Avoid NPE when checking exceptions for password based Kerberos login

Closes #36061

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>

federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java

@@ -102,21 +102,28 @@ public class KerberosUsernamePasswordAuthenticator {
     }
 
     protected void checkKerberosServerAvailable(LoginException le) {
-        String message = le.getMessage().toUpperCase();
+        if (le.getMessage() != null) {
-        if (message.contains("PORT UNREACHABLE") ||
+            String message = le.getMessage().toUpperCase();
-            message.contains("CANNOT LOCATE") ||
+            if (message.contains("PORT UNREACHABLE") ||
-            message.contains("CANNOT CONTACT") ||
+                message.contains("CANNOT LOCATE") ||
-            message.contains("CANNOT FIND") ||
+                message.contains("CANNOT CONTACT") ||
-            message.contains("UNKNOWN ERROR") ||
+                message.contains("CANNOT FIND") ||
-            message.contains("RECEIVE TIMED OUT")) {
+                message.contains("UNKNOWN ERROR") ||
+                message.contains("RECEIVE TIMED OUT")) {
+                throw new ModelException("Kerberos unreachable", le);
+            }
+        } else if (le.getCause() instanceof IOException) {
+            // for example, a PortUnreachable exception if the server is not running
             throw new ModelException("Kerberos unreachable", le);
         }
     }
 
     protected void checkKerberosUsername(LoginException le) {
-        String message = le.getMessage();
+        if (le.getMessage() != null) {
-        if (message.contains("IllegalArgumentException")) {
+            String message = le.getMessage();
-            throw new ModelException("Kerberos illegal username", le);
+            if (message.contains("IllegalArgumentException")) {
+                throw new ModelException("Kerberos illegal username", le);
+            }
         }
     }