Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

KNOX SSO ambari login redirect Issue

avatar
author-rank soumya_swain2
Contributor

Created ‎08-10-2017 08:56 AM

I have installed ambari-server and knox in two different server and done all necessary setups for ldaps and sso.but when i log in to ambari, it is sucessfully getting redirected to knox gateway and after i give credentials it goes to ambari ui and then coming back to knox gateway log in screen.

In ambari-server.log i dont see any error and on gateway.log i am only seeing below infos:

  1. 2017-08-10 12:35:43,460 INFO hadoop.gateway (KnoxLdapRealm.java:getUserDn(691)) - Computed userDn: uid=xx,ou=People,dc=xx,dc=com using dnTemplate for principal: satya 2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(102)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure. 2017-08-10 12:35:43,466 INFO service.knoxsso (WebSSOResource.java:init(109)) - The cookie max age is being set to: session. 2017-08-10 12:35:43,466 WARN service.knoxsso (WebSSOResource.java:init(113)) - The SSO cookie max age configuration is invalid: session - using default. 2017-08-10 12:35:43,467 INFO service.knoxsso (WebSSOResource.java:getCookieValue(318)) - Unable to find cookie with name: original-url 2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:addJWTHadoopCookie(292)) - JWT cookie successfully added. 2017-08-10 12:35:43,470 INFO service.knoxsso (WebSSOResource.java:getAuthenticationToken(202)) - About to redirect to original URL: http://xxxxx:9081/

Appreciate any help to resolve this.

13,164 Views
0 Kudos
16 REPLIES 16

avatar
author-rank rafael_leon
New Contributor

Created ‎01-24-2018 01:26 PM

Have you ever seen "Invalid JWT token" in ambari audit log? I get it when knox comes back to ambari after authenticating with something different than LDAP. Deleting the cookies does not work, and I think this is the base of my problem.

Somehow ambari does not like the generated token.

5,583 Views
0 Kudos

avatar
author-rank bkandalkar
Contributor

Created ‎03-14-2019 12:32 PM

@Rafael Leon, I am also facing same issue? Have you resolved this? Could you please suggest.

5,583 Views
0 Kudos

avatar
author-rank ychenma
Explorer

Created ‎04-26-2018 07:58 PM

Any conclusion? I tried everything mentioned in this thread and nothing works.

5,583 Views
0 Kudos

avatar
author-rank mcapavan author-rank
Contributor

Created ‎10-26-2019 04:07 AM

I have faced similar issue. When I try to logon to KnoxSSO, it is authenticated correctly and redirected to SSO logon page. After few hours investigation, I have realised that I need to setup ldap configs for my Advanced topology in Knox too. Not just KnoxSSO. I made below changes and I am able to resolve the issue.

 

Under Advanced Topology

<param>
    <name>main.ldapRealm.userDnTemplate</name>
    <value>uid={0},cn=users,cn=accounts,dc=us-west-1,dc=compute,dc=internal</value>
</param>
<param>
    <name>main.ldapRealm.contextFactory.url</name>
    <value>ldap://xxxxxxxxxxx.us-west-1.compute.internal:389</value>
</param>

 

Under Advanced knoxsso-topology

 

 <param>
    <name>main.ldapRealm.userDnTemplate</name>
    <value>uid={0},cn=users,cn=accounts,dc=us-west-1,dc=compute,dc=internal</value>
</param>
<param>
    <name>main.ldapRealm.contextFactory.url</name>
    <value>ldap://xxxxxxxxxxx.us-west-1.compute.internal:389</value>
</param>

<param>
   <name>knoxsso.redirect.whitelist.regex</name>
    <value>.*</value>
</param>

And I have ensured the Ambari LDAP setup has the same basedn 

 

 

5,461 Views
0 Kudos

avatar
Vipul author-rank
Cloudera Employee

Created ‎08-04-2018 04:35 PM

@chouston @andrew chen

I had a same problem in Ranger UI with Knox SSO, I did following

1.Changed Ranger external url from http://<xxxx>.<xxx>:6080 to http://<xxxx>.<xxx>.<xx>:6080

2.Changed SSO provider url from https://<xxxx>.<xxx>:8443/gateway/knoxsso/api/v1/websso to https://<xxxx>.<xxx>.<xx>:8443/gateway/knoxsso/api/v1/websso

3. set knoxsso.cookie.secure.only=false in Knoxsso topology.

4. changed knoxsso.redirect.whitelist.regex property in knoxsso topology to support new host.

I am able to open ranger UI after above changes :).

5,583 Views
0 Kudos

avatar
author-rank mdh_raghavendra
Contributor

Created ‎08-06-2018 09:11 AM

Check whether the time is in sync between knox server and ambari server. Check whether ntp service is running in both the machines

5,583 Views
0 Kudos

avatar
author-rank apappu author-rank
Guru

Created ‎08-09-2018 09:05 PM

@soumya swain

I have created article for Ambari SSO - you can review and check that to see if that helps. https://community.hortonworks.com/articles/212005/steps-to-enable-knox-sso-for-ambari-1.html

5,583 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements