
What is kerberos?

windows,hadoop,kerberos

Here you find some help links; I want to know how it actually works?
Very good introduction that is also very short - http://www.youtube.com/watch?v=kp5d8Yv3-0c
Conversation explaining Kerberos, how it is built - http://web.mit.edu/kerberos/www/dialogue.html
How to use it for hadoop on windows - http://doc.mapr.com/display/MapR/Configuring+Kerberos+Authentication+for+Windows
https://fermi.service-now.com/kb_view.do?sysparm_article=KB0011316 How to configure it for windows....

secure hbase application - kerberos authentication

security,hbase,kerberos,keytab

This is as per design. When the session expires it will try to relogin. This functionality enables HBase clients to stay up for eternity when they are used in Application Servers.

Secure Hadoop - Datanode cannot connect with namenode

hadoop,kerberos,hadoop2

I just changed the default supergroup name to a newly created group which has all hadoop users as members. Now all users in that group act as superusers, hence it works fine.
<property>
  <name>dfs.permissions.superusergroup</name>
  <value>Hadoopgroup</value>
</property>
Refer superuser...

GSSException createCredential

java,kerberos,gssapi

Just an update. I have this working now - my previous code was largely ok - it was just my understanding of how the Kerberos token would be added to the JAX-WS request. Turns out it's just a matter of attaching a Handler to the bindingProvider. The handler then obtains...

Extracting Kerberos Ticket from WCF method OperationContext

wcf,kerberos,extraction,ticket

byte[] retVal = null;
foreach (string header in HttpContext.Current.Request.Headers)
{
    string headerVal = HttpContext.Current.Request.Headers[header];
    if (headerVal.StartsWith("Negotiate"))
    {
        string[] parts = headerVal.Split(' ');
        string kerberosStr = parts[1];
        // if a header token begins with "YII" it's kerberos
        // otherwise it's likely NTLM (or other)
        if (kerberosStr.StartsWith("YII"))
        {
            retVal = Convert.FromBase64String(kerberosStr);
            break;
        }
    }
}
...
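An added example, not code from the answer above: a Python classifier that decodes the Negotiate token and reads its DER header and mechanism OID instead of testing the base64 prefix. The "YII" prefix only appears when the outer DER length is long-form with two length octets (bytes 60 82 ..), so a small token starts with something like "YB.." and the prefix test misses it; a raw NTLMSSP message under the Negotiate scheme is also possible, as is a SPNEGO token whose preferred mechanism is NTLM. All sample tokens are constructed inside the block; the OID byte strings are the standard SPNEGO, Kerberos, Microsoft Kerberos and NTLMSSP mechanism OIDs.

```python
"""Classify the token in an HTTP "Authorization: Negotiate ..." header.

Added example, not code from the answer above. The "YII" prefix test only
matches when the outer DER length is long-form with two length octets
(bytes 60 82 ..); smaller tokens start with e.g. "YB.." and are missed.
Decoding the token and reading the DER header and mechanism OID is the
robust check. Every sample token here is constructed, not captured.
"""
import base64

# DER content octets of the mechanism OIDs (RFC 4178 / RFC 4121 / MS-SPNG)
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b060104018237020210")  # 1.3.6.1.4.1.311.2.2.10

def _der_length(buf, pos):
    """Return (length, content offset) for the DER length octets at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der(tag, body):
    """Wrap body in a DER TLV (used to build the constructed samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, pos, tag):
    """Require tag at buf[pos]; return (content, content offset, end offset)."""
    if buf[pos] != tag:
        raise ValueError("expected tag 0x%02x" % tag)
    n, start = _der_length(buf, pos + 1)
    return buf[start:start + n], start, start + n

def classify_negotiate(header_value):
    """Name the mechanism actually carried in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "bad-base64"
    if tok.startswith(b"NTLMSSP\x00"):
        return "ntlm"                # raw NTLMSSP message under the Negotiate scheme
    try:
        _, pos, _ = _tlv(tok, 0, 0x60)          # GSS InitialContextToken [APPLICATION 0]
        oid, _, pos = _tlv(tok, pos, 0x06)      # thisMech
        if oid in (OID_KRB5, OID_MS_KRB5):
            return "kerberos"        # bare Kerberos token, no SPNEGO wrapper
        if oid != OID_SPNEGO:
            return "unknown"
        # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF MechType
        for tag in (0xA0, 0x30, 0xA0, 0x30):
            _, pos, _ = _tlv(tok, pos, tag)
        mech, _, _ = _tlv(tok, pos, 0x06)       # first entry = client's preferred mech
    except (IndexError, ValueError):
        return "unknown"
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "spnego-kerberos"
    return "spnego-ntlm" if mech == OID_NTLMSSP else "spnego-other"

def legacy_yii_check(header_value):
    """The prefix test from the answer above, kept for comparison."""
    return header_value.partition(" ")[2].startswith("YII")

def make_spnego_header(mech_oids, mech_token=b""):
    """Build a constructed Negotiate header carrying a NegTokenInit."""
    mech_types = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    body = _der(0xA0, mech_types)
    if mech_token:
        body += _der(0xA2, _der(0x04, mech_token))   # [2] mechToken
    inner = _der(0x06, OID_SPNEGO) + _der(0xA0, _der(0x30, body))
    return "Negotiate " + base64.b64encode(_der(0x60, inner)).decode()

# Constructed samples: a browser-sized SPNEGO/Kerberos token, a tiny one that
# the "YII" test misses, SPNEGO preferring NTLM, and a raw NTLMSSP type 1.
SAMPLE_BIG = make_spnego_header([OID_KRB5, OID_NTLMSSP], b"\x00" * 300)
SAMPLE_SMALL = make_spnego_header([OID_KRB5])
SAMPLE_SPNEGO_NTLM = make_spnego_header([OID_NTLMSSP, OID_KRB5])
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
```

The classifier only reads the header; whether the Kerberos ticket inside is valid is still decided by the server's GSS/SSPI accept call, so treat the result as routing information, not as authentication.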

Kerberos term definitions

windows,security,kerberos

To make the terms understandable, we can compare the actual technical term with a domain example.
Example domain: Driving License
Realm: Authentication administrative domain. Each realm has its own Kerberos database which contains the users and services for that particular administrative domain. Example: TamilNadu has a separate administration. Rather AndraPradesh is a...

openldap + kerberos - unable to reach any KDC in realm

ldap,docker,kerberos,openldap,kdc

You need multiple things to get a containerized KDC reachable from the outside. Let's assume you are using port 88 as that is the default, and let's also assume your image was called docker-kdc.
Make sure your port 88 is exposed:
EXPOSE 88
Make sure your KDC daemon listens...

Hadoop-2.6.0 Authorization not working for MR jobs

security,hadoop,authorization,kerberos

I found the answer in the Cloudera documentation here. It seems that the property security.job.client.protocol.acl is for MR1 and for MR2 we can use security.applicationclient.protocol.acl. ...

Hue Beeswax / HCat no longer working (kerberos default user) after migration to HDP2.2

hive,kerberos,hortonworks-data-platform,hue

Okay, found it (had to debug the full python stack to understand). It's not really advertised, but some hue.ini parameter names have changed:
beeswax_server_host --> hive_server_host
beeswax_server_port --> hive_server_port
It was defaulting hive_server_host to localhost, which is not correct on a secure cluster....

Are kerberos tickets modifiable as part of an HTTP request payload?

kerberos

You have a basic misunderstanding of kerberos tickets. They cannot be modified at any point. They are encrypted in the server's key, any changes you make will invalidate the ticket. If you are asking when to present the ticket as part of the http exchange, then you need to specify...

Log out from SSO kerberos

osx,single-sign-on,kerberos

My solution is to close my application by:
[NSApp terminate:self];
A better solution would be to relaunch the app but this is enough for me right now....

WCF with Kerberos Authentication: The request for security token could not be satisfied because authentication failed

c#,web-services,wcf,authentication,kerberos

Ok, you need to add another SPN for the end service as well:
HTTP/SERVER2.int.mydomain.com MYDOMAIN\MY-HOST_ACCOUNT)
HTTP/SERVER2 MYDOMAIN\MY-HOST_ACCOUNT)
It is best to specify both FQDN and NetBIOS name. Ensure that you don't have duplicate SPNs, otherwise Kerberos authentication won't work. Add the SPNs as delegation targets to the domain account (this...

Using powershell SeImpersonatePrivilege granting to managed service account

kerberos,impersonation,service-accounts

"Impersonate a client after authentication" in the Local Security Policy under Local Policies -> User Rights Assignment; also NTRights with "SeImpersonatePrivilege":
ntrights.exe +r SeImpersonatePrivilege -u domain\managedserviceaccount$...

How to programatically verify Windows User via a network connection

windows,authentication,dns,kerberos,credentials

The magic answer I was looking for back then was SSPI (Kerberos). A similar solution exists with OpenSSL. For others looking for this you will also be interested in SSL, TLS (the new SSL), and SASL (a mechanism for deciding on the fly which identification algorithm to use) and it's...

Kerberos on Squid Server and Active Directory

active-directory,kerberos,squid

After long research, I found 2 points of failure for getting this error. In the hosts file, the realm was specified but kerberos was not able to resolve it. Adding another value (dc1.myexchange.com) for the realm (myexchange.com) seemed to enable the connection between the AD and Squid Server (where...

Oozie invalid user in secure mode

hadoop,kerberos,oozie

I just found the answer in Oozie Authentication Once authentication is performed successfully the received authentication token is cached in the user home directory in the .oozie-auth-token file with owner-only permissions. Subsequent requests reuse the cached token while valid. This is the reason for using invalid user even getting the...

HDFS datanode not starting with kerberos

security,hadoop,kerberos

It seems the JSVC package is not available for Windows. After taking a long time, I figured out a solution for this problem. Instead of using JSVC we can use SASL. Hadoop-2.6.0 supports SASL for authenticating the data transfer protocol. Refer to the documentation: Secure Datanode. To quote that link:...

Create data source in Report Builder 3.0 to a data cube using “current windows user” credentials

ssas,datasource,kerberos,reportbuilder3.0

So it turns out that it was a Kerberos issue as I suspected, and I was also correct that Report Builder was testing the connection using some process running under another authentication context. It turns out that when setting up Report Builder (and I had forgotten it) that you specify...

Programmatic Impersonation Delegation For Remote Resources (Double-Hop)

web-services,c#-4.0,kerberos,impersonation,kerberos-delegation

The code mentioned in the question works!! There was some problem with delegation, that needed to be fixed. Thanks...

Reading kerberos service ticket in Java

java,kerberos,ticket

http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7-b147/sun/security/krb5/internal/tools/Klist.java Most of the standard kerberos utilities have java versions somewhere inside the jdk. ...

Installing requests-kerberos on Windows

python,kerberos

The commands module was deprecated in python 2.6. Thus, the issue appears to be a problem with your pip installation, and not with requests-kerberos. There are a few things you can try, but I would focus on ensuring pip is working correctly. While you could install the package manually, you...

How does WCF work with Kerberos?

c#,.net,wcf,active-directory,kerberos

By following Erik Funkenbusch's recommendation I got the communication to be secured. This is what I had to change:
<security mode="Transport">
  <transport protectionLevel="EncryptAndSign" clientCredentialType="Windows"></transport>
</security>
...

How do I create a .keytab from Active Directory for Tomcat on Linux?

linux,windows,tomcat7,kerberos,spring-security-kerberos

In theory, you can map any machine in a DNS domain to any kerberos realm by getting every machine involved to use the same krb5.conf file. However, in practice the machine with DNS name web.foo.com is in the realm FOO.COM. To find the KDC for a realm, you can generally...

How to implement Single Sign-On on iOS

ios,objective-c,single-sign-on,kerberos

Apparently iOS 8 includes a certificate-support that allows the use of certificate-based single sign-on for users to authenticate to enterprise apps. Accounts Framework The Accounts framework (Accounts.framework) provides a single sign-on model for certain user accounts. Single sign-on improves the user experience by eliminating the need to prompt the user...

SSO setup using Kerberos on windows server

active-directory,single-sign-on,windows-authentication,kerberos,ntlm

If you use a service account in AD then I would not expect big changes:
  • DNS record for this service
  • Moving keytab to the new server
If a machine account is in use then you would need:
  • Reconfigure DNS
  • Remove SPN from the current machine account
  • Generate keytab for a new machine...

How can I set a transparent kerberos authentification for Tomcat?

java,tomcat,authentication,kerberos

Step by step from the "Web application" section:
Step 1: $CATALINA_HOME/<app-base>/<app-name>/META-INF/context.xml
<Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" />
Step 2: $CATALINA_HOME/<app-base>/<app-name>/WEB-INF/web.xml
<security-constraint>
  <display-name>All users</display-name>
  <web-resource-collection>
    <web-resource-name>All requests</web-resource-name>
    <url-pattern>/*</url-pattern>...

Why Pass-the-Hash attacks still work?

windows,security,authentication,kerberos,ntlm

The short answer is that yes, it is possible to initiate NTLM auth. For MS, it is not possible to fix it completely because that would break backward compatibility. You can read more about it in this thread http://www.reddit.com/r/netsec/comments/1ypdo1/sorry_microsoft_pass_the_hash_on_windows_81_still/...

Kerberos with websphere NPE

websphere,kerberos,spnego

The reason I was getting the NPE is that by default WebSphere uses the wsjaas.conf file. You can change this by editing a system launch properties file /AppServer/properties/systemlaunch/base/.systemlaunch.properties. There you have configured java.security.auth.login.config. In the default wsjaas.conf there was a missing entry ("spnego-client") that the SPNEGO API expects....

Kerberos spring javax.security.auth.login.LoginException: Unable to obtain password from user

java,spring,spring-security,kerberos,spring-security-kerberos

Thank you for responding. I have resolved the issue, problem was my keytab. My keytab file was not containing SPN which I was looking for. It was generated with wrong SPN. I tried with some dummy SPNs and found that I was getting same exception then asked team to validate...
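An added example, not part of the answer above or of any project: a small Python reader for the MIT keytab file format (version 0x0502) that lists the principal, enctype and kvno of each entry, so the "does my keytab actually contain this SPN" check can be made offline before blaming the JAAS configuration. The sample keytab is constructed inside the block, including a deleted slot and an entry with kvno above 255 so the optional 32-bit kvno field is exercised; the principal names and realm are made up for the example.

```python
"""List the principals in an MIT-format keytab (file format version 0x0502).

Added example, not code from the answer above or from any project. The
answer traced a JAAS "Unable to obtain password from user" to a keytab that
did not hold the expected SPN; reading the keytab and checking principal,
enctype and kvno is the offline check to run before touching JAAS config.
The sample keytab is constructed inline, with a deleted slot and a kvno
above 255 to exercise the optional 32-bit kvno field.
"""
import struct

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(data, pos):
    """Read a uint16 length-prefixed octet string at pos; return (bytes, next pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return one dict per live entry; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # a deleted slot occupies |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)          # realm precedes the components
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit kvno (needed once kvno > 255)
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": len(key),
            "timestamp": timestamp,
        })
        pos = end
    return entries

def has_key_for(data, principal, enctype=None):
    """True if the keytab holds a key for this principal (and enctype name, if given)."""
    return any(e["principal"] == principal and enctype in (None, e["enctype"])
               for e in parse_keytab(data))

def _entry(principal, enctype, kvno, key, timestamp=1400000000):
    """Serialize one keytab entry; only used to build the constructed sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # 32-bit kvno
    return struct.pack(">i", len(body)) + body

def build_sample_keytab():
    """Constructed sample: host key, a deleted slot, and two HTTP keys with kvno 300."""
    deleted = struct.pack(">i", -8) + b"\x00" * 8
    return (b"\x05\x02"
            + _entry("host/web.example.com@EXAMPLE.COM", 18, 3, b"\x11" * 32)
            + deleted
            + _entry("HTTP/web.example.com@EXAMPLE.COM", 17, 300, b"\x22" * 16)
            + _entry("HTTP/web.example.com@EXAMPLE.COM", 23, 300, b"\x33" * 16))
```

On a real file, `parse_keytab(open("service.keytab", "rb").read())` gives the same information as `klist -kte`; the principal string must match the SPN configured in the JAAS login module exactly, including case and realm, and the kvno must match the current key version in the KDC or AD account.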

Kerberos installation error, error: Setup script exited with error: command 'i686-linux-gnu-gcc' failed with exit status 1

python,ubuntu,virtualbox,kerberos

Based on the output here:
i686-linux-gnu-gcc: error: sh:: No such file or directory
i686-linux-gnu-gcc: error: 1:: No such file or directory
i686-linux-gnu-gcc: error: krb5-config:: No such file or directory
i686-linux-gnu-gcc: error: not: No such file or directory
i686-linux-gnu-gcc: error: found: No such file or directory
it looks like you're missing...

Whether to use an SPN with a Kerberos loginmodule in JAAS

active-directory,kerberos,jaas,jconsole,spn

If you are asking the user for the username and password on the console then you need neither keytab nor SPN. All you need is a plugin for JAAS that will ask for the password. The Kerberos session will be initiated by the JAAS login module and you will have a TGT inside of...

Malformed PAC logon info on new KerberosToken

java,kerberos,jaas

I've figured this one out myself. It turns out that the message "Malformed PAC logon info" is actually correct. The code failed when it was trying to get the "Resource groups data". Initially I thought that the PAC_LOGON_INFO structure has changed since the last jaaslounge implementation was written (somewhere in...

SPNEGO/Kerberos in IIS with foreign domain keytab

iis,windows-authentication,kerberos,keytab

It's theoretically possible, but the logistics of making it work are next to impossible to implement. I've no idea if IIS supports this or not, but it is possible in the kerberos API to say "try to decrypt this response using every key in the keytab". In theory, this can...

Windows client damage authorization header (Kerberos) => IIS 400 (Bad Request)

.net,windows,iis,kerberos

Solved. Eset NOD32 Antivirus version 4 was modifying HTML authorization headers on some computers. After disabling Web access protection everything works like a charm.

How to enable hdfs and mapred audit logs?

hadoop,logging,log4j,kerberos

I found an answer here. As I am using the YARN framework, I just added the below line in the log4j.properties file for mapred.audit.logger:
log4j.logger.org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger=${mapred.audit.logger}
...

setup kerberos constrained delegation powershell

powershell,kerberos

Try setting only the msDS-AllowedToDelegateTo property using the Set-ADObject command.

Cannot retrieve TGT despite allowtgtsessionkey registry entry

java,windows,single-sign-on,kerberos,jaas

It seems this is a limitation of Windows when it comes to accounts that are also in the local administration group. I read the following here: Known Issues If an AD account is also added into local administrator group on the client PC, Microsoft restricts such client from getting the...

C++ How to use MIT Kerberos with libpq?

c++,postgresql,kerberos,libpq

I don't think you need to change anything in your code. A quick look at psql suggests that all the Kerberos support is handled via libpq, so psql doesn't have to care; the same should be true of your app. If your system is set up for Kerberos auth and...

Configure Kerberos auth for TFS 2013

windows,tfs,kerberos

Kerberos is not a TFS capability but one of Active Directory. If you are able to get a Kerberos token on the TFS accounts with the delegated URL in your SPN, then you only need to switch TFS over. You might find the option in the console but I...

Kerberos on Windows8

security,hadoop,kerberos

Kerberos in Windows can be achieved by the Windows Server OS with Active Directory. In that server we need to create the krb5.ini configuration file and the users who are going to access the service or host. Also we need to map separate principals to the appropriate user. Finally we...

Accesing Hdfs from Spark gives TokenCache error Can't get Master Kerberos principal for use as renewer

authentication,hadoop,kerberos,apache-spark

After creating my own hadoop cluster in order to better understand how hadoop works, I fixed it. You have to provide Spark with a valid .keytab file which has been generated for an account which has at least read access to the hadoop cluster. Also, you have to provide spark...

Installation of Kerberos5-1.12.1

kerberos

Thanks to Rowland Shaw and Michael-O in the comments, I got it working with the instructions here: how to install Lex and Yacc in Ubuntu? The problem is that yacc isn't installed. Install yacc (with apt-get it's sudo apt-get install byacc flex) and it should work....

java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]

hadoop,apache-spark,kerberos,yarn,apache-spark-sql

I have been running Spark 1.2.0 in standalone mode against a Kerberos-enabled CDH5 cluster (Cloudera VM). So the Spark application cannot be run. For more details see the below link from Cloudera: http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_spark_auth.html HTH ... Pls award points if found useful. Thanks...

Authenticate scripts on HDFS using key.tab file

hadoop,apache-spark,hdfs,kerberos,keytab

kinit -kt `whoami`.keytab `whoami`@INTRANET.BARCAPINT.COM
Placing the keytab file in the HDFS user home folder and adding the above at the start of all scripts worked for me....