Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.


Expert Contributor

goal is to get authenticate oozie/nn/rm etc in browser

currently i'm getting below error


Problem accessing /solr/. Reason:

    GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Super Mentor

@Raja Sekhar Chintalapati

Have you done the following?

Open the Firefox "about:config" and then search for the following two properties and set the values to the hostname/domain that are secured:,,

Here you need to define the hostname/domain that you are using.

Now get the keytab on your local machine (laptop) where browser is running and then do the kinit. Then refresh the browser. Example:

kinit  -t /PATH/TO/yarn.service.keytab yarn/


Expert Contributor

@Jay SenSharma i got 5 node HDP cluster along with win2k8 AD.

I'm using browser on my windows 10 machine. i do not have any krb5.conf configured on my windows 10.

Super Mentor

@Raja Sekhar Chintalapati

As you are getting the Keytab file from your cluster to your Windiws2k8 machine, In the same way you can get the krb5.conf file as well on your windows machine and then do a kinit.

Expert Contributor

@Jay SenSharma i got MIT kDC on linux host where SPN's were created by ambari.

users will get their ticket from AD. I've setup one way trust between AD & MIT KDC.

i followed below link even this didnot help

You also must set in Firefox about:config network.auth.use-sspi = false to enable Kerberos. But most likely it still won't work because Windows doesn't know that your Oozie server etc. belong to another realm. Therefore install MIT Kerberos client for Windows, details how to install here, then copy krb5.conf from your cluster to "C:\Program Files\MIT\Kerberos\krb5.ini". Then, unlike in that article, change krb5.ini and set your default realm to your AD realm, and in the domain_realm section list all cluster master node FQDN's and set their realm to your HDP realm. After that restart your PC, and try to access Oozie Web UI. In the Kerberos Ticket Manager you can see which principals have been contacted, and that your cluster masters are in the right domain.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.