Knox SSO - Shiro unable to login

New Contributor

I am trying to configure Knox 0.12 on HDP 2.6.1 for Active Directory authentication, based on Hortonworks documentation and community forum reference https://community.hortonworks.com/articles/114601/how-to-configure-and-troubleshoot-a-knox-topology....

Issue #1

On the advanced admin topology, I configured the necessary parameters based on the above document, and when I execute the curl statement, I get an "HTTP/1.1 403 Forbidden" error. When I checked gateway.log, the Computed userDn and Computed roles/groups are proper and match my LDAP setup. But then it errors out, and I couldn't find where it fails.

Issue #2

On the KnoxSSO topology, I am using a userDnTemplate where sAMAccountName is referred (sAMAccountName={0},ou=Accounts,...)

This fails with the error:

2018-05-25 10:09:30,022 INFO hadoop.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(203)) - Could not login: org.apache.shiro.authc.UsernamePasswordToken - <sAMAccountName>

2018-05-25 10:09:30,023 ERROR hadoop.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(205)) - Shiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]

I would appreciate the community's help with the steps to fix the issue.

2 REPLIES

Explorer

I am having the same error. Any help will be appreciated.

Rising Star

It might be too late, but I'll give it a shot.

in "userDnTemplate where sAMAccountName is referred (sAMAccountName={0},ou=Accounts,...)" 

If you are on AD, check whether your users' DNs start with "CN", not sAMAccount, as sAMAccount is just the login name.
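
An added example, not part of any post in this thread: a small triage helper that decodes the Active Directory sub-code in the "LDAP: error code 49 ... data 52e" line from gateway.log and flags a userDnTemplate whose first RDN attribute is not CN, as the reply suggests checking. The function names are hypothetical, the dc=example,dc=com suffix is a constructed placeholder for the elided part of the template, and the CN check assumes default AD naming of user objects.

```python
import re

# Sub-codes Active Directory puts in the "data" field of an LDAP error 49
# bind failure (hex form of the Win32 logon error).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "user name or password is incorrect",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_ERR = re.compile(r"LDAP: error code (\d+)\b.*?\bdata ([0-9a-fA-F]+)")

def explain_bind_failure(log_line):
    """Return (ldap_code, ad_subcode, meaning), or None if no AD bind error is present."""
    m = BIND_ERR.search(log_line)
    if not m:
        return None
    sub = m.group(2).lower()
    return int(m.group(1)), sub, AD_BIND_SUBCODES.get(sub, "unknown sub-code")

def template_rdn_warning(user_dn_template):
    """Warn when the template's first RDN attribute is not CN (assumes default AD naming)."""
    attr = user_dn_template.split("=", 1)[0].strip()
    if attr.lower() != "cn":
        return f"template builds '{attr}=...' DNs; AD user DNs normally start with CN="
    return None

# Log line as posted in the question; the template suffix is constructed.
LINE = (
    "2018-05-25 10:09:30,023 ERROR hadoop.gateway (KnoxLdapRealm.java:doGetAuthenticationInfo(205)) "
    "- Shiro unable to login: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
    "LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]"
)
TEMPLATE = "sAMAccountName={0},ou=Accounts,dc=example,dc=com"

if __name__ == "__main__":
    print(explain_bind_failure(LINE))
    print(template_rdn_warning(TEMPLATE))
```

Sub-code 52e only says the bind was rejected; a DN built from the wrong attribute and a wrong password both produce it, which is why the template check is run alongside the decode.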