@ateka_18 The downtime is better choice because KTS interacts with CDH cluster and failure/Down of KTS will hamper the CDH services hence the job.  ... View more

Hello there, The below property would be required if you would like to set RPC encryption[1]: hadoop.rpc.protection = privacy authentication : authentication only (default); integrity : integrity check in addition to authentication; privacy : data encryption in addition to integrity   RPC encryption [2]:The most common way for a client to interact with a Hadoop cluster is through RPC.  A client connects to a NameNode (NN) over RPC protocol to read or write a file. RPC connections in Hadoop use Java’s Simple Authentication & Security Layer (SASL) which supports encryption. When hadoop.rpc.protection property is set to 'privacy' the data over RPC is encrypted with symmetric keys.    Ref: [1] https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.5/configuring-wire-encryption/content/enabling_rpc_encryption.html  Kindly check the below Additional references for Wire Encryption and RPC Encryption blog post with detailed explanation[3]: Ref: [2] https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.5/configuring-wire-encryption/content/wire_encryption.html  Ref: [3] https://blog.cloudera.com/wire-encryption-hadoop/  Ref: [4] Apache Jir Ref: Hadoop in Secure Mode: https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/SecureMode.html    Hope this helps! Let me know if you have any queries. ... View more

@ateka_18 Here is the Cause and Solution of this issue.    Cause:  Microsoft recently rolled out an Active Directory update for CVE-2020-17049 [1]. This update indicates: 'When the registry key is set to 1, patched domain controllers will issue service tickets and Ticket-Granting Tickets (TGT)s that are not renewable and will refuse to renew existing service tickets and TGTs. Windows clients are not impacted by this since they never renew service tickets or TGTs. Third-party Kerberos clients may fail to renew service tickets or TGTs acquired from unpatched DCs. If all DCs are patched with the registry settings to 1, third-party clients will no longer receive renewable tickets. Now the Solution is:   We have found out that MSFT has also released a fix for the Kerberos authentication issue. To fix the Windows AD, you can engage with the AD team to apply one of the following patches that MSFT has provided to fix the Kerberos authentication issue. Please link on the appropriate link based on the flavor of the Windows Server. Windows Server 2012: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594438 Windows Server 2012 R2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594439Windows Server 2016: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594441 Windows Server 2019: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594442 Windows Server 1903: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594443 Windows Server 1909: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594443 Windows Server 2004: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594440 Windows Server 20H2: https://www.catalog.update.microsoft.com/Search.aspx?q=KB4594440 Once the patch is applied, the application will be able to renew the tickets without theneed to apply any patch for Hue. [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049  So in short you have to ask you AD team to apply the below patch on Domain Controllers to resolve this  issue since it's a Microsoft Vulnerability.  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049   ... View more

Thanks a lot @tusharkathpal  for your detailed explanation. Your suggestion has really worked. ... View more