I decided to take control of my own authN and authZ - might regret it later, but there is a lot of learning to be found when doing things yourself rather than using a service provided by others.

Standard installs are quite easy, but I wanted to use Microsoft SQL Server merely because that's what I am most familiar with. And Keycloak does support it.

However, I followed the official documentation and still it would not work and I would get errors around connection timeouts for some strange reason.

After a lot of googling with bing and binging google, I found that there was some extra configuration needed to support XA which Keycloak expects.

Configuring support for XA (eXtended Architecture)

Normally, you just care about the 1433 port, but for this to work you need to add some extra ports:

docker run \
   -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<YourStrong!Passw0rd>' \
   -e 'MSSQL_RPC_PORT=135' -e 'MSSQL_DTC_TCP_PORT=51000' \
   -p 1433:1433 -p 135:135 -p 51000:51000  \
   -d mcr.microsoft.com/mssql/server:2019-latest

Once the SQL server is running, log on using your favourite tool and issue the following command to install support for XA:

EXEC sp_sqljdbc_xa_install

Creating the Keycloak database

We now need to create the Keycloak database and add the database user with a XA role.

create database keycloak;
create login keycloak with password = 'lol!Iusepasswords';
 use master;
 sp_grantdbaccess 'keycloak', 'keycloak';
 EXEC sp_addrolemember [SqlJDBCXAUser], 'keycloak'
use keycloak
create user keycloak for login keycloak
EXEC sp_addrolemember N'db_owner', N'keycloak'

Launching Keycloak in production mode

If you dont have access to localhost then you need to specify the following environment variables to enable an admin account when you start Keycloak:

export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=omg..passwords..
/opt/keycloak/bin/kc.sh start --hostname=<hostname> --proxy edge --db-url-host <db_server> --db-username keycloak --db-password <db_password>