Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Accessing HDP web UI from Windows PC causes "GSSHeader did not find the right tag"

avatar
author-rank hosako
Guru

Created on ‎11-02-2015 06:10 AM - edited ‎09-16-2022 02:47 AM

HDP version : 2.3.0 Ambari version: 2.1.0

Enabled Kerberos with Windows Active Directory (not cross-realm) from Ambari.

Confirmed kinit and curl to WebHDFS worked with an AD user.

Followed http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_configurin...

Again, confirmed kdestroy & kinit and curl to WebHDFS and NameNode UI worked with an AD user.

Now, tried to access HDP NameNode UI page from Firefox on Windows PC. 

Copied /etc/krb5.conf to C:\Windows\krb5.ini.
Followed some instruction found on internet to set up Firefox.
And didn't work. The error was "GSSHeader did not find the right tag"

For troubleshooting purpose, downloaded curl.exe from http://curl.haxx.se/download.html

Trying to access HDP, for example, NameNode:50070 with curl --negotiate, and got same error "GSSHeader did not find the right tag"

Copied "/etc/security/keytabs/spnego.service.keytab" into Windows and did kinit -k -t and curl --negotiate but same error.

Does anyone know what would be missing to make Windows PC work to access secured web page?

18,195 Views
0
2 ACCEPTED SOLUTIONS

avatar
author-rank jstraub
Guru

Created ‎11-02-2015 12:03 PM

You're probably running into the latest JDK/Kerberos issue.

What JDK Version do you have? 1.8.0_40?

The JDK 1.8.0_40 has a bug and throws the following error: 

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
The token supplied by the client is not accepted by the server.

This is because Windows sends an NTLM based ticket not a kerberos based ticket.

I had this issue a couple weeks ago, it is fixed in 1.8.0_60, so the easiest way is to upgrade the JDK on your nodes.

View solution in original post

10,656 Views
0

avatar
author-rank prashantb123a
New Contributor

Created ‎04-11-2017 02:01 PM

I am getting same error. I have openjdk version "1.8.0_121". Hadoop cluster (HDP 2.5) is kerberized.

Could you please help me here?

View solution in original post

11,054 Views
0 Kudos
0
16 REPLIES 16

avatar
author-rank rlevas
Guru

Created ‎11-02-2015 11:11 AM

Have you tried to use another browser like Internet Explorer or Chrome? I understand that you tried curl as well as Firefox, but both may have issues on Windows.

What version of Windows are you using?

Does the user use that Active Directory to login to the Windows box or are you kinit-ing manually?

8,832 Views

avatar
author-rank jstraub
Guru

Created ‎11-02-2015 12:03 PM

You're probably running into the latest JDK/Kerberos issue.

What JDK Version do you have? 1.8.0_40?

The JDK 1.8.0_40 has a bug and throws the following error: 

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
The token supplied by the client is not accepted by the server.

This is because Windows sends an NTLM based ticket not a kerberos based ticket.

I had this issue a couple weeks ago, it is fixed in 1.8.0_60, so the easiest way is to upgrade the JDK on your nodes.

10,657 Views
0

avatar
author-rank hosako
Guru

Created ‎11-03-2015 02:35 AM

Thanks. Found http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8080129

8,832 Views

avatar
author-rank jstraub
Guru

Created ‎11-03-2015 10:49 AM

Thanks for the official Oracle bug reference. I'll see if I can raise this internally and we can change the default/recommended JDK to 1.8.0_60 in our docs

8,832 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎11-30-2015 12:46 AM

@Hajime Thanks for sharing the bug details.

8,832 Views
0 Kudos

avatar
author-rank shyamshaw author-rank
Expert Contributor

Created ‎01-16-2017 11:37 AM

@Jonas Straub

I am using jdk1.8.0_60 but still facing the same issue when accessing web UI's.

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

8,832 Views
0 Kudos

avatar
author-rank shyamshaw author-rank
Expert Contributor

Created ‎01-16-2017 01:40 PM

@Jonas Straub

Issue is now resolved. The issue was with kerberos ticket and not with JDK. Thanks!!!

8,832 Views
0 Kudos

avatar
author-rank ujfjhz
New Contributor

Created ‎05-05-2017 02:24 AM

Hello @Shyam Shaw, could you please teach me how did you resolved this issue? Thank you.

I've googled a lot and always get this error.

8,832 Views
0 Kudos

avatar
author-rank sachinsga_com
Rising Star

Created ‎09-05-2017 09:10 AM

Hey @Shyam Shaw, could you please help me with the solution for this problem ?

8,832 Views
0 Kudos
Announcements
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
View More Announcements