I have a good old problem with accessing kerberized web http url from my browser, bumping into an error:
HTTP Status 403 - GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
My environment is a lab, so I have a non-domain computer (not joined to the Active Directory), I have Kerberos KDC running in one linux server, and then several linux servers running Hadoop. The cluster is kerberized, inside the cluster everything works with tickets (hdfs, impala-shell) but from outside I cant access the secured Solr site (and also I assume other sites, as namenode, resource manager web ui, it those would be secured as well).
I tried to google around this problem, read all posts here about spnego, tried everything so far:
1. adding the server running of the Solr into the trusted zones.
2. Downloaded Kerberos client for Windows, and sucessfully acquired a ticket
3. Under Run as Admin cmd: ksetup /addkdc MYREALM.LOCAL <kdchostip>
ksetup /addhosttorealmmap <solrhost> MYREALM.LOCAL
4. Tried Chrome, IE, FireFox
But nothing helped. I guess the error is obvious, because the browser don't know WHERE to contact the hadoop KDC server, even if I did the ksetup, it didnt helped.
Running curl from any of the hadoop nodes:
1. kinit hdpuser
2. curl --negotiate -u : http://192.168.20.41:8983/solr/
works fine so the problem is around my browser, my OS or DNS or I dont know.