Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Accessing HDP web UI from Windows PC causes "GSSHeader did not find the right tag" after enabling http authentication.

Hadoop version:

ambari version: 2.5.0

The hadoop cluster is kerberized. I have enabled http authentication in HDFS service configuration using ambari using the below link

and now I am trying to access the resource manager using a windows machine. First it asks for username and password and when I give the yarn principal and password it throws below:

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Super Collaborator

Hi Sachin,

In order to make this work you need to do a few things:

1. Have a Kerberos Windows client and configure it on your Windows machine

Reference: Appendix A.

2. Kinit with this local Windows Kerberos client

3. Setup your browser to forward the ticket through your browser to the Kerberos secured UI (this technique is called SPNEGO or NTLM for IExplorer)

Leads on how to set up your browser can be found here :

It is easiest in Firefox.

Hey @Jasper, I have tried all these solutions and enabled firefox as suggested in the blogs but none of these seems to be working for me. I keep on getting the same problem.

Can you please suggest me some other points which might work.

Super Collaborator

@sachin gupta

What you could try, just to eliminate possible causes, is to setup SSH (Putty) as a proxy to all webUI's within the Kerberized cluster, connect Putty, setup Firefox to use the proxy, kinit locally (Windows) and try again.

I can't help you much with the Windows Kerberos client cause I am on Mac. Check for ways to verify if the kinit was really successful.

You could also use curl on Windows ( curl --negotiate -u: "http://address:port") to do the ticket forwarding in stead of the browser.


From here:

This worked for me:

" need to pass your realm along with the username in username field like username@<REALM>"

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.