Support Questions

Find answers, ask questions, and share your expertise

What is the difference between a Windows Domain based Kerberos and Workstation based Kerberos with Ambari?


First things first:

This is what is works:

Ambari 2.4.2 with HDP 2.53 Cluster -> Kerberized

HTTP Authentication -> Enabled

And now the stuff which differs:

My Windows 7 Company workstation is logged to the company active directory domain, so is using

a proper DNS and inside DNS are proper SRV Records which points to the Company AD (Kerberos)

When i install the WIndows MIT Kerberos Client 4.01: The software work ootb, accepts my configuration (krb5.conf/ini) and lets me login the the Ambari Dashboard without the classic HTTP 401 or 403 Errors.

When i try to install the SAME MIT Kerberos Client Software on my private Winsdows 8.1 Workstation which has NO

DNS but uses to local c:\windows\system32\drivers\etc\hosts file to point to my KDC/Kadmin Server, it fail instantly at startup while not finding my KDC. The sams Software MIT 3.22 works flawlessly when getting a Ticket from my KDC.

The Firefox Network.x setting are identically between my Company Notebook and my private Notebook.

On my private machine i checked: MIT Windows Client (3.22) in 32Bit and 64Bit

and checked Heimdal 32Bit and 64Bit. With Heimdall i can get my Tickets but under NO circumstances i am able to

overecome the HTTP 401 Error.

This is my question, when tryting to get to the HDFS 50070 Port

Host: myserver.mynet:50070 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: text/css,*/*;q=0.1 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://myserver.mynet:50070/dfshealth.html DNT: 1 Connection: keep-alive If-Modified-Since: Tue, 29 Nov 2016 18:21:21 GMT Cache-Control: max-age=0

This is the answer:

Cache-Control: must-revalidate,no-cache,no-store Content-Length: 1437 Content-Type: text/html; charset=iso-8859-1 Server: Jetty(6.1.26.hwx) Set-Cookie: hadoop.auth=; Path=/; Domain=.MYNET; HttpOnly WWW-Authenticate: Negotiate X-Frame-Options: SAMEORIGIN

Where the company Notebook is instantly doing an HTTP 304 with an additional:

Authorization: Negotiate YIIFoQYGKwYBBQUCoIIFlTCCBZGgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBA.....

My Workstation/Non-Domain private machine sticks at 401 Authorization error and soes not negotiate anything at all.

Can someone explain this weird topic to me?

It must have something to do with the domain membership of my company machine. Unfort. i have no clue what precisely happends under the hood between the WIndows Cache, Windows Secure Cache (LSA/MSLSA) and the used Kerberos Client. Also the MIT Kerberos 4.01 clioent gives you no options at all to configure this client properly.

Its like, the kerberos Software is actually creating a Ticket, Firefox is configured to pick one, but the SPNEGO Authen. is not performed.

Thanks for any inisghts

Best Regards,




Hi Norman -- I remember working through a similar issue a while back. Here's what I remember, and hopefully it'll get you closer:

After installation of the MIT Kerberos client, there's a krb5.ini file under c:\program data\MIT\Kerberos5. The "Program Data" directory is hidden, so you'll need to unhide it, or manually type it to find the files. You'll need to edit this INI file to add your REALM info for the MIT KDC.

There were also some changes needed to the browser to pick up on MIT Kerberos client, plus to allow access to the URIs you are trying to reach. Here's a link to some of the details for Firefox:

You can probably find similar info on other browsers by searching on SPNEGO + Kerberos + browser name

Hope this helps -- Eddie


Hi eddie,

Thansk for the information. I testse every possible solution regarding the link you've mentioned but i did'nt checked that hidden directory issue on windows.... I will try that one out.



Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.