
Switch from MIT Kerberos auth to AD Auth



In our cluster we have MIT Kerberos authentication enabled, and we would like to move to AD authentication. I would appreciate it if someone could share best practices, documents, how-tos etc. on how to move forward on this and what changes would be required in order to achieve this.





Rising Star



On a high level, below are the steps:


Use Cloudera Manager to manage and distribute the krb5.conf that CDH needs for requesting Kerberos tickets.

Here are the recommended steps:

  1. Shut down the CDH services
  2. Shut down the Cloudera Manager Management services
  3. Walk through the steps for configuring direct-to-AD integration
  4. Regenerate all the principals
  5. Distribute the new krb5.conf (which has the AD realm information)
  6. Start the Cloudera Manager Management services
  7. Start the CDH services


Also, review the docs below:

Enabling Kerberos Authentication for CDH


I hope this helps.






Hi @tjangid 


Thanks for your reply. In my previous post I incorrectly mentioned that we want to move from MIT Kerberos to AD, whereas we currently have MIT Kerberos (local) working in our cluster and we need it to be integrated with AD.

So basically I am looking to find some detailed steps / guides on how to get this done. I have come across some blogs regarding one-way cross-realm trust etc., and I am a bit confused by these.


I would appreciate any help in this regard.




Cloudera Employee

If you need to switch to AD-based Kerberos from MIT, then the following things need to happen:

  1. Get an OU designated for the Cloudera service principals to be created in
  2. Then get an admin user account such as svc-cloudera@REALM that can create/delete/modify the service accounts in the OU designated for Cloudera; it needs to have full permission on that OU
  3. Now go to CM >> Administration >> Security >> Kerberos Credentials >> Configuration and edit the config to make the switch
  4. What needs to be changed/added:
    • KDC Type
    • Edit the Active Directory Suffix to specify the OU you created for the service accounts
    • Enable 'Active Directory Delete Accounts on Credential Regeneration'
    • Enable 'Active Directory Set Encryption Types'
    • Make sure that the setting 'Active Directory Password Properties' satisfies your AD password restrictions
    • Kerberos Security Realm needs to be the same as your domain, but in UPPER CASE
    • KDC Server Host needs to be the AD host. Don't use the load-balanced domain controller
  5. Then save the changes. Go back to the Kerberos Credentials page and click on 'Generate Missing Credentials'
  6. Make sure that the principals now match the AD REALM, and also have the AD team check that the principals appear in the OU allotted for this cluster
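The two answers above leave two things to the reader: what the AD-realm krb5.conf that Cloudera Manager distributes (step 5 of the first answer) looks like, and how to confirm afterwards that every principal really landed in the AD realm with the encryption types you selected (step 6 and the 'Active Directory Set Encryption Types' setting of the second answer). The script below is an added example, not Cloudera's code or anything from this thread: `render_krb5_conf` builds a minimal krb5.conf whose realm is the domain in upper case and whose kdc lines name individual domain controllers rather than a load-balanced alias, and `audit_keytab` parses `klist -ket` output and reports principals outside the expected realm or keyed with a non-AES enctype. The domain, the hostnames, the keytab path and the klist text are all constructed, and treating only the two AES enctypes as acceptable is an assumption for the check.

```python
"""Helpers for the MIT-to-AD Kerberos switch described in the thread.

Added example (not Cloudera code): renders a krb5.conf for an AD realm and
audits `klist -ket` output so that every principal lives in the AD realm and
uses an AES enctype. Hostnames, realms and the klist text are constructed.
"""
import re
from typing import Dict, List, Tuple

# AES enctypes that AD issues once 'Active Directory Set Encryption Types'
# asks for them; anything else in a keytab is reported for review (assumption).
AD_STRONG_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

# One `klist -ket` row: KVNO, date, time, principal@REALM, (enctype).
KLIST_ROW = re.compile(
    r"^\s*\d+\s+\S+\s+\S+\s+(?P<prim>[^@\s]+)@(?P<realm>\S+)\s+\((?P<enc>[^)]+)\)\s*$"
)


def render_krb5_conf(domain: str, kdc_hosts: List[str]) -> str:
    """Render a minimal krb5.conf for the AD realm of `domain`.

    The realm is the domain in upper case, and each kdc line names an
    individual domain controller rather than a load-balanced alias.
    """
    if not kdc_hosts:
        raise ValueError("at least one domain controller hostname is required")
    realm = domain.upper()
    enctypes = " ".join(sorted(AD_STRONG_ENCTYPES, reverse=True))
    kdc_lines = "\n".join(f"    kdc = {h}" for h in kdc_hosts)
    return (
        "[libdefaults]\n"
        f"  default_realm = {realm}\n"
        "  dns_lookup_kdc = false\n"
        "  ticket_lifetime = 24h\n"
        "  renew_lifetime = 7d\n"
        "  forwardable = true\n"
        f"  default_tgs_enctypes = {enctypes}\n"
        f"  default_tkt_enctypes = {enctypes}\n"
        f"  permitted_enctypes = {enctypes}\n"
        "\n[realms]\n"
        f"  {realm} = {{\n{kdc_lines}\n    admin_server = {kdc_hosts[0]}\n  }}\n"
        "\n[domain_realm]\n"
        f"  .{domain.lower()} = {realm}\n"
        f"  {domain.lower()} = {realm}\n"
    )


def parse_klist(output: str) -> List[Tuple[str, str, str]]:
    """Return (principal_without_realm, realm, enctype) for each keytab row."""
    rows = []
    for line in output.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            rows.append((m["prim"], m["realm"], m["enc"]))
    return rows


def audit_keytab(output: str, expected_realm: str) -> Dict[str, List[str]]:
    """Flag keytab entries outside the AD realm or using a non-AES enctype."""
    expected = expected_realm.upper()  # the realm must be the domain in upper case
    findings: Dict[str, List[str]] = {"wrong_realm": [], "weak_enctype": []}
    for prim, realm, enc in parse_klist(output):
        full = f"{prim}@{realm}"
        if realm != expected and full not in findings["wrong_realm"]:
            findings["wrong_realm"].append(full)
        if enc not in AD_STRONG_ENCTYPES:
            findings["weak_enctype"].append(f"{full} ({enc})")
    return findings


# Constructed `klist -ket` output: one principal left behind in the old MIT
# realm and one HTTP key still cut with RC4.
KLIST_SAMPLE = """\
Keytab name: FILE:/path/to/hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 10:00:00 hdfs/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/15/2024 10:00:00 hdfs/node1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/15/2024 10:00:00 HTTP/node1.example.com@EXAMPLE.COM (arcfour-hmac)
   5 01/10/2024 09:00:00 hdfs/node2.example.com@HADOOP.LOCAL (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    print(render_krb5_conf("example.com", ["dc1.example.com", "dc2.example.com"]))
    for kind, items in audit_keytab(KLIST_SAMPLE, "EXAMPLE.COM").items():
        print(f"{kind}: {items or 'none'}")
```

Run the audit against the real `klist -ket <keytab>` output on each host after 'Generate Missing Credentials' has finished: an empty `wrong_realm` list confirms the regeneration replaced the MIT principals, and anything in `weak_enctype` points at a keytab that was cut before the AD encryption types were set and needs regenerating.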


