Kerberos Spnego UserName/Password


I am trying to make Kerberos work with SPNEGO following the steps from the above link; everything works except the SPNEGO part.

The UI always presents the login page. How can I avoid the login page (I don't want to provide a username/password)? I tried this numerous times with Firefox and other browsers as well.

(What I have observed is: if you log in using username/password for the first time, and if you clear the browser cache and launch NiFi, it will not show the login page until you do kinit again. Once you do kinit, it will present the login screen again the next time you launch NiFi.)

  1. docker-machine create --driver virtualbox boot2docker
  2. eval "$(docker-machine env boot2docker)"
  3. ./kdc stop
  4. ./kdc clean
  5. ./kdc build
  6. ./kdc start

./kdc test

  1. $(./kdc shellinit)
  2. kinit samar@NIFI.APACHE.ORG

open /Applications/ from the terminal

my principal in kdc.json :

  {
    "principals": [
      {
        "id": "samar@NIFI.APACHE.ORG",
        "password": "samar"
      },
      {
        "id": "HTTP/localhost@NIFI.APACHE.ORG",
        "password": "http"
      }
    ],
    "domain": "localhost",
    "realm": "NIFI.APACHE.ORG",
    "ip": "",
    "port": 48088
  }

Firefox Negotiate Settings

network.negotiate-auth.delegation-uris : https://localhost:9443
network.negotiate-auth.trusted-uris : https://localhost:9443

nifi.properties changes

nifi.kerberos.spnego.authentication.expiration=12 hours

Uncomment the below properties:

^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
$1@$2
^(.*?)/instance@(.*?)$
$1@$2

login-identity-providers.xml changes

        <property name="Default Realm">NIFI.APACHE.ORG</property>
        <property name="Authentication Expiration">12 hours</property>

Authorizers.xml changes

        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">samar@NIFI.APACHE.ORG</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>

Am I missing something here? Let me know how to avoid providing a username/password.