Community Articles

Find and share helpful community-sourced technical articles.


After Kerberos HDP/HDF cluster, some native admin UI will return "401 Authentication required".

For example, Ambari Infra Solr Admin UI


This is because the web UI is configured for SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to extend Kerberos to HTTP. Client must have a valid Kerberos ticket and send by browser.

Mac Kerberos Client Configuration

Kerberos software is installed by default in Mac OS, but need to add configure file to access your KDC server.

$ sudo vi /Library/Preferences/
  default_realm = "HORTONWORKS.COM" 
  dns_fallback = "yes"
  noaddresses = "TRUE"
  admin_server = "" 
  default_domain = "" 
  kdc = "" 

Firefox Configuration

type about:config

search negotiate-auth


Option1 Command Line

command line to init a kerberos ticket

$ kinit hadoopadmin@HORTONWORKS.COM
hadoopadmin@HORTONWORKS.COM's password:

list the ticket

$ klist

Option2 Ticket Viewer

Go to Ticket Viewer Folder CoreServices


Go to the folder: /System/Library/CoreServices/


Find Ticket Viewer


Add Identity


Then you can see the identity


Access UI again



@wbu Thank you for the post but could you please help me understand that how you have created HORTONWORKS.COM (REALM) and "hadoopadmin" principal on mac for which you have generated a ticket using principal's password? I am using "kadmin -l" to init a new REALM "EXAMPLE.COM" in line with cluster REALM and also the username "hadoopadmin" but when I try adding a REALM using "init -r <realm name>", I get:

kadmin: create_random_entry(krbtgt/EXAMPLE.COM@EXAMPLE.COM): randkey failed: Principal does not exist
init -r <realm name>

Or if I try adding a principal "add -r hadoopadmin@EXAMPLE.COM", I get:

kadmin: adding hadoopadmin@EXAMPLE.COM: Principal does not exist
vi /Library/Preferences/ OR vi /etc/krb5.conf = "EXAMPLE.COM" = "EXAMPLE.COM"
  default_realm = "EXAMPLE.COM"
  dns_fallback = "yes"
  noaddresses = "TRUE"
  admin_server = ""
  default_domain = ""
  kdc = ""

As far as I understand, on mac machine following steps must be performed before doing the above given steps:

1. Create vi /etc/krb5.conf

2. Create a new REALM "EXAMPLE.COM" (same as Hadoop cluster Kerberos REALM)

2. Create a new user principal "hadoopadmin" (same as Hadoop cluster Kerberos principal used to access the services)

3. Then only I can create a ticket (kinit) with the same password used in Step 2 while creating the user principal


Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.
Version history
Last update:
‎09-16-2022 01:38 AM
Updated by:
Contributor Contributor
Top Kudoed Authors