Reply
Master
Posts: 281
Registered: ‎07-01-2015

Cant access secured web UI - Solr UI (GSSException: Defective token detected)

Hi guys,

 I have a good old problem with accessing kerberized web http url from my browser, bumping into an error:

 

HTTP Status 403 - GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

 

My environment is a lab, so I have a non-domain computer (not joined to the Active Directory), I have Kerberos KDC running in one linux server, and then several linux servers running Hadoop. The cluster is kerberized, inside the cluster everything works with tickets (hdfs, impala-shell) but from outside I cant access the secured Solr site (and also I assume other sites, as namenode, resource manager web ui, it those would be secured as well).

 

I tried to google around this problem, read all posts here about spnego, tried everything so far:

1. adding the server running of the Solr into the trusted zones.

2. Downloaded Kerberos client for Windows, and sucessfully acquired a ticket

3. Under Run as Admin cmd: ksetup /addkdc MYREALM.LOCAL <kdchostip>

                                               ksetup /addhosttorealmmap <solrhost> MYREALM.LOCAL

4. Tried Chrome, IE, FireFox

 

But nothing helped. I guess the error is obvious, because the browser don't know WHERE  to contact the hadoop KDC server, even if I did the ksetup, it didnt helped. 

 

Running curl from any of the hadoop nodes:

 1. kinit hdpuser

 2. curl --negotiate -u : http://192.168.20.41:8983/solr/

works fine so the problem is around my browser, my OS or DNS or I dont know.

 

Any hints? 

Contributor
Posts: 34
Registered: ‎01-11-2016

Re: Cant access secured web UI - Solr UI (GSSException: Defective token detected)

I also have this problem, and under any Linux browser all works perfectly fine.

Under Windows Chrome and Firefox are failing with error provided.

 

It looks like Windows browsers has problem with making Cookie header (hadoop.auth)

  1. Cookie: hadoop.auth=

It is always empty.

When I do curl and retrieve the Set-Cookie: hadoop.auth= and in Windows browser I add header with some haeder manipulating pluging:

Cookie: hadoop.auth=${RETRIEVED_STRING}

I can get to the Solr web Console.

 

This is very uncomfortable and hard to do for non technical users.

Do not know what is the difference between Linux Chrome/Firefox and Windows versions.

 

Don't have any other solution yet.

If any one else can help that would be great!

Master
Posts: 281
Registered: ‎07-01-2015

Re: Cant access secured web UI - Solr UI (GSSException: Defective token detected)

Thanks for your experience.
Posts: 49
Topics: 0
Kudos: 11
Blog Posts: 0
Ideas: 0
Solutions: 5
Registered: ‎11-26-2015

Re: Cant access secured web UI - Solr UI (GSSException: Defective token detected)

Here are the main configuration steps for Firefox:

 

1) You need to open this URL in Firefox

 

about:config

 

2) Set this: network.negotiate-auth.trusted-uris 

 

Set for any cluster DNS domain requiring negotiated authentication (like the kerberos enabled cluster HTTP authentication). 

 

Example:

 

network.negotiate-auth.trusted-uris=.lily.cloudera.com,.solr.cloudera.com

 

2) Set this: network.auth.use-sspi=false

3) Restart Firefox

4) You have to download the Windows isntaller from here:

 

http://web.mit.edu/kerberos/dist/#kfw-4.0

 

5) Copy the Kerberos client configuration to here (this is the same what you have on Solr node /etc/krb5.conf):

 

C:\ProgramData\MIT\Kerberos5\krb5.ini

 

6) Create a ticket with the MIT kerberos GUI client


7) Open the Solr URL:

http://<hostname>:8983/solr/

Contributor
Posts: 34
Registered: ‎01-11-2016

Re: Cant access secured web UI - Solr UI (GSSException: Defective token detected)

Hi roczei,

 

Thank you for your reply.

 

I've done all the steps you've mentioned before beside setting: network.auth.use-sspi=false; FF restart.

I'll try that and will let you know if that helped.

Contributor
Posts: 34
Registered: ‎01-11-2016

Re: Cant access secured web UI - Solr UI (GSSException: Defective token detected)

Hi roczei

 

Thank you very much!

It works!

 

Can you tell if this is also possible to make this magic to InternetExplorer/Edge and Chrome?

Posts: 49
Topics: 0
Kudos: 11
Blog Posts: 0
Ideas: 0
Solutions: 5
Registered: ‎11-26-2015

Re: Cant access secured web UI - Solr UI (GSSException: Defective token detected)

Windows Chrome and IE both use Windows OS settings.  Because SSPI is native to Windows environments, it may not offer an equivalent authentication mechanism for MIT kerberos environments. I recommend using only Firefox on Windows if you would like to use SPNEGO.

Explorer
Posts: 10
Registered: ‎03-24-2015

Re: Cant access secured web UI - Solr UI (GSSException: Defective token detected)

[ Edited ]

Still no luck with your method.

After more dig, combine with this method works for me:

https://community.cloudera.com/t5/Cloudera-Manager-Installation/Kerberos-authentication-from-windows...

 

Hope help others

New Contributor
Posts: 1
Registered: ‎08-10-2017

Re: Cant access secured web UI - Solr UI (GSSException: Defective token detected)

This workaround was useful !
Announcements