https://community.cloudera.com/t5/Archives-of-Support-Questions/LDAPS-connection-failure-while-using-Ambari-Kerberos-wizard/m-p/162670#M24765 <P>We are having trouble using the Kerberos wizard in Ambari when testing the connection to our AD domain controllers over LDAPS. They sit behind a load-balancer which is secured using a third-party trusted certificate. Originally we thought that the certificate was at issue as testing with an openssl client was producing a “self-signed” warning. This was corrected though when we updated the underlying OS software and it presumably updated the root certificate.</P><P>The errors we receive in the log are the following:</P><PRE>ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed WARN [qtp-ambari-client-23]KdcServerConnectionVerification:167 - Failed to connect to the KDC server at &lt;servername&gt;:636 over TCP WARN [qtp-ambari-client-23] KdcServerConnectionVerification:197 - Timeout occurred while attempting to communicate with KDC server at &lt;servername&gt;:636 over UDP ERROR[qtp-ambari-client-23] KdcServerConnectionVerification:113 - Failed to connect to the KDC at &lt;servername&gt;:636 using either TCP or UDP</PRE><P>We have tested the port on the load balancer using netcat/openssl and ran a search using ldapsearch, they were all able to connect to that port and ldapsearch returned results. Using the test option in the wizard also works when the connection is to a standard domain controller over port 389. We’ve also been able to setup LDAPS authentication for the Ambari web console to the same load balancer address which also works fine.</P><P>Any insights into what might be wrong or should we move forward with manual creation/distribution of keytabs and principals?</P> Fri, 16 Sep 2022 10:12:53 GMT alan9270 2022-09-16T10:12:53Z https://community.cloudera.com/t5/Archives-of-Support-Questions/LDAPS-connection-failure-while-using-Ambari-Kerberos-wizard/m-p/162670#M24765 <P>We are having trouble using the Kerberos wizard in Ambari when testing the connection to our AD domain controllers over LDAPS. They sit behind a load-balancer which is secured using a third-party trusted certificate. Originally we thought that the certificate was at issue as testing with an openssl client was producing a “self-signed” warning. This was corrected though when we updated the underlying OS software and it presumably updated the root certificate.</P><P>The errors we receive in the log are the following:</P><PRE>ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed ERROR [ambari-kdc-verify] KdcConnection:380 - Authentication failed WARN [qtp-ambari-client-23]KdcServerConnectionVerification:167 - Failed to connect to the KDC server at &lt;servername&gt;:636 over TCP WARN [qtp-ambari-client-23] KdcServerConnectionVerification:197 - Timeout occurred while attempting to communicate with KDC server at &lt;servername&gt;:636 over UDP ERROR[qtp-ambari-client-23] KdcServerConnectionVerification:113 - Failed to connect to the KDC at &lt;servername&gt;:636 using either TCP or UDP</PRE><P>We have tested the port on the load balancer using netcat/openssl and ran a search using ldapsearch, they were all able to connect to that port and ldapsearch returned results. Using the test option in the wizard also works when the connection is to a standard domain controller over port 389. We’ve also been able to setup LDAPS authentication for the Ambari web console to the same load balancer address which also works fine.</P><P>Any insights into what might be wrong or should we move forward with manual creation/distribution of keytabs and principals?</P> Fri, 16 Sep 2022 10:12:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/LDAPS-connection-failure-while-using-Ambari-Kerberos-wizard/m-p/162670#M24765 alan9270 2022-09-16T10:12:53Z https://community.cloudera.com/t5/Archives-of-Support-Questions/LDAPS-connection-failure-while-using-Ambari-Kerberos-wizard/m-p/162671#M24766 <A rel="user" href="https://community.cloudera.com/users/4486/alan9270.html" nodeid="4486">@Alan Watt</A><P>The KDC verification process does not use the LDAP interface. It uses the KDC interface. So the port should be 88 not 636. This means that that in the KDC host field you entered in the LDAP details rather than the KDC admin details, thus the failure. </P><P>Try setting the KDC host and KAdmin hosts to &lt;servername&gt;:88 and try again.</P> Fri, 08 Apr 2016 23:37:05 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/LDAPS-connection-failure-while-using-Ambari-Kerberos-wizard/m-p/162671#M24766 rlevas 2016-04-08T23:37:05Z https://community.cloudera.com/t5/Archives-of-Support-Questions/LDAPS-connection-failure-while-using-Ambari-Kerberos-wizard/m-p/162672#M24767 <P>Many thanks, I've changed the port and the connection test is passing.</P> Sat, 09 Apr 2016 00:38:59 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/LDAPS-connection-failure-while-using-Ambari-Kerberos-wizard/m-p/162672#M24767 alan9270 2016-04-09T00:38:59Z