Created on 11-02-2015 06:10 AM - edited 09-16-2022 02:47 AM
HDP version : 2.3.0 Ambari version: 2.1.0
Enabled Kerberos with Windows Active Directory (not cross-realm) from Ambari.
Confirmed kinit and curl to WebHDFS worked with an AD user.
Followed http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_configurin...
Again, confirmed kdestroy & kinit and curl to WebHDFS and NameNode UI worked with an AD user.
Now, tried to access HDP NameNode UI page from Firefox on Windows PC.
Copied /etc/krb5.conf to C:\Windows\krb5.ini. Followed some instruction found on internet to set up Firefox. And didn't work. The error was "GSSHeader did not find the right tag"
For troubleshooting purpose, downloaded curl.exe from http://curl.haxx.se/download.html
Trying to access HDP, for example, NameNode:50070 with curl --negotiate, and got same error "GSSHeader did not find the right tag"
Copied "/etc/security/keytabs/spnego.service.keytab" into Windows and did kinit -k -t and curl --negotiate but same error.
Does anyone know what would be missing to make Windows PC work to access secured web page?
Created 11-02-2015 12:03 PM
You're probably running into the latest JDK/Kerberos issue.
What JDK Version do you have? 1.8.0_40?
The JDK 1.8.0_40 has a bug and throws the following error:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) The token supplied by the client is not accepted by the server.
This is because Windows sends an NTLM based ticket not a kerberos based ticket.
I had this issue a couple weeks ago, it is fixed in 1.8.0_60, so the easiest way is to upgrade the JDK on your nodes.
Created 04-11-2017 02:01 PM
I am getting same error. I have openjdk version "1.8.0_121". Hadoop cluster (HDP 2.5) is kerberized.
Could you please help me here?
Created 04-11-2017 02:01 PM
I am getting same error. I have openjdk version "1.8.0_121". Hadoop cluster (HDP 2.5) is kerberized.
Could you please help me here?
Created 06-30-2016 12:20 PM
I am also getting same error when I tried to access web UI from Window Machine.
Could you please let me know what actions I should take in order to access the HDP Web UI. I am able to access same Web UI using curl on one of my hadoop cluster machine (Linux) but same URL is not working from Window 7 Machine (Chrome Version 51.0.2704.103 m). It asks for username and password and I supplied the same which I have created on Kerberos Server but no success.
We are using HDP-2.4.0, Kerberos5 and JDK-1.8.0_60
Error Message on Browser: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
Please note: My cluster is on example.com which is specific to HDP cluster only and my windows machine is connected with different AD realm and we do not want to create any relationship between them, whatever changes required we can make on client machine (Windows 7) and HDP cluster only.
Appreciate your help.
Thanks
Created 08-04-2016 02:21 PM
I use JDK "1.8.0_91".But still getting same error.
Created 09-05-2017 09:25 AM
Hi, @sachin gupta Are you using AD Kerberos or MIT? When you try to access Web UI, it will ask for username/password.
We had AD Kerberos in our environment. We were passing username (after successful kinit for that user) in the username field and password for that user and receiving error "GSSHeader did not find the right tag".
Here you need to pass your realm along with the username in username field like username@<REALM>.
Also, check you JDK version.
Created 09-05-2017 11:18 AM
@Shyam Shaw We are using MIT. I am creating the ticket using MIT client for windows and gave the username as you had suggested with realm and password but still I am gettingGSSHeader did not find the right tag. Could you please help me with some more clues which I can try to make it work.
And one more thing I tried to access the RM web console using a linux machine, on that its throwing "Authentication Required" error.
Created 09-05-2017 11:43 AM
This is a very old thread and the issue was solved by Jonas, for a new case please open a new thread. Member tend to ignore very OLD threads
Created 09-05-2017 03:39 PM
thanks for suggesting. Created a new thread