers.InvocationHandler.handle(InvocationHandler.java:29)
        at io.quarkus.resteasy.reactive.server.runtime.QuarkusResteasyReactiveRequestContext.invokeHandler(QuarkusResteasyReactiveRequestContext.java:141)
        at org.jboss.resteasy.reactive.common.core.AbstractResteasyReactiveContext.run(AbstractResteasyReactiveContext.java:147)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.jgss/sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:325)
        at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:168)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:131)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:121)
        at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
        ... 25 more
....

The error messages appear again:

SQL Error: 0, SQLState: 23505
…
FEHLER: doppelter Schlüsselwert verletzt Unique-Constraint
…
PrivilegedActionException: GSSException

In my mind it looks like a problem in the interaction from UCS and Keycloak!?
This error message should also appear for others, shouldn’t it?
Does anyone know a solution to this problem?