Support Questions

Find answers, ask questions, and share your expertise
Celebrating as our community reaches 100,000 members! Thank you!

403 error with 'unsupported key type' message upon accessing spengo enabled storm UI.


We have a kerberised hdp cluster ( 2.6.5 ) deployed in AWS. AWS network architecture is in such a way that all the hdp component nodes are under private subnet and the access to them is only via ssh from bastion node which is in public subnet. We have enabled all the web components ( Storm UI, Metron UI, Metron Management UI etc ) available outside via AWS ELB load balancer to the outside world.

Our kerberos server and kdc admin is available outside via ssh tunneling via bastion node, This is for the external accessing client to authenticate eg : Spnego.

When we access our storm UI via browser with proper step taken for to pass spengo authentication, We are getting 403 error even with proper keytab and principal.

Error getting in /var/log/storm/ui.out in storm UI hosted node

Found KeyTab /etc/security/keytabs/spnego.service.keytab for HTTP/sdssystemmaster2@EXAMPLE.COM 
Looking for keys for: HTTP/sdssystemmaster2@EXAMPLE.COM
Found unsupported keytype (3) for HTTP/sdssystemmaster2@EXAMPLE.COM 
MemoryCache: add 1536315369/301662/8ABC886166F6808EA668D561462EDD37/metron@EXAMPLE.COM to metron@HOST. 

Steps followed :

1- Installed kerberos client

2- Copied krb5.conf file from kerberose node to local file krb5.ini and configured

  renew_lifetime = 7d
  forwardable = true
  default_realm = EXAMPLE.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
    admin_server = localhost
    kdc = localhost

3- Copied keytab file of principal - HTTP/sdssystemmaster2@EXAMPLE.COM


4- kinit executed () and ticket seems to be generated fine (screenshot added)


5- Configured firefox about:config network.negotiate-

auth.trusted-uris : loadbalancer-url 
network.negotiate-auth.delegation-uris : loadbalancer-url 
network.negotiate-auth.gsslib : C:\Program Files\MIT\Kerberos\bin\gssapi64.dll 
network.negotiate-auth.using-native-gsslib : false 

6- Loaded the storm UI

Storm UI spengo Kerberos configuration

ui.filter :
ui.filter.params : {'type': 'kerberos', 'kerberos.principal': '{{storm_ui_jaas_principal}}', 'kerberos.keytab':'{{storm_ui_keytab_path}}' , '': 'DEFAULT'}
storm_ui_keytab : /etc/security/keytabs/spnego.service.keytab storm_ui_principal_name : HTTP/_HOST@EXAMPLE.COM

@Lija Mohan

Key type 3 is DES_CBC_MD5, which is pretty much deprecated (see, but by default Ambari requests/creates keytab entries using this type for backwards compatibility. Your KDC is probably rejecting keys encrypted with this type.

To fix this, you should go into the Kerberos service settings and edit the "Encryption Type" value under the "Advanced kerberos-env" section. The default value is "aes des3-cbc-sha1 rc4 des-cbc-md5". Change it to "aes des3-cbc-sha1 rc4".

You will also want to update the "krb5-conf template" value under "Advanced krb5-conf" to add the following under the "[libdefaults]" section:

allow_weak_crypto = false

After saving the changes and restarting the Kerberos service (which ensure the krb5.conf file is synced up), you should restart all of the services.

If you still see issues, maybe regenerate all keytab files (Admin->Kerberos) and then restart all services. However depending on the KDC implementation you may or may not see a change in the generated keytab files. By default they will look like

[root@c7401 ~]# klist -kte /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/14/2018 15:06:22 HTTP/ (des3-cbc-sha1)
   2 09/14/2018 15:06:22 HTTP/ (des-cbc-md5)
   2 09/14/2018 15:06:22 HTTP/ (aes128-cts-hmac-sha1-96)
   2 09/14/2018 15:06:22 HTTP/ (arcfour-hmac)
   2 09/14/2018 15:06:22 HTTP/ (aes256-cts-hmac-sha1-96)