https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387489#M246329 <P>Dear&nbsp;@Former Member, much thanks for the reply.&nbsp; I am using Kerberos outbound only setup and I have followed all steps including registry key change to allow TGTSession sharing (WIN Memory).&nbsp; I have not se any jaas.conf.&nbsp; The examples I find use file based cache.&nbsp; Also, below is a debug output of what the session sees:</P><P>get normal credential<BR />&gt;&gt;&gt; KrbCreds found the default ticket granting ticket in credential cache.<BR />Java config name: null<BR />Native config name: C:\Windows\krb5.ini<BR />Loaded from native config<BR />&gt;&gt;&gt; Obtained TGT from LSA: Credentials:<BR />client=demo@DC1.PW.ORG<BR />server=krbtgt/DC1.PW.ORG@DC1.PW.ORG<BR />authTime=20240425145720Z<BR />startTime=20240425145720Z<BR />endTime=20240426005720Z<BR />renewTill=null<BR />flags=INITIAL;PRE-AUTHENT</P><P>Question, when I go to C:\Windows\krb5.ini (of demo user) there is no such file,&nbsp; how should I interpret this?</P><P>#2 all jaas config sample I see are pointing to file-based cache or where IWA is enabled.&nbsp; I have not, what I have done is enabled WIN memory sharing of the TGT ticket, enabled unconstrained delegation, ensure all steps &amp; settings nuances for a WIN are placed.</P><P>I do appreciate the help!!!</P> Thu, 02 May 2024 00:15:55 GMT rsheikh 2024-05-02T00:15:55Z https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387410#M246312 <P>Hello my client is a WIN server 2019, setup outbound Kerberos only, I have enabled WIN registry keys for TGT Session sharing, environment var pointing to CDP JARS, CONFIG paths and default Java_Home to the bundled Zulu private JRE which these days is using Java 11 and comes with unlimited strength JCE (per provider).&nbsp; I could do kinit and receive klist.&nbsp;&nbsp;</P><P>SAS is the application.&nbsp; I have setup the CDP JDBC URI provided by CDP team and trustore w credentials.</P><P>I have <STRONG>not done</STRONG> krb5.ini, nor jaas config, nor pointed the env variable&nbsp;java.security.auth.login.config to jaas config.</P><P>I get this error:</P><P>ERROR: java.sql.SQLException: [Cloudera][HiveJDBCDriver](500168) Error creating login context using ticket cache: Unable to obtain Principal Name for authentication .</P><P>ERROR: Error trying to establish connection: [Cloudera][HiveJDBCDriver](500168) Error creating login context using ticket cache:&nbsp;Unable to obtain Principal Name for authentication .</P><P>I researched here and some questions are around 2017-18 and community manager responded to another user to start a new question, hence my question here.&nbsp;&nbsp;</P><P>Thank you in advance for your time and suggestions.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Apr 2024 14:24:13 GMT https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387410#M246312 rsheikh 2024-04-30T14:24:13Z https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387471#M246321 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/22956">@rsheikh</a>&nbsp;</P><UL><LI>Ensure that the Kerberos configuration (krb5.ini) is correctly set up on your Windows Server 2019 machine. The krb5.ini file should contain the necessary realm and KDC (Key Distribution Center) information for your Kerberos setup.</LI><LI>Set the java.security.auth.login.config environment variable to point to the JAAS (Java Authentication and Authorization Service) configuration file (jaas.conf). This file defines the login modules used for authentication.</LI><LI>Verify that the realm and principal settings in krb5.ini match the configuration of your Kerberos environment.</LI></UL><P>&nbsp;</P><P>Regards,</P><P>Chethan YM</P> Wed, 01 May 2024 11:50:51 GMT https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387471#M246321 ChethanYM 2024-05-01T11:50:51Z https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387489#M246329 <P>Dear&nbsp;@Former Member, much thanks for the reply.&nbsp; I am using Kerberos outbound only setup and I have followed all steps including registry key change to allow TGTSession sharing (WIN Memory).&nbsp; I have not se any jaas.conf.&nbsp; The examples I find use file based cache.&nbsp; Also, below is a debug output of what the session sees:</P><P>get normal credential<BR />&gt;&gt;&gt; KrbCreds found the default ticket granting ticket in credential cache.<BR />Java config name: null<BR />Native config name: C:\Windows\krb5.ini<BR />Loaded from native config<BR />&gt;&gt;&gt; Obtained TGT from LSA: Credentials:<BR />client=demo@DC1.PW.ORG<BR />server=krbtgt/DC1.PW.ORG@DC1.PW.ORG<BR />authTime=20240425145720Z<BR />startTime=20240425145720Z<BR />endTime=20240426005720Z<BR />renewTill=null<BR />flags=INITIAL;PRE-AUTHENT</P><P>Question, when I go to C:\Windows\krb5.ini (of demo user) there is no such file,&nbsp; how should I interpret this?</P><P>#2 all jaas config sample I see are pointing to file-based cache or where IWA is enabled.&nbsp; I have not, what I have done is enabled WIN memory sharing of the TGT ticket, enabled unconstrained delegation, ensure all steps &amp; settings nuances for a WIN are placed.</P><P>I do appreciate the help!!!</P> Thu, 02 May 2024 00:15:55 GMT https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387489#M246329 rsheikh 2024-05-02T00:15:55Z https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387524#M246337 <P>update: I have made some progress, placed the krb5.ini file.&nbsp; Currently at:</P><PRE> ERROR: Caused by: com.cloudera.hiveserver2.support.exceptions.GeneralException: [Cloudera][HiveJDBCDriver](500168) Error creating <BR />login context using ticket cache: Unable to obtain Principal Name for authentication .<BR />ERROR: ... 12 more<BR />ERROR: Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication </PRE><P>&nbsp;May I get an example of a jaas.conf file I did find some using keytab etc while my setup is memory based sharing of tgt tickets.&nbsp; I appreciate your time.</P><P>Thank you in advance.</P> Thu, 02 May 2024 20:09:31 GMT https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387524#M246337 rsheikh 2024-05-02T20:09:31Z https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387695#M246395 <P>For doc purpose and if it could be helpful to someone</P><OL><LI>We took krb5.ini that was used at the CDP cluster and saved it to client WIN server</LI><LI>We used LogLevel=6 LogPath=&lt;some-path&gt; in our jdbc URI to enable trace level log</LI></OL><P>Based on findings from the trace level logs&nbsp;java.security.auth.login.config was pointing to an incorrect login module.&nbsp; Since we turned on memory based cache, removing pointer to the&nbsp;java.security.auth.login.config forced correct tgt ticket to be picked.&nbsp; We did not opt for a custom jaas.conf either.</P><P>There were minor tweak of domain &amp; realm value.</P><P>This resolved our issue.</P> Wed, 08 May 2024 21:43:13 GMT https://community.cloudera.com/t5/Support-Questions/Error-creating-login-context-using-ticket-cache-Unable-to/m-p/387695#M246395 rsheikh 2024-05-08T21:43:13Z