KNOX SSO ambari login redirect Issue

Contributor

I have installed ambari-server and knox on two different servers and done all the necessary setup for LDAPS and SSO, but when I log in to Ambari it is successfully redirected to the Knox gateway, and after I give my credentials it goes to the Ambari UI and then comes back to the Knox gateway login screen.

In ambari-server.log I don't see any error, and in gateway.log I am only seeing the info messages below:

2017-08-10 12:35:43,460 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: uid=xx,ou=People,dc=xx,dc=com using dnTemplate for principal: satya
2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(102)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
2017-08-10 12:35:43,466 INFO service.knoxsso (WebSSOResource.java:init(109)) - The cookie max age is being set to: session.
2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(113)) - The SSO cookie max age configuration is invalid: session - using default.
2017-08-10 12:35:43,467 INFO service.knoxsso (WebSSOResource.java:getCookieValue(318)) - Unable to find cookie with name: original-url
2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(292)) - JWT cookie successfully added.
2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(202)) - About to redirect to original URL: http://xxxxx:9081/

Appreciate any help to resolve this.

16 replies

New Contributor

Have you ever seen "Invalid JWT token" in the Ambari audit log? I get it when Knox comes back to Ambari after authenticating with something other than LDAP. Deleting the cookies does not work, and I think this is the basis of my problem.

Somehow Ambari does not like the generated token.

Contributor

@Rafael Leon, I am also facing the same issue. Have you resolved this? Could you please advise.

Explorer

Any conclusion? I tried everything mentioned in this thread and nothing works.

Contributor

I have faced a similar issue. When I try to log on to KnoxSSO, it is authenticated correctly and then redirected back to the SSO logon page. After a few hours of investigation, I realised that I need to set up the LDAP configs for my Advanced topology in Knox too, not just KnoxSSO. I made the changes below and was able to resolve the issue.

Under Advanced Topology

<param>
    <name>main.ldapRealm.userDnTemplate</name>
    <value>uid={0},cn=users,cn=accounts,dc=us-west-1,dc=compute,dc=internal</value>
</param>
<param>
    <name>main.ldapRealm.contextFactory.url</name>
    <value>ldap://xxxxxxxxxxx.us-west-1.compute.internal:389</value>
</param>

Under Advanced knoxsso-topology

<param>
    <name>main.ldapRealm.userDnTemplate</name>
    <value>uid={0},cn=users,cn=accounts,dc=us-west-1,dc=compute,dc=internal</value>
</param>
<param>
    <name>main.ldapRealm.contextFactory.url</name>
    <value>ldap://xxxxxxxxxxx.us-west-1.compute.internal:389</value>
</param>

<param>
    <name>knoxsso.redirect.whitelist.regex</name>
    <value>.*</value>
</param>

And I have ensured the Ambari LDAP setup has the same basedn.

Cloudera Employee

@chouston @andrew chen

I had the same problem in the Ranger UI with Knox SSO. I did the following:

1. Changed the Ranger external URL from http://<xxxx>.<xxx>:6080 to http://<xxxx>.<xxx>.<xx>:6080

2. Changed the SSO provider URL from https://<xxxx>.<xxx>:8443/gateway/knoxsso/api/v1/websso to https://<xxxx>.<xxx>.<xx>:8443/gateway/knoxsso/api/v1/websso

3. Set knoxsso.cookie.secure.only=false in the KnoxSSO topology.

4. Changed the knoxsso.redirect.whitelist.regex property in the KnoxSSO topology to support the new host.

I am able to open the Ranger UI after the above changes :).
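The two replies above turn on the same three settings: the ldapRealm params being identical in the main and knoxsso topologies, a redirect whitelist that admits the application URL (the `.*` shown above admits everything, which makes the SSO endpoint an open redirect), and the cookie secure-only flag that gateway.log already warns about. The checker below is an added example, not code from the thread or from Knox; the topology snippets, hostnames and Ambari URL are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample topologies modelled on the params posted in the thread;
# hostnames are placeholders, not real systems.
SSO_TOPOLOGY = """<topology><gateway><provider><role>authentication</role>
 <param><name>main.ldapRealm.userDnTemplate</name>
  <value>uid={0},cn=users,cn=accounts,dc=example,dc=internal</value></param>
 <param><name>main.ldapRealm.contextFactory.url</name>
  <value>ldap://ldap.example.internal:389</value></param>
</provider></gateway><service><role>KNOXSSO</role>
 <param><name>knoxsso.redirect.whitelist.regex</name><value>.*</value></param>
 <param><name>knoxsso.cookie.secure.only</name><value>false</value></param>
</service></topology>"""
MAIN_TOPOLOGY = """<topology><gateway><provider><role>authentication</role>
 <param><name>main.ldapRealm.userDnTemplate</name>
  <value>uid={0},cn=users,cn=accounts,dc=example,dc=internal</value></param>
 <param><name>main.ldapRealm.contextFactory.url</name>
  <value>ldap://ldap.example.internal:389</value></param>
</provider></gateway></topology>"""
LDAP_KEYS = ("main.ldapRealm.userDnTemplate", "main.ldapRealm.contextFactory.url")

def params(topology_xml):
    """Flatten every <param><name>/<value> pair of a topology into a dict."""
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(topology_xml).iter("param")}

def check_sso(sso_xml, main_xml, ambari_url):
    """Return a list of findings; an empty list means all three checks passed."""
    sso, main = params(sso_xml), params(main_xml)
    findings = []
    # 1. The LDAP realm must be configured identically in both topologies,
    #    otherwise the user authenticates at KnoxSSO but not at the gateway.
    for key in LDAP_KEYS:
        if sso.get(key) != main.get(key):
            findings.append(f"mismatch: {key} differs between knoxsso and main topology")
    # 2. The whitelist must admit the Ambari URL, but a catch-all regex turns
    #    the SSO endpoint into an open redirect, so flag that too.
    regex = sso.get("knoxsso.redirect.whitelist.regex", "")
    if not re.fullmatch(regex, ambari_url):
        findings.append(f"redirect: whitelist regex {regex!r} does not match {ambari_url}")
    elif regex in (".*", "^.*$"):
        findings.append("redirect: whitelist regex is a catch-all; restrict it to your hosts")
    # 3. The JWT cookie should only travel over TLS.
    if sso.get("knoxsso.cookie.secure.only", "true").lower() != "true":
        findings.append("cookie: knoxsso.cookie.secure.only is false; SSO cookie sent in clear")
    return findings

for finding in check_sso(SSO_TOPOLOGY, MAIN_TOPOLOGY, "http://ambari.example.internal:8080/"):
    print(finding)
```

Point it at the real topology XML files from the Knox conf directory and the Ambari URL you configured as the SSO return address; an empty result means the settings these replies changed are consistent.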

Contributor

Check whether the time is in sync between the Knox server and the Ambari server. Check whether the ntp service is running on both machines.

@soumya swain

I have created an article for Ambari SSO - you can review it and check whether it helps: https://community.hortonworks.com/articles/212005/steps-to-enable-knox-sso-for-ambari-1.html