Created 12-03-2020 05:25 AM
Hi,
How do I resolve the "Hue Kerberos Ticket Renewer" issue? We have 2 Kerberos Ticket Renewers in Hue and we are using Windows AD as the KDC. Both are down and not coming up even after multiple restarts.
The config is as follows:
Max Lifetime for User ticket - 1 hour
Max Lifetime for User ticket renewal - 7 days.
Can anyone suggest how to resolve this?
Created 12-03-2020 06:38 AM
We faced a similar issue on our env; we found that there is a patch required now. You can raise a case with Cloudera and get the patch for your version of Cloudera.
Created 12-04-2020 03:47 AM
@ateka_18 Here is the Cause and Solution of this issue.
Cause:
Microsoft recently rolled out an Active Directory update for CVE-2020-17049 [1]. This update indicates:
'When the registry key is set to 1, patched domain controllers will issue service tickets and Ticket-Granting Tickets (TGT)s that are not renewable and will refuse to renew existing service tickets and TGTs. Windows clients are not impacted by this since they never renew service tickets or TGTs. Third-party Kerberos clients may fail to renew service tickets or TGTs acquired from unpatched DCs. If all DCs are patched with the registry settings to 1, third-party clients will no longer receive renewable tickets.'
Now the Solution is:
We have found out that MSFT has also released a fix for the Kerberos authentication issue. To fix the Windows AD, you can engage with the AD team to apply one of the following patches that MSFT has provided to fix the Kerberos authentication issue. Please click on the appropriate link based on the flavor of the Windows Server.
Windows Server 2012: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594438
Windows Server 2012 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594439
Windows Server 2016: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594441
Windows Server 2019: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594442
Windows Server 1903: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594443
Windows Server 1909: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594443
Windows Server 2004: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594440
Windows Server 20H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594440
Once the patch is applied, the application will be able to renew the tickets without the need to apply any patch for Hue.
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
So in short, you have to ask your AD team to apply the below patch on Domain Controllers to resolve this issue since it's a Microsoft vulnerability.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
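A check for the symptom described in the answer above (the KDC issuing TGTs that are not renewable), added here as an example and not part of the original thread or of Hue. It assumes MIT Kerberos `klist -f` output, where an `R` in the flags marks a renewable ticket; the function name, cache path, principals and realm in the sample data are constructed.

```shell
#!/bin/sh
# Added example: is the cached TGT renewable, judging by `klist -f` text on stdin?
# Exit status: 0 = renewable, 1 = TGT present but not renewable, 2 = no TGT found.
tgt_renewable() {
    awk '
        # The ticket whose service principal is krbtgt/... is the TGT.
        /krbtgt\// { in_tgt = 1; found = 1; next }
        # MIT klist -f prints the flags on the line after the ticket line.
        in_tgt && /Flags:/ {
            flags = $0
            sub(/.*Flags:[ \t]*/, "", flags)
            if (index(flags, "R") > 0) renewable = 1   # R = renewable
            in_tgt = 0
            next
        }
        # Any other principal line ends the TGT entry.
        /@/ { in_tgt = 0 }
        END {
            if (!found) exit 2
            exit (renewable ? 0 : 1)
        }
    '
}

# Constructed sample: 1 hour lifetime, renewable for 7 days (R flag set).
sample_renewable() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_constructed
Default principal: hue/host1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
12/03/2020 05:00:00  12/03/2020 06:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/10/2020 05:00:00, Flags: FRIA
EOF
}

# Constructed sample: same TGT with no "renew until" and no R flag.
sample_nonrenewable() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_constructed
Default principal: hue/host1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
12/03/2020 05:00:00  12/03/2020 06:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
EOF
}

# On a live host, feed it real output instead: klist -f | tgt_renewable
for s in sample_renewable sample_nonrenewable; do
    if "$s" | tgt_renewable; then echo "$s: TGT renewable"
    else echo "$s: TGT not renewable, kinit -R will fail"; fi
done
```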