Support Questions

Find answers, ask questions, and share your expertise
Celebrating as our community reaches 100,000 members! Thank you!

Hue Kerberos Ticket Renewer Issue




How to resolve "Hue Kerberos Ticket Renewer" Issue. We are having 2 Kerberos Ticket Renewer in Hue and we are using Windows AD as KDC. Both are down and not coming up even after multiple restart.


The config are as follows:


Max Lifetime for User ticket - 1hour

Max Lifetime for User ticket renewal - 7days.


Can anyone suggest how to resolve this.


New Contributor

We faced similar issue on our env, we found that there is a patch required now. You can raise a case with Cloudera and get the patch for your version of cloudera.

Master Guru

@ateka_18 Here is the Cause and Solution of this issue. 



Microsoft recently rolled out an Active Directory update for CVE-2020-17049 [1].

This update indicates:

'When the registry key is set to 1, patched domain controllers will issue service tickets and Ticket-Granting Tickets (TGT)s that are not renewable and will refuse to renew existing service tickets and TGTs. Windows clients are not impacted by this since they never renew service tickets or TGTs. Third-party Kerberos clients may fail to renew service tickets or TGTs acquired from unpatched DCs. If all DCs are patched with the registry settings to 1, third-party clients will no longer receive renewable tickets.

Now the Solution is:


We have found out that MSFT has also released a fix for the Kerberos authentication issue. To fix the Windows AD, you can engage with the AD team to apply one of the following patches that MSFT has provided to fix the Kerberos authentication issue. Please link on the appropriate link based on the flavor of the Windows Server. 

Windows Server 2012:
Windows Server 2012 R2: Server 2016:
Windows Server 2019:
Windows Server 1903:
Windows Server 1909:
Windows Server 2004:
Windows Server 20H2:

Once the patch is applied, the application will be able to renew the tickets without theneed to apply any patch for Hue.


 So in short you have to ask you AD team to apply the below patch on Domain Controllers to resolve this  issue since it's a Microsoft Vulnerability.


Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.