From a4f6134ba3cab4a4778c21e31b55ad819f1df3ce Mon Sep 17 00:00:00 2001
From: Tomohiro Nagai
Date: Thu, 10 Mar 2022 00:41:29 +0900
Subject: [PATCH] Support kerberos IllegalArgumentException closes #10672
---
 .../impl/KerberosUsernamePasswordAuthenticator.java | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
index e210be896f8..38d28e8e835 100644
--- a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
+++ b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java
@@ -70,6 +70,7 @@ public class KerberosUsernamePasswordAuthenticator {
 logger.debugf("Message from kerberos: %s", message);
 checkKerberosServerAvailable(le);
+ checkKerberosUsername(le);
 // Bit cumbersome, but seems to work with tested kerberos servers
 boolean exists = (!message.contains("Client not found"));
@@ -92,6 +93,7 @@ public class KerberosUsernamePasswordAuthenticator {
 return true;
 } catch (LoginException le) {
 checkKerberosServerAvailable(le);
+ checkKerberosUsername(le);
 logger.debug("Failed to authenticate user " + username, le);
 return false;
@@ -110,6 +112,13 @@ public class KerberosUsernamePasswordAuthenticator {
 }
 }
+ protected void checkKerberosUsername(LoginException le) {
+ String message = le.getMessage();
+ if (message.contains("IllegalArgumentException")) {
+ throw new ModelException("Kerberos illegal username", le);
+ }
+ }
+
 /**
 * Returns true if user was successfully authenticated against Kerberos
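Review bot: The `checkKerberosUsername(le)` call added here, and again in the second hunk, relies on the helper from the third hunk, which calls `message.contains("IllegalArgumentException")` on `le.getMessage()` with no null guard. A `LoginException` may carry no detail message, in which case the helper raises a `NullPointerException` instead of classifying the failure. I would guard it with `if (message != null && message.contains("IllegalArgumentException")) {`. Matching an exception class name inside message text is also brittle across JDK and login-module versions. If the module attaches the original exception as the cause (not visible in this patch), `le.getCause() instanceof IllegalArgumentException` would be a sturdier test. The enclosing catch block starts and ends outside this hunk.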
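Review bot: In this catch block the new `checkKerberosUsername(le)` call sits above `logger.debug("Failed to authenticate user " + username, le)`. A username the Kerberos library rejects therefore leaves the method with a `ModelException` before the failed attempt is logged and before `return false` is reached. The username is client-supplied, so every caller of this method has to treat that exception as an ordinary failed login rather than a server fault. That handling is not visible in this patch and should be confirmed. I would move the `logger.debug(...)` line above the two checks so the attempt is always recorded. I would also add a comment on the helper such as `// Thrown for principals the Kerberos library rejects as malformed; callers must handle this as a failed login`. The method body starts and ends outside this hunk.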