Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Accessing HDP web UI from Windows PC causes "GSSHeader did not find the right tag"

avatar
author-rank hosako
Guru

Created on ‎11-02-2015 06:10 AM - edited ‎09-16-2022 02:47 AM

HDP version : 2.3.0 Ambari version: 2.1.0

Enabled Kerberos with Windows Active Directory (not cross-realm) from Ambari.

Confirmed kinit and curl to WebHDFS worked with an AD user.

Followed http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_configurin...

Again, confirmed kdestroy & kinit and curl to WebHDFS and NameNode UI worked with an AD user.

Now, tried to access HDP NameNode UI page from Firefox on Windows PC. 

Copied /etc/krb5.conf to C:\Windows\krb5.ini.
Followed some instruction found on internet to set up Firefox.
And didn't work. The error was "GSSHeader did not find the right tag"

For troubleshooting purpose, downloaded curl.exe from http://curl.haxx.se/download.html

Trying to access HDP, for example, NameNode:50070 with curl --negotiate, and got same error "GSSHeader did not find the right tag"

Copied "/etc/security/keytabs/spnego.service.keytab" into Windows and did kinit -k -t and curl --negotiate but same error.

Does anyone know what would be missing to make Windows PC work to access secured web page?

18,000 Views
0
2 ACCEPTED SOLUTIONS

avatar
author-rank jstraub
Guru

Created ‎11-02-2015 12:03 PM

You're probably running into the latest JDK/Kerberos issue.

What JDK Version do you have? 1.8.0_40?

The JDK 1.8.0_40 has a bug and throws the following error: 

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
The token supplied by the client is not accepted by the server.

This is because Windows sends an NTLM based ticket not a kerberos based ticket.

I had this issue a couple weeks ago, it is fixed in 1.8.0_60, so the easiest way is to upgrade the JDK on your nodes.

View solution in original post

10,461 Views
0

avatar
author-rank prashantb123a
New Contributor

Created ‎04-11-2017 02:01 PM

I am getting same error. I have openjdk version "1.8.0_121". Hadoop cluster (HDP 2.5) is kerberized.

Could you please help me here?

View solution in original post

10,859 Views
0 Kudos
0
16 REPLIES 16

avatar
author-rank prashantb123a
New Contributor

Created ‎04-11-2017 02:01 PM

I am getting same error. I have openjdk version "1.8.0_121". Hadoop cluster (HDP 2.5) is kerberized.

Could you please help me here?

10,860 Views
0 Kudos
0

avatar
author-rank bhaveshvv109
Contributor

Created ‎06-30-2016 12:20 PM

I am also getting same error when I tried to access web UI from Window Machine.

Could you please let me know what actions I should take in order to access the HDP Web UI. I am able to access same Web UI using curl on one of my hadoop cluster machine (Linux) but same URL is not working from Window 7 Machine (Chrome Version 51.0.2704.103 m). It asks for username and password and I supplied the same which I have created on Kerberos Server but no success.

We are using HDP-2.4.0, Kerberos5 and JDK-1.8.0_60

Error Message on Browser: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Please note: My cluster is on example.com which is specific to HDP cluster only and my windows machine is connected with different AD realm and we do not want to create any relationship between them, whatever changes required we can make on client machine (Windows 7) and HDP cluster only.

Appreciate your help.

Thanks

5,592 Views
0 Kudos

avatar
author-rank RajbMandal
Expert Contributor

Created ‎08-04-2016 02:21 PM

@Jonas Straub

I use JDK "1.8.0_91".But still getting same error.

5,592 Views
0 Kudos

avatar
author-rank shyamshaw author-rank
Expert Contributor

Created ‎09-05-2017 09:25 AM

Hi, @sachin gupta Are you using AD Kerberos or MIT? When you try to access Web UI, it will ask for username/password.

We had AD Kerberos in our environment. We were passing username (after successful kinit for that user) in the username field and password for that user and receiving error "GSSHeader did not find the right tag".

Here you need to pass your realm along with the username in username field like username@<REALM>.

Also, check you JDK version.

5,592 Views

avatar
author-rank sachinsga_com
Rising Star

Created ‎09-05-2017 11:18 AM

@Shyam Shaw We are using MIT. I am creating the ticket using MIT client for windows and gave the username as you had suggested with realm and password but still I am gettingGSSHeader did not find the right tag. Could you please help me with some more clues which I can try to make it work.

And one more thing I tried to access the RM web console using a linux machine, on that its throwing "Authentication Required" error.

5,592 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎09-05-2017 11:43 AM

@sachin gupta

This is a very old thread and the issue was solved by Jonas, for a new case please open a new thread. Member tend to ignore very OLD threads

5,592 Views
0 Kudos

avatar
author-rank sachinsga_com
Rising Star

Created ‎09-05-2017 03:39 PM

thanks for suggesting. Created a new thread

https://community.hortonworks.com/questions/135805/accessing-hdp-web-ui-from-windows-pc-causes-gsshe...

5,592 Views
0 Kudos
Announcements
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements