Created 12-02-2020 07:56 AM
Until recently we had no issues with the HUE - Kerberos Ticket Renewer - now this service is stopping/starting and failing all the time. Does anyone have any helpful links on how to troubleshoot this service? I don't have much experience with this product in terms of troubleshooting - we are running Cloudera Express 5.12.0
Any suggestions or ideas would be greatly appreciated.
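A quick way to separate a KDC/AD-side problem from a Hue-side one is to do by hand what the Hue Kerberos Ticket Renewer does: obtain a TGT from the Hue keytab, confirm the TGT is renewable, and renew it with `kinit -R`. The script below is an added example and is not code from the thread or from Cloudera/Hue; the keytab path and principal are placeholders, the "renew until" parsing assumes MIT Kerberos `klist` output (Heimdal formats differently), and the embedded sample outputs are constructed for the self-check.

```shell
#!/bin/sh
# Added example: reproduce the Hue ticket renewer's steps to see whether the
# KDC still issues renewable TGTs and accepts renewal. Not the project's code.

# Placeholders (assumed, not from the thread): override via environment.
KEYTAB="${HUE_KEYTAB:-/path/to/hue.keytab}"
PRINCIPAL="${HUE_PRINCIPAL:-hue/host.example.com@EXAMPLE.COM}"
CCACHE="${HUE_CCACHE:-/tmp/krb5cc_hue_check}"

# Read MIT `klist` output on stdin. Exit 0 if the krbtgt entry is followed by a
# "renew until" line (ticket is renewable), 1 otherwise. A KDC that issues
# non-renewable TGTs (renew lifetime 0) prints no such line, and `kinit -R`
# will then fail, which is exactly what the renewer service reports.
tgt_renewable() {
  awk '
    /krbtgt\// { seen = 1; next }
    seen && /renew until/ { found = 1; exit }
    seen { seen = 0 }
    END { exit found ? 0 : 1 }
  '
}

# Constructed sample klist outputs used by self_check (no KDC needed).
SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_hue_check
Default principal: hue/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
12/02/2020 07:56:00  12/02/2020 17:56:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 12/09/2020 07:56:00'

SAMPLE_NONRENEWABLE='Ticket cache: FILE:/tmp/krb5cc_hue_check
Default principal: hue/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
12/02/2020 07:56:00  12/02/2020 17:56:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Returns 0 when the parser classifies both constructed samples correctly.
self_check() {
  printf '%s\n' "$SAMPLE_RENEWABLE" | tgt_renewable || return 1
  if printf '%s\n' "$SAMPLE_NONRENEWABLE" | tgt_renewable; then return 1; fi
  return 0
}

# Live check against the real KDC: 0 = healthy, 1 = KDC-side renewal problem,
# 2 = could not even get a TGT (keytab/principal/KDC reachability).
check_renewer() {
  KRB5CCNAME="$CCACHE"; export KRB5CCNAME
  kinit -r 7d -kt "$KEYTAB" "$PRINCIPAL" || { echo "kinit from keytab failed"; return 2; }
  if ! klist | tgt_renewable; then
    echo "TGT is not renewable: check KDC/AD renew-lifetime policy and DC patch level"
    return 1
  fi
  kinit -R || { echo "kinit -R rejected by KDC: renewer will keep failing"; return 1; }
  echo "TGT renewed successfully; the renewer's own steps work against this KDC"
  return 0
}

# Usage: sh renewer_check.sh run   (runs the live check; self_check is offline)
if [ "${1:-}" = "run" ]; then
  check_renewer
fi
```

Run with `run` on the Hue host as the Hue service user; a non-zero result from the live check points at the KDC/AD side (ticket policy or patch level) rather than at Hue, while exit code 2 means the keytab or KDC reachability needs attention first.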
Created 12-04-2020 07:12 AM
We have found out that MSFT has also released a fix for the Kerberos authentication issue. To fix the Windows AD, you can engage with the AD team to apply one of the following patches that MSFT has provided to fix the Kerberos authentication issue. Please click the appropriate link based on the flavor of Windows Server.
Windows Server 2012: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594438
Windows Server 2012 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594439
Windows Server 2016: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594441
Windows Server 2019: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594442
Windows Server 1903: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594443
Windows Server 1909: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594443
Windows Server 2004: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594440
Windows Server 20H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594440
Once the patch is applied, the application will be able to renew the tickets without the need to apply any patch for Hue.
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
Created 12-02-2020 09:37 AM
This is likely caused by a change in your AD servers. The CVE is CVE-2020-17049
You'll need to file a case with Support and get a patch.
Created 12-02-2020 10:18 AM
Thanks for the reply and a direction to go in. Who do I need to open a ticket with, Microsoft support or Cloudera?
Created 12-02-2020 10:22 AM
Cloudera.
Created 12-02-2020 10:32 AM
We don't have a support contract with cloudera - do they offer any type of free support options? We are in an academic setting.
Created on 12-02-2020 11:50 AM - edited 12-02-2020 01:37 PM
Community support is the only free support option.
You could reach out to Cloudera to get the cluster under support or roll back the change on the AD side.
BTW, CDH 5 is reaching end of support (EOS) on Dec 31 so you'd need to upgrade to CDH 6 or CDP.
Both of these will require a license for the most recent versions.
Created 12-08-2020 07:34 AM
Hi Mike,
Hope you are doing good.
Could you please let us know what change in the AD server causes this (any particular patch), as we are facing the same issue in our cluster.
Thanks,
Nancy
Created on 12-09-2020 06:19 AM - edited 12-09-2020 06:19 AM
This is the executive summary from the CVE link:
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
Created 12-09-2020 06:27 AM
There was an additional hotfix in the KB article; once I applied that to all my DCs, the Kerberos ticket renewer has been stable.
Thank you for your feedback and pointing me in the right direction.