If you need to switch to AD based kerberos from MIT, then the following things need to happen: Get a OU designated for Cloudera Service principals to be created Then get a admin user account such as svc-cloudera@REALM that can create/delete/modify the service accounts in the OU designated for Cloudera, it needs to have full permission on that OU Now go to CM >>Administration >> Security >> Kerberos Credentials >> Configuration and edit the config to make the switch What needs to be changed/added : KDC TYPE Edit the Active Directory Suffix to specify the OU you created for the service accounts Enable this 'Active Directory Delete Accounts on Credential Regeneration' Enable this 'Active Directory Set Encryption Types' Make sure that the setting 'Active Directory Password Properties' satisfies your AD password restriction Kerberos Security Realm needs to be same as your domain but in UPPER CASE KDC Server Host needs to have the AD host. Don't use the load balanced domain controller Then save the changes. Go back to Kerberos Credentials page and click on 'Generate Missing Credentials Make sure that the principals now match the AD REALM and also have the AD team check if the principals appear in the OU allotted for this cluster     ... View more

@Petch I see that you are getting this error: [09/Jul/2020 23:45:02 +0000] 10401 MainThread agent ERROR Heartbeating to util.localdomain:7182 failed. ConnectionClosedException: Reader read 0 bytes.   Usually this error is reported if the CM is looking for the agent to communicate via TLS protocol but the config.ini has this setting 'use_tls' set to 0   Check and change it to use_tls=1 Then restart the agent using the following command : service cloudera-scm-agent restart ... View more