
diff --git a/broker/kerberos/src/main/java/org/keycloak/broker/kerberos/KerberosIdentityProvider.java b/broker/kerberos/src/main/java/org/keycloak/broker/kerberos/KerberosIdentityProvider.java
index 56b30fd..84ceb22 100644
--- a/broker/kerberos/src/main/java/org/keycloak/broker/kerberos/KerberosIdentityProvider.java
+++ b/broker/kerberos/src/main/java/org/keycloak/broker/kerberos/KerberosIdentityProvider.java
@@ -103,15 +103,23 @@ public class KerberosIdentityProvider extends AbstractIdentityProvider<KerberosI
             logger.trace("Sending back " + HttpHeaders.WWW_AUTHENTICATE + ": " + negotiateHeader);
         }
 
-        // Error page is rendered just if browser is unable to send Authorization header with SPNEGO token
-        Response response = request.getSession().getProvider(LoginFormsProvider.class)
+        Response response;
+        LoginFormsProvider loginFormsProvider = request.getSession().getProvider(LoginFormsProvider.class)
                 .setRealm(request.getRealm())
                 .setUriInfo(request.getUriInfo())
-                .setClient(request.getClientSession().getClient())
-                .setClientSessionCode(getRelayState(request))
-                .setWarning("errorKerberosLogin")
-                .setStatus(Response.Status.UNAUTHORIZED)
-                .createLogin();
+                .setStatus(Response.Status.UNAUTHORIZED);
+
+        if (request.getClientSession().getUserSession() == null) {
+            // User not logged. Display HTML with login form as fallback if SPNEGO token not found
+            response = loginFormsProvider.setClient(request.getClientSession().getClient())
+                    .setClientSessionCode(getRelayState(request))
+                    .setWarning("errorKerberosLogin")
+                    .createLogin();
+        } else {
+            // User logged and linking account. Display HTML with error if SPNEGO token not found
+            response = loginFormsProvider.setError("errorKerberosLinkAccount")
+                    .createErrorPage();
+        }
 
         response.getMetadata().putSingle(HttpHeaders.WWW_AUTHENTICATE, negotiateHeader);
         return AuthenticationResponse.fromResponse(response);
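Review bot: The new branch on `request.getClientSession().getUserSession() == null` treats any attached user session as a logged-in user who is linking an account, and nothing in the hunk checks that the session is still valid. If an expired or logged-out session can stay attached to the client session (not visible here), that user gets the bare error page and loses the login-form fallback. It is worth confirming that the caller has already validated the session and recording that assumption in the branch comment, e.g. `// User session was validated by the caller; user is linking an account`. As a style point, `request.getClientSession()` is now called three times and could be read once into a local before the `if`. The enclosing method begins and ends outside the hunk.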
diff --git a/forms/common-themes/src/main/resources/theme/login/base/messages/messages.properties b/forms/common-themes/src/main/resources/theme/login/base/messages/messages.properties
index 3819d67..ad76cf2 100755
--- a/forms/common-themes/src/main/resources/theme/login/base/messages/messages.properties
+++ b/forms/common-themes/src/main/resources/theme/login/base/messages/messages.properties
@@ -98,7 +98,8 @@ actionPasswordWarning=You need to change your password to activate your account.
 actionEmailWarning=You need to verify your email address to activate your account.
 actionFollow=Please fill in the fields below.
 
-errorKerberosLogin=Unable to login with Kerberos. Request Kerberos ticket or use different login mechanism
+errorKerberosLogin=Kerberos ticket not available. Use different login mechanism
+errorKerberosLinkAccount=Kerberos ticket not available.
 
 successHeader=Success!
 errorHeader=Error!