Created 09-05-2017 03:38 PM
Hadoop version: 18.104.22.168.5.3.0-37
Ambari version: 2.5.0
The Hadoop cluster is Kerberized. I have enabled HTTP authentication in the HDFS service configuration using Ambari, using the below link,
and now I am trying to access the Resource Manager from a Windows machine. First it asks for a username and password, and when I give the yarn principal and password it throws the error below:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Created 09-06-2017 08:09 PM
In order to make this work you need to do a few things:
1. Have a Kerberos Windows client and configure it on your Windows machine
Reference: http://hortonworks.com/wp-content/uploads/2014/05/Product-Guide-HDP-2.1-v1.01.pdf Appendix A.
2. Kinit with this local Windows Kerberos client
3. Set up your browser to forward the ticket through your browser to the Kerberos secured UI (this technique is called SPNEGO or NTLM for IExplorer)
Leads on how to set up your browser can be found here:
It is easiest in Firefox.
Created 09-07-2017 06:18 AM
Hey @Jasper, I have tried all these solutions and enabled Firefox as suggested in the blogs, but none of these seems to be working for me. I keep on getting the same problem.
Can you please suggest some other points which might work?
Created 09-07-2017 06:49 AM
What you could try, just to eliminate possible causes, is to set up SSH (PuTTY) as a proxy to all web UIs within the Kerberized cluster, connect PuTTY, set up Firefox to use the proxy, kinit locally (Windows) and try again.
I can't help you much with the Windows Kerberos client because I am on Mac. Check for ways to verify if the kinit was really successful.
You could also use curl on Windows (curl --negotiate -u: "http://address:port") to do the ticket forwarding instead of the browser.
Created 04-26-2018 05:08 PM
From here: https://community.hortonworks.com/questions/2580/accessing-hdp-web-ui-from-windows-pc-causes-gsshea....
This worked for me:
"...you need to pass your realm along with the username in username field like username@<REALM>"
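Added example, not from any poster in this thread: the "right tag" in the GSSException above is the 0x60 ASN.1 tag that opens a GSS-API/SPNEGO token, whereas a raw NTLM token starts with the bytes NTLMSSP. This Python code classifies the value of a captured Authorization: Negotiate request header so you can tell which kind the browser or curl actually sent; the function names and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                            # raw NTLM signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def _skip_der_length(buf, pos):
    """Return the index just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def classify_negotiate(header_value):
    """Classify the token in an Authorization header value (hypothetical helper)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "bad-base64"
    if token.startswith(NTLMSSP):
        return "ntlm"          # no 0x60 tag: the GSS header check fails on this
    if not token or token[0] != 0x60:
        return "unknown"
    try:
        body = token[_skip_der_length(token, 1):]
    except IndexError:
        return "unknown"
    if body.startswith(SPNEGO_OID):
        return "spnego-ntlm" if NTLMSSP in body else "spnego"
    if body.startswith(KRB5_OID):
        return "kerberos"
    return "unknown"

def make_header(raw):
    """Build a header value from raw token bytes (for the constructed samples)."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")

# Constructed sample tokens, truncated to the bytes the classifier looks at.
SAMPLES = {
    "ntlm": NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2",
    "spnego": b"\x60\x0d" + SPNEGO_OID + b"\xa0\x03\x30\x01\x00",
    "kerberos": b"\x60\x82\x01\x00" + KRB5_OID + b"\x01\x00",
}

if __name__ == "__main__":
    for expected, raw in SAMPLES.items():
        print(expected, "->", classify_negotiate(make_header(raw)))
```

A result of "ntlm" or "spnego-ntlm" means the client had no usable Kerberos service ticket for the UI's HTTP principal and fell back to NTLM, which points back at the kinit and browser configuration steps above.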