I have a good old problem with accessing kerberized web http url from my browser, bumping into an error:
HTTP Status 403 - GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
My environment is a lab, so I have a non-domain computer (not joined to the Active Directory), I have a Kerberos KDC running on one Linux server, and then several Linux servers running Hadoop. The cluster is kerberized, inside the cluster everything works with tickets (hdfs, impala-shell) but from outside I can't access the secured Solr site (and also I assume other sites, such as the namenode and resource manager web UI, if those would be secured as well).
I tried to google around this problem, read all posts here about spnego, tried everything so far:
1. Adding the server running Solr to the trusted zones.
2. Downloaded the Kerberos client for Windows, and successfully acquired a ticket
3. Under Run as Admin cmd: ksetup /addkdc MYREALM.LOCAL <kdchostip>
ksetup /addhosttorealmmap <solrhost> MYREALM.LOCAL
4. Tried Chrome, IE, FireFox
But nothing helped. I guess the error is obvious, because the browser doesn't know WHERE to contact the Hadoop KDC server; even though I did the ksetup, it didn't help.
Running curl from any of the hadoop nodes:
1. kinit hdpuser
2. curl --negotiate -u : http://192.168.20.41:8983/solr/
works fine, so the problem is around my browser, my OS or DNS or I don't know.
I also have this problem, and under any Linux browser all works perfectly fine.
Under Windows Chrome and Firefox are failing with error provided.
It looks like Windows browsers have a problem with making the Cookie header (hadoop.auth).
It is always empty.
When I do curl and retrieve the Set-Cookie: hadoop.auth= and in the Windows browser I add the header with some header-manipulating plugin:
I can get to the Solr web Console.
This is very uncomfortable and hard to do for non technical users.
Do not know what is the difference between Linux Chrome/Firefox and Windows versions.
Don't have any other solution yet.
If anyone else can help, that would be great!
Here are the main configuration steps for Firefox:
1) You need to open this URL in Firefox
2) Set this: network.negotiate-auth.trusted-uris
Set for any cluster DNS domain requiring negotiated authentication (like the Kerberos-enabled cluster HTTP authentication).
2) Set this: network.auth.use-sspi=false
3) Restart Firefox
4) You have to download the Windows installer from here:
5) Copy the Kerberos client configuration to here (this is the same as what you have on the Solr node in /etc/krb5.conf):
6) Create a ticket with the MIT Kerberos GUI client
7) Open the Solr URL:
Thank you for your reply.
I've done all the steps you've mentioned before, besides setting: network.auth.use-sspi=false; FF restart.
I'll try that and will let you know if that helped.
Thank you very much!
Can you tell me if it is also possible to make this magic work in Internet Explorer/Edge and Chrome?
Windows Chrome and IE both use Windows OS settings. Because SSPI is native to Windows environments, it may not offer an equivalent authentication mechanism for MIT Kerberos environments. I recommend using only Firefox on Windows if you would like to use SPNEGO.
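Added example, not part of any post in this thread: Java's GSS code reports "GSSHeader did not find the right tag" when a Negotiate token does not start with the GSS-API tag byte 0x60, which is what a raw NTLM token from SSPI looks like. The sketch below classifies an `Authorization: Negotiate ...` value copied from the browser's developer tools; the function names and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded OIDs that identify the GSS-API mechanism inside a token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"                             # raw NTLM message signature


def classify_negotiate(header_value):
    """Return which token type an 'Authorization' header value carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                  # binascii.Error subclasses ValueError
        return "bad-base64"
    if tok.startswith(NTLM_SIG):
        return "ntlm"                   # no 0x60 tag: Java GSS calls it defective
    if len(tok) < 2 or tok[0] != 0x60:
        return "unknown"
    # Skip the DER length (short form, or long form 0x80 | number of length bytes).
    off = 2 if tok[1] < 0x80 else 2 + (tok[1] & 0x7F)
    body = tok[off:]
    if body.startswith(SPNEGO_OID):
        return "spnego-kerberos" if KRB5_OID in body else "spnego-other"
    if body.startswith(KRB5_OID):
        return "kerberos"
    return "gss-other"


def tlv(tag, payload):
    """Constructed-sample helper: DER tag + short-form length + payload."""
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload


def sample_headers():
    """Constructed header values (not captured traffic), one per token type."""
    ntlm = NTLM_SIG + b"\x01\x00\x00\x00" + bytes(4)           # NTLM type 1 stub
    mechs = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, KRB5_OID))))
    spnego = tlv(0x60, SPNEGO_OID + mechs)                    # NegTokenInit stub
    enc = lambda raw: "Negotiate " + base64.b64encode(raw).decode()
    return {"ntlm": enc(ntlm), "spnego": enc(spnego)}


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, "->", classify_negotiate(value))
```

A result of `ntlm` means the browser never obtained a Kerberos service ticket for the host and fell back to NTLM, so the fix lies in the client's Kerberos setup rather than on the Solr side.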
Still no luck with your method.
After more digging, combining it with this method works for me:
Hope this helps others.