<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Re: Failing to connect to KDC during enable kerberos, CA certificate has been imported into Ambari &amp; Java trust stores in Support Questions</title>
    <link>https://community.cloudera.com/t5/Support-Questions/Failing-to-connect-to-KDC-during-enable-kerberos-CA/m-p/237341#M199154</link>
    <description>&lt;P&gt;I have checked the Ambari Server log but it's not really very helpful. &lt;/P&gt;&lt;P&gt;sudo $JAVA_HOME/bin/keytool -list -v -keystore /var/lib/ambari-server/keys/ambari-server-truststore &amp;gt; /tmp/05122018_Ambari_truststore_cert&lt;/P&gt;&lt;P&gt;Confirmed the truststore location matches the ambari.properties location under /etc/ambari-server/conf/ambari.properties.&lt;/P&gt;&lt;P&gt;@Robert Levas, your suggestion might help but do you not reckon it might cause issues later down the line? Feels like it would be a bit "hacky" &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; .. Kind Regards&lt;/P&gt;&lt;P&gt;05 Dec 2018 14:56:00,217 ERROR [ambari-client-thread-303] KerberosHelperImpl:2232 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://ad-serverxxxx:636: simple bind failed ad-serverxxxx:636
Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.
05 Dec 2018 14:56:00,217 ERROR [ambari-client-thread-303] BaseManagementHandler:67 - Bad request received: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://ad-serverxxxx:636 simple bind failed: ad-serverxxx:636
Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.
05 Dec 2018 15:02:51,205  INFO [ambari-client-thread-554] AmbariManagementControllerImpl:4173 - Received action execution request, clusterName=caphdpoc, request=isCommand :true, action :null, command :KERBEROS_SERVICE_CHECK, inputs :{HAS_RESOURCE_FILTERS=true}, resourceFilters: [RequestResourceFilter{serviceName='KERBEROS', componentName='null', hostNames=[]}], exclusive: false, clusterName :caphdppoc
05 Dec 2018 15:02:51,364  WARN [ambari-client-thread-554] ADKerberosOperationHandler:470 - Failed to communicate with the Active Directory at ldaps://ad-serverxxxx:636:: simple bind failed: ad-serverxxxx:636
javax.naming.CommunicationException: simple bind failed: ad-serverxxxx:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
        at com.sun.jndi.ldap.LdapCtx.&amp;lt;init&amp;gt;(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.ldap.InitialLdapContext.&amp;lt;init&amp;gt;(InitialLdapContext.java:154)
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createInitialLdapContext(ADKerberosOperationHandler.java:514)
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createLdapContext(ADKerberosOperationHandler.java:465)
        at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.open(ADKerberosOperationHandler.java:182)
        at ......&lt;/P&gt;&lt;P&gt;com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
        ... 114 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:262)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        ... 127 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 133 more
05 Dec 2018 15:02:51,367 ERROR [ambari-client-thread-554] KerberosHelperImpl:2232 - Cannot validate credentials: org.apache.ambari.server.serveraction.kerberos.KerberosInvalidConfigurationException: Failed to connect to KDC - Failed to communicate with the Active Directory at ldaps://ad-serverxxxx:636 simple bind failed: ad-serverxxxx:636
Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.
05 Dec 2018 15:02:51,367 ERROR [ambari-client-thread-554] BaseManagementHandler:67 - Bad request received: Failed to connect to KDC - Failed to communicate with the Active Directory at ldap://ad-serverxxxx:636: simple bind failed: ad-serverxxxx:636
Make sure the server's SSL certificate or CA certificates have been imported into Ambari's truststore.&lt;/P&gt;</description>
    <pubDate>Thu, 06 Dec 2018 23:00:54 GMT</pubDate>
    <dc:creator>nico_jordaan</dc:creator>
    <dc:date>2018-12-06T23:00:54Z</dc:date>
  </channel>
</rss>

