https://community.cloudera.com/t5/Archives-of-Support-Questions/Yarn-ATS-replay-request-on-security-enabled-cluster/m-p/203282#M59658 <P>Hello community,</P><P>I'have a cluster with kerberos and after a restart I'm having the following error when trying to reach the ATS </P><PRE>&lt;html&gt; &lt;head&gt; &lt;meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/&gt; &lt;title&gt;Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))&lt;/title&gt; &lt;/head&gt; &lt;body&gt;&lt;h2&gt;HTTP ERROR 403&lt;/h2&gt; &lt;p&gt;Problem accessing /applicationhistory. Reason: &lt;pre&gt; GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))&lt;/pre&gt;&lt;/p&gt;&lt;hr /&gt;&lt;i&gt;&lt;small&gt;Powered by Jetty://ll&gt;&lt;/i&gt;&lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;/body&gt; &lt;/html&gt;</PRE>I've tried with diferent principals but the issue persist.<P>The resource manager and the rest of the spnego authenticated web consoles still working properly.</P><P>Any idea about what is going on?</P><P>Thank you in advance</P> Wed, 19 Apr 2017 00:57:04 GMT juan_manuel_nie 2017-04-19T00:57:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Yarn-ATS-replay-request-on-security-enabled-cluster/m-p/203282#M59658 <P>Hello community,</P><P>I'have a cluster with kerberos and after a restart I'm having the following error when trying to reach the ATS </P><PRE>&lt;html&gt; &lt;head&gt; &lt;meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/&gt; &lt;title&gt;Error 403 GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))&lt;/title&gt; &lt;/head&gt; &lt;body&gt;&lt;h2&gt;HTTP ERROR 403&lt;/h2&gt; &lt;p&gt;Problem accessing /applicationhistory. Reason: &lt;pre&gt; GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))&lt;/pre&gt;&lt;/p&gt;&lt;hr /&gt;&lt;i&gt;&lt;small&gt;Powered by Jetty://ll&gt;&lt;/i&gt;&lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;/body&gt; &lt;/html&gt;</PRE>I've tried with diferent principals but the issue persist.<P>The resource manager and the rest of the spnego authenticated web consoles still working properly.</P><P>Any idea about what is going on?</P><P>Thank you in advance</P> Wed, 19 Apr 2017 00:57:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Yarn-ATS-replay-request-on-security-enabled-cluster/m-p/203282#M59658 juan_manuel_nie 2017-04-19T00:57:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Yarn-ATS-replay-request-on-security-enabled-cluster/m-p/203283#M59659 <P>Hello <A rel="user" href="https://community.cloudera.com/users/1816/juanmanuelnieto.html" nodeid="1816">@Juan Manuel Nieto</A>,</P><P>The 'request is a replay' usually means that your Kerberos KDC is processing two same requests (almost) at the same time and 'thinks' that the second request is actually a replay attack than a legitimate request. Therefore it will drop the second request.</P><P>Things to check here:</P><P>1. KDC logs - try to find out for which requests and what principal, it is complaining about</P><P>2. Application log - Check YARN ATS log for any possible error w.r.t. Kerberos</P><P>3. Are you using same keytab with multiple services? (apart from spnego.service.keytab which is shared across services on a node). If yes, please try and use different keytabs for different services.</P><P>For the logs, it'll be worth to increase the Kerberos debug level by setting up "-Dsun.security.krb5.debug=true" in the JVM parameters and also try 'export KRB5_TRACE=/tmp/somefile' on the client-side before running a curl request (using browser won't help much).</P><P>Hope this helps !</P> Mon, 24 Apr 2017 20:21:15 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Yarn-ATS-replay-request-on-security-enabled-cluster/m-p/203283#M59659 VR46 2017-04-24T20:21:15Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Yarn-ATS-replay-request-on-security-enabled-cluster/m-p/203284#M59660 <P style="margin-left: 20px;">Hello <A rel="user" href="https://community.cloudera.com/users/740/vrathor.html" nodeid="740">@Vipin Rathor</A>,</P><P style="margin-left: 20px;">An apology for the delay in the answer, finally I solved it, as you said the problem with the replay was that he was trying to authenticate multiple times in a very short time, this was caused by curl and the -L parameter, for some reason curl wasn't storing the session cookie, I fixed it using -c &lt;file path&gt; -b &lt;file path&gt; parameter to store the cookie.</P><P style="margin-left: 20px;">Thank you.</P><P style="margin-left: 20px;"></P><P style="margin-left: 20px;"> </P> Wed, 17 May 2017 22:15:59 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Yarn-ATS-replay-request-on-security-enabled-cluster/m-p/203284#M59660 juan_manuel_nie 2017-05-17T22:15:59Z