Kerberos Ticket Renewer

Explorer

Until recently we had no issues with the HUE - Kerberos Ticket Renewer - now this service is stopping/starting and failing all the time. Does anyone have any helpful links on how to troubleshoot this service? I don't have much experience with this product in terms of troubleshooting - we are running Cloudera Express 5.12.0

Any suggestions or ideas would be greatly appreciated.

1 ACCEPTED SOLUTION

Expert Contributor
We have found out that MSFT has also released a fix for the Kerberos authentication issue. To fix the Windows AD, you can engage with the AD team to apply one of the following patches that MSFT has provided to fix the Kerberos authentication issue. Please click on the appropriate link based on the flavor of the Windows Server.

Windows Server 2012: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594438
Windows Server 2012 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594439
Windows Server 2016: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594441
Windows Server 2019: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594442
Windows Server 1903: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594443
Windows Server 1909: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594443
Windows Server 2004: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594440
Windows Server 20H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594440

Once the patch is applied, the application will be able to renew the tickets without the need to apply any patch for Hue.

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
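
To confirm that the update reached every domain controller, the following is an added example (not part of the original post) that queries each DC for the KB numbers listed above. It assumes Windows PowerShell with the ActiveDirectory RSAT module and remote WMI access to the DCs.

```powershell
# Added example: report which domain controllers have one of the updates
# listed in the post installed. Environment assumptions: ActiveDirectory
# module available, caller may query hotfixes remotely on each DC.
Import-Module ActiveDirectory

# KB numbers copied from the post, keyed by the release they apply to.
$kbByRelease = [ordered]@{
    'Windows Server 2012'    = 'KB4594438'
    'Windows Server 2012 R2' = 'KB4594439'
    'Windows Server 2016'    = 'KB4594441'
    'Windows Server 2019'    = 'KB4594442'
    'Windows Server 1903'    = 'KB4594443'
    'Windows Server 1909'    = 'KB4594443'
    'Windows Server 2004'    = 'KB4594440'
    'Windows Server 20H2'    = 'KB4594440'
}
$kbIds = $kbByRelease.Values | Sort-Object -Unique

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $status = 'Not found'
    $found  = $null
    try {
        # List all hotfixes and filter locally, so a missing KB is not
        # confused with a DC that could not be queried at all.
        $found = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                 Where-Object { $kbIds -contains $_.HotFixID }
        if ($found) { $status = 'Installed' }
    }
    catch {
        $status = "Query failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        OperatingSystem  = $dc.OperatingSystem
        OSVersion        = $dc.OperatingSystemVersion
        MatchingKB       = ($found.HotFixID -join ', ')
        Status           = $status
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

A "Not found" row is not proof that a DC is unpatched: a later cumulative update that supersedes these KBs will not appear under the same KB number, so compare the OS build against the update history for that release before acting on it.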

Expert Contributor

This is likely caused by a change in your AD servers. The CVE is CVE-2020-17049.

You'll need to file a case with Support and get a patch.

Explorer

Thanks for the reply and a direction to go in - who do I need to do a ticket with, Microsoft support or Cloudera?

Expert Contributor

Cloudera.

Explorer

We don't have a support contract with Cloudera - do they offer any type of free support options? We are in an academic setting.

Expert Contributor

Community support is the only free support option.

You could reach out to Cloudera to get the cluster under support or roll back the change on the AD side.

BTW, CDH 5 is reaching end of support (EOS) on Dec 31 so you'd need to upgrade to CDH 6 or CDP. 

Both of these will require a license for the most recent versions.

New Contributor

Hi Mike,

Hope you are doing good.

Could you please let us know what change in AD server causes this (any particular patch), as we are facing the same issue in our cluster.

Thanks,

Nancy

Expert Contributor

This is the executive summary from the CVE link:

A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).

To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.

The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.

Explorer

There was an additional hotfix in the KB article; once I applied that to all my DCs, the Kerberos ticket renewer has been stable.

Thank you for your feedback and pointing me in the right direction.