Unable to login to Tableau when HS2 is enabled with AD

Explorer

Hi,

I have a cluster with no security measures other than HS2 integrated with AD.

Unable to log in to Tableau after HS2 is integrated with AD.

Can anyone help me out on this?

Environment:

HS2 - 1.2.1000

HS2 is integrated with Active Directory:

hive.server2.authentication=LDAP
hive.server2.authentication.ldap.url=ldap://192.168.254.142:389
hive.server2.authentication.ldap.Domain=myproject.com

Error1:

2018-11-16 23:59:47,057 ERROR [HiveServer2-Handler-Pool: Thread-44]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: Error validating the login [Caused by javax.security.sasl.AuthenticationException: LDAP Authentication failed for user [Caused by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580^@]]]
at org.apache.hive.service.auth.PlainSaslServer.evaluateResponse(PlainSaslServer.java:109)
at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

Error2:

2018-11-16 23:59:29,716 ERROR [HiveServer2-Handler-Pool: Thread-44]: server.TThreadPoolServer (TThreadPoolServer.java:run(297)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184)
at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 4 more
2018-11-16 23:59:47,0

Re: Unable to login to Tableau when HS2 is enabled with AD

Guru
Tableau could be using the ODBC driver. Can you please share the ODBC configuration screenshots to see how ODBC is set up?

Please also enable TRACE logging via "Logging Options" and share the log on the driver side.

Finally, please confirm the ODBC driver version. Have you tried to upgrade to the latest version, if not yet?

Cheers

Re: Unable to login to Tableau when HS2 is enabled with AD

Explorer

Hi,

How do I enable trace from the Tableau end?

I did use a supported and the latest ODBC driver.

Someone else has set up ODBC, and the connection to Tableau works properly with user name but not with username and password in Tableau.

Re: Unable to login to Tableau when HS2 is enabled with AD

Guru
Hi,

As I mentioned before, on the ODBC configuration window, there should be a button named "Logging Options", you can select TRACE log level and path on the popup window.

However, I checked the error again based on:

LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580

and https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

It mentions that 52e means "Returns when username is valid but password/credential is invalid".

Have you confirmed the password is correct?

Cheers
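The two failures quoted in this thread can be told apart mechanically. The following is an added example, not code from any poster or from Hive: it extracts the AD sub-code from the `data` field of LDAP error 49 and the byte behind a Thrift "Invalid status" message. The sub-code names are the standard Win32 logon errors; the reading of the status byte (Java logs it signed, so -128 is 0x80, the first byte of a strict TBinaryProtocol message) follows from the Thrift wire format and is this example's interpretation, and the function and table names are hypothetical.

```python
import re

# Win32 logon errors that AD puts, in hex, in the "data" field of LDAP error 49.
AD_SUBCODES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE (user name or password rejected)",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}
# First byte the server read where it expected a SASL status (1..5).
NON_SASL_FIRST_BYTE = {
    0x80: "strict TBinaryProtocol message: client skipped SASL negotiation",
    0x16: "TLS handshake record: client expects SSL on this port",
}
LDAP49 = re.compile(r"LDAP: error code 49 - .*?\bdata ([0-9a-fA-F]+),")
BAD_STATUS = re.compile(r"TTransportException: Invalid status (-?\d+)")

def classify(line):
    """Return (kind, detail) for an HS2 auth-failure log line, else None."""
    m = LDAP49.search(line)
    if m:
        code = int(m.group(1), 16)
        return ("ldap_bind_rejected", AD_SUBCODES.get(code, "sub-code 0x%x" % code))
    m = BAD_STATUS.search(line)
    if m:
        byte = int(m.group(1)) & 0xFF  # Java logs the byte as a signed value
        hint = NON_SASL_FIRST_BYTE.get(byte, "not a SASL status byte")
        return ("sasl_handshake_rejected", "0x%02x: %s" % (byte, hint))
    return None

# Two lines shortened from the HiveServer2 log quoted in this thread.
SAMPLE = [
    "... [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580]",
    "java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Invalid status -128",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

A `sasl_handshake_rejected` line means the connection never reached the LDAP bind at all, so it says nothing about whether the password was right.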

Re: Unable to login to Tableau when HS2 is enabled with AD

Explorer

Hi,

The user name and password are correct.

What I am wondering here is:

When HS2 is integrated with AD, beeline connectivity works fine, but only Tableau connectivity goes wrong.

Also,

Trace logs are not generated from the ODBC driver (not sure why that is!)

Here is the screenshot of driver configuration:

ODBClog.PNG

Re: Unable to login to Tableau when HS2 is enabled with AD

Guru
The log path should be a directory, not a file. Please also try to create the directory first, make sure it is writable, and try again. The log files will be generated when you try to connect to HS2 via ODBC again.

Cheers

Re: Unable to login to Tableau when HS2 is enabled with AD

Explorer

Thanks a lot for your patience on this and I really appreciate it from my end.

I enabled logging.

Everything seems good when HS2 is not integrated with AD.

But when I try to connect when HS2 is integrated with AD, I am not able to connect.

Here is the log from Driver:

Nov 19 08:05:53.526 ERROR 6096 DSTestResultDialog::Initialize: [DriverSupport] (1110) Unexpected response received from server. Please ensure the server host and port specified for the connection are correct and confirm if SSL should be enabled for the connection.

Question: SSL is not enabled in the cluster and on the Tableau end or AD end or driver end, is it required?

Here is the log from HS2:

[root@server2 hive]# vi /var/tmp/hiveserver2withAD1.log
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184)
at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 4 more
2018-11-18 18:40:37,168 ERROR [HiveServer2-Handler-Pool: Thread-43]: server.TThreadPoolServer (TThreadPoolServer.java:run(297)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184)
at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 4 more
2018-11-18 18:40:41,032 ERROR [HiveServer2-Handler-Pool: Thread-43]: server.TThreadPoolServer (TThreadPoolServer.java:run(297)) - Error occurred during processing of message.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.thrift.transport.TTransportException: Invalid status -128
at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184)
at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
... 4 more

Here is the ODBC configuration:

ODBClog.PNG

Re: Unable to login to Tableau when HS2 is enabled with AD

Master Collaborator
Using AD without SSL and authorizing users in HS2 with AD passwords means that anybody with tcpdump can sniff all the passwords of your users.
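The exposure described above has two hops, and the settings posted at the top of this thread leave both open. The following is an added example, not code from the thread or from Hive: it reads `key=value` properties and lists each hop on which the AD password travels unencrypted. `hive.server2.use.SSL` is a real HiveServer2 property that the original post does not list, so it is treated here at its default of false; the function names and the hardened sample are constructed, and StartTLS is not considered.

```python
from urllib.parse import urlparse

def parse_props(text):
    """Parse key=value lines, as posted in the thread, into a dict."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def cleartext_password_hops(props):
    """Return the network hops on which a user's AD password is sent in cleartext."""
    findings = []
    if props.get("hive.server2.authentication", "NONE").upper() != "LDAP":
        return findings
    # Hop 1: client -> HS2. LDAP auth uses SASL PLAIN (PlainSaslServer in the
    # stack trace), so only TLS on the Thrift port protects the password.
    if props.get("hive.server2.use.SSL", "false").lower() != "true":
        findings.append("client->HS2: SASL PLAIN without hive.server2.use.SSL=true")
    # Hop 2: HS2 -> AD. A simple bind over ldap:// sends the password as-is.
    url = urlparse(props.get("hive.server2.authentication.ldap.url", ""))
    if url.scheme.lower() != "ldaps":
        target = url.netloc or "(no URL set)"
        findings.append("HS2->AD: simple bind without ldaps:// to " + target)
    return findings

# Settings exactly as posted in the original question.
POSTED = """\
hive.server2.authentication=LDAP
hive.server2.authentication.ldap.url=ldap://192.168.254.142:389
hive.server2.authentication.ldap.Domain=myproject.com
"""

# Constructed hardened variant: TLS on both hops (host name is a placeholder).
HARDENED = """\
hive.server2.authentication=LDAP
hive.server2.authentication.ldap.url=ldaps://ad.example.invalid:636
hive.server2.authentication.ldap.Domain=myproject.com
hive.server2.use.SSL=true
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("hardened", HARDENED)):
        print(name, cleartext_password_hops(parse_props(text)))
```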

Re: Unable to login to Tableau when HS2 is enabled with AD

Explorer
Agreed, but right now I can't enable SSL, and I need to get rid of this issue. Can you help me with this?