Hello @tableau,
If pre-authentication is failing despite using the correct credentials, it’s possible that the issue is due to a mismatch in the letter-case of the username. Specifically, the username provided may not match the userPrincipalAttribute value (typically userPrincipalName) in Active Directory.
When AES encryption types are used, Active Directory derives the key salt by concatenating the realm name with the username, and this process is case-sensitive. Therefore, any mismatch in letter-case can lead to authentication failure.
To verify the correct casing of the userPrincipalAttribute for the KDC admin user, you can run the following ldapsearch command:
ldapsearch -v -H ldaps://{LDAP_URL}:636 -D 'xx@TEST.LAN' -W -b '{SEARCHBASE}' userPrincipalName="xx@TEST.LAN" Once confirmed, use the exact same letter-case when importing the KDC account manager credentials under:
Administration → Security → Kerberos Credentials → Import KDC Account Manager Credentials
Additionally, if the old KDC details still appear during the 'Generate Missing Credentials' operation, please ensure the new KDC is correctly configured under:
Administration → Security → Kerberos Credentials → Setup KDC for this Cloudera Manager
Let me know if any further clarification is needed.
