Unexpected HTTP/1.x request (HTTP/2 mismatch) when enabling Kerberos (SPNEGO)
#45.863 geöffnet am 29. Jan. 2026
Repository-Metriken
- Stars
- (34.398 Stars)
- PR-Merge-Metriken
- (Durchschn. Merge 6T 19h) (384 gemergte PRs in 30 T)
Beschreibung
Before reporting an issue
- I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.
Area
authentication
Describe the bug
Hello,
Environment
Keycloak 26.4.5 : Deployed on kubernetes and Keycloak behind Traefik Browsers: Chrome / Firefox (behavior differs per browser)
Observed behaviour
Enabling Kerberos in the browser authentication flow triggers the issue.
Keycloak log example:
ERROR io.vertx.core.net.impl.ConnectionBase Unexpected HTTP/1.x request: GET /realms/XXXX/account io.netty.handler.codec.http2.Http2Exception: Unexpected HTTP/1.x request: GET /favicon.ico
Workaround tested
QUARKUS_HTTP_HTTP2=false (disable HTTP/2 on Keycloak) — problem disappears.
Version
26.4.5
Regression
- The issue is a regression
Expected behavior
No mismatch protocol
Actual behavior
When I enable Kerberos (SPNEGO) in the browser authentication flow, Keycloak logs an HTTP/2/HTTP1.x protocol mismatch (Vert.x / Netty: "Unexpected HTTP/1.x request"). Setting QUARKUS_HTTP_HTTP2=false on Keycloak removes the issue.
How to Reproduce?
- Ensure Keycloak is reachable only via Traefik.
- Enable Kerberos (SPNEGO) in the browser authentication flow (Account / Browser flow).
- From a browser perform a full login using the Kerberos/SPNEGO flow.
- Trigger the problematic sequence by invoking the flow that uses Negotiate. Observe several 401/Negotiate exchanges between browser and server.
- During/after the Kerberos exchanges, reload the page or request a protected Keycloak resource.
- Observe failures: some requests return 500 and Keycloak logs the Http2Exception "Unexpected HTTP/1.x request".
Anything else?
No response