user3593261

Reputation: 568

HDFS WebUI Kerberos authentication fails from IE because credentials can't be found

I set up my HDFS service with Kerberos authentication. This is the configuration:

<property>
    <name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.AuthenticationFilterInitializer</value>
</property>

<property>
    <name>hadoop.http.authentication.type</name>
    <value>kerberos</value>
</property>

<property>
    <name>hadoop.http.authentication.simple.anonymous.allowed</name>
    <value>false</value>
</property>

<property>
    <name>hadoop.http.authentication.signature.secret.file</name>
    <value>/opt/hadoop/hdfs/default/etc/hadoop/hadoop-http-auth-signature-secret</value>
</property>

<property>
    <name>hadoop.http.authentication.kerberos.principal</name>
    <value>HTTP/[email protected]</value>
</property>

<property>
    <name>hadoop.http.authentication.kerberos.keytab</name>
    <value>/opt/hadoop/hdfs/default/etc/hadoop/HTTP.keytab</value>
</property>

<property>
    <name>hadoop.http.authentication.cookie.domain</name>
    <value>CLOUD.LOCAL</value>
</property>

I'm able to test the authentication from a Linux environment by running:

$ kinit "HTTP/[email protected]"

$ curl -k -v -u "HTTP/[email protected]" --negotiate https://...:50470

This returns good contents.

But when I tried to access from Windows IE, it returns:

GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)

I already copied /etc/krb5.conf from the server to C:\Windows\krb5.ini and added the hostname to the security zone. What else should I do for the IE to recognize where to find the key?

I even tried installing the MIT Kerberos application (http://doc.mapr.com/display/MapR/Configuring+Kerberos+Authentication+for+Windows) to enable the authentication environment, but it still doesn't work. I have no idea now.

Upvotes: 2

Views: 1186

Answers (1)

T-Heron

Reputation: 5594

Windows clients by default don't need a C:\Windows\krb5.ini to negotiate Kerberos, though you would need it if you were trying to perform some advanced procedures such as validating a Kerberos keytab on the Windows system itself. Going forward, it doesn't hurt to keep that file in place now that you have it there. I think the problem really has to do with IE security zone settings. It might be something you missed, as this can be tricky.

  1. Add http://192.168.47.143 and *.cloud.local to the IE Local Intranet zone on your client machine.
  2. Ensure that Windows credentials are configured to be sent to the remote server in the Intranet Zone (this is the default).
  3. Under the IE Advanced tab the "Enable Integrated Windows Authentication" box must be checked.
  4. I would clear out IE Temporary Internet Files, and then run klist purge, and then restart IE before testing again.

Note that Kerberos works best with host names. Best Practice is to avoid using IP addresses. With Kerberos, clients have to be in the same domain as the target resource unless (1) a working, verifiable trust is in place between the domains, and (2) the target resource must be ACL'd allowing the client to access. Otherwise the token could come across as NTLM, in which case the SPNEGO library will deem it to be a "defective token".

Upvotes: 1
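To check the answer's closing point (a token arriving as NTLM instead of Kerberos), the value of the browser's "Authorization: Negotiate" request header can be decoded and classified. The following is an added example, not part of the original question or answer; the function names are hypothetical and the sample tokens are constructed, not captured traffic.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),           # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),           # 1.2.840.48018.1.2.2 (legacy Microsoft)
)
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def _der(tag, body):
    # Short-form DER length only; enough for the constructed samples below.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP):
        return "raw-ntlm"   # the case a Kerberos-only SPNEGO server rejects
    if not token.startswith(b"\x60"):
        return "unknown"    # not a GSS-API initial context token
    # Heuristic: mechTypes precede the mechToken, so the earliest mechanism
    # OID found is the mechanism the client prefers.
    hits = [(token.find(oid), "kerberos") for oid in KRB5_OIDS]
    hits.append((token.find(OID_NTLM), "ntlm-in-spnego"))
    hits = sorted(h for h in hits if h[0] >= 0)
    if hits:
        return hits[0][1]
    return "spnego-other" if OID_SPNEGO in token else "unknown"


def sample_headers():
    """Constructed header values (no mechToken) for the two cases."""
    mech_types = _der(0x30, KRB5_OIDS[1] + KRB5_OIDS[0] + OID_NTLM)
    neg_init = _der(0xA0, _der(0x30, _der(0xA0, mech_types)))
    spnego = _der(0x60, OID_SPNEGO + neg_init)
    ntlm = NTLMSSP + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2"
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode()
    return {"kerberos": enc(spnego), "raw-ntlm": enc(ntlm)}
```

A header value that begins with "Negotiate TlRMTVNT" is the base64 form of the NTLMSSP signature, so the NTLM case can also be recognised by eye in a browser trace or server debug log.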
