Datastax with Kerberos - TTransportNegotiationException

Question

I'm getting the follwing two exceptions while connecting to kerberos enabled Datastax from cassandra-cli:-

1. ERROR [Thrift:1] 2013-09-03 11:01:01,025 CustomTThreadPoolServer.java (line 210) Error occurred during processing of message. java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Failure to initialize security context

2. ERROR [Thrift:2] 2013-09-03 11:01:01,061 TNegotiatingServerTransport.java (line 291) An error occurred during transport negotiation com.datastax.bdp.transport.common.TTransportNegotiationException: Improper authentication type requested. Requested auth: No authentication with service principal: FRAMED_TRANSPORT_FAKE_PRINCIPAL, Allowed auth: Kerberos

Answer 1

This problem might be caused by misconfigured Kerberos. Just recently we found that error reporting for kerberos-related problems is misleading sometimes, because the client tries to connect without kerberos if kerberos connection fails in the first place. Unfortunately only the exception from that fallback attempt is being logged instead of the original error. This will be fixed in the next patch release (3.1.4).

Can you try to connect with

cassandra-cli -tr com.datastax.bdp.transport.client.TKerberosClientTransportFactory 

to disable the no-kerberos fallback and look what's the error then? You might also want to look into system.log and check what server is trying to tell you.

Answer 2

The second error indicates that the cassandra-cli connection is not secured:

Requested auth: No authentication with service principal: FRAMED_TRANSPORT_FAKE_PRINCIPAL
Allowed auth: Kerberos

Are you running cassandra-cli from one of the nodes in the secure DSE cluster or from a remote machine outside the cluster?