Created on 02-23-2017 10:31 AM - edited 09-16-2022 04:08 AM
First things first:
This is what works:
Ambari 2.4.2 with HDP 2.53 Cluster -> Kerberized
HTTP Authentication -> Enabled
And now the stuff which differs:
My Windows 7 company workstation is logged in to the company Active Directory domain, so it is using
a proper DNS, and inside DNS are proper SRV records which point to the company AD (Kerberos).
When I install the Windows MIT Kerberos Client 4.01, the software works ootb, accepts my configuration (krb5.conf/ini) and lets me log in to the Ambari Dashboard without the classic HTTP 401 or 403 errors.
When I try to install the SAME MIT Kerberos Client software on my private Windows 8.1 workstation, which has NO
DNS but uses the local c:\windows\system32\drivers\etc\hosts file to point to my KDC/Kadmin server, it fails instantly at startup while not finding my KDC. The same software MIT 3.22 works flawlessly when getting a ticket from my KDC.
The Firefox Network.x settings are identical between my company notebook and my private notebook.
On my private machine I checked: MIT Windows Client (3.22) in 32-bit and 64-bit,
and checked Heimdal 32-bit and 64-bit. With Heimdal I can get my tickets, but under NO circumstances am I able to
overcome the HTTP 401 error.
This is my question, when trying to get to the HDFS 50070 port:
Host: myserver.mynet:50070
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/css,*/*;q=0.1
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://myserver.mynet:50070/dfshealth.html
DNT: 1
Connection: keep-alive
If-Modified-Since: Tue, 29 Nov 2016 18:21:21 GMT
Cache-Control: max-age=0
This is the answer:
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1437
Content-Type: text/html; charset=iso-8859-1
Server: Jetty(6.1.26.hwx)
Set-Cookie: hadoop.auth=; Path=/; Domain=.MYNET; HttpOnly
WWW-Authenticate: Negotiate
X-Frame-Options: SAMEORIGIN
Where the company Notebook is instantly doing an HTTP 304 with an additional:
Authorization: Negotiate YIIFoQYGKwYBBQUCoIIFlTCCBZGgJzAlBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBA.....
My workstation/non-domain private machine sticks at the 401 Authorization error and does not negotiate anything at all.
Can someone explain this weird topic to me?
It must have something to do with the domain membership of my company machine. Unfortunately, I have no clue what precisely happens under the hood between the Windows cache, the Windows secure cache (LSA/MSLSA) and the Kerberos client in use. Also, the MIT Kerberos 4.01 client gives you no options at all to configure this client properly.
It's like the Kerberos software is actually creating a ticket, Firefox is configured to pick one up, but the SPNEGO authentication is not performed.
Thanks for any insights
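An added diagnostic sketch, not part of any post in this thread: it reads the two header sets a browser's network panel shows (the 401 challenge and the retried request) and reports whether the client answered `WWW-Authenticate: Negotiate` at all, and if so whether the token looks like SPNEGO/Kerberos or NTLM. The function names and sample tokens are constructed for illustration, and mechanism detection is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs: tag 0x06, length, value bytes.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP = b"NTLMSSP\x00"                              # NTLM message signature

def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_token(b64):
    """Heuristically name the mechanism inside a Negotiate token."""
    b64 = b64.strip().rstrip(".")          # pasted captures are often cut off with dots
    b64 = b64[: len(b64) - len(b64) % 4]   # keep whole base64 quanta only
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return "unparseable"
    if NTLMSSP in blob:
        return "ntlm"
    if blob[:1] == b"\x60" and SPNEGO_OID in blob:
        return "spnego-kerberos" if KRB5_OID in blob else "spnego-other"
    if blob[:1] == b"\x60" and KRB5_OID in blob:
        return "kerberos"
    return "unknown"

def diagnose(response_raw, retry_request_raw):
    """Classify one challenge/retry pair from a browser network capture."""
    challenge = parse_headers(response_raw).get("www-authenticate", "")
    if "negotiate" not in challenge.lower():
        return "server-did-not-offer-negotiate"
    auth = parse_headers(retry_request_raw).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return "client-sent-no-token"
    return "client-sent-" + classify_token(token)

# Constructed sample data (not taken from a real capture).
CHALLENGE = "Server: Jetty\nWWW-Authenticate: Negotiate\n"
KRB_TOKEN = base64.b64encode(
    b"\x60\x1b" + SPNEGO_OID + b"\xa0\x11\x30\x0f\xa0\x0d\x30\x0b" + KRB5_OID
).decode()
NTLM_TOKEN = base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00").decode()
```

A result of `client-sent-no-token` corresponds to the behaviour described for the non-domain machine: the server issued the challenge, but the browser never obtained or attached a GSSAPI token.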
Hi Norman -- I remember working through a similar issue a while back. Here's what I remember, and hopefully it'll get you closer:
After installation of the MIT Kerberos client, there's a krb5.ini file under c:\program data\MIT\Kerberos5. The "Program Data" directory is hidden, so you'll need to unhide it, or manually type it to find the files. You'll need to edit this INI file to add your REALM info for the MIT KDC.
There were also some changes needed to the browser to pick up on MIT Kerberos client, plus to allow access to the URIs you are trying to reach. Here's a link to some of the details for Firefox:
You can probably find similar info on other browsers by searching on SPNEGO + Kerberos + browser name
Hope this helps -- Eddie
Thanks for the information. I tested every possible solution regarding the link you've mentioned, but I didn't check that hidden directory issue on Windows.... I will try that one out.