I am trying to connect to hdfs and hive with Kerberos authentication (with kerberos config and keytab).
If try with knime version 4_3_0 it works, and i’m connect!!.
If i use the same settings version Knime 4_6_0 it returns me ERROR (cancel the server)
Execute failed: Failed on local exception: java.io.IOException:
- javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:*
- No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))];*
- Host Details : local host is: “xxxxxxx”; destination host is: “xxxxxxxxxx”:xxx;*
can you help me?
more information about the Kerberos connection can be found in the debug log. You can enable and view them in the preferences → KNIME → Kerberos. Does this already solve the issue? If not, what Kerberos Server are you using?
I still have the problem.
I looked at the kerberos log in preference with debug mode.
This is the view of the initial login authentication (knime 4_3_0 vs 4_6_0):
This is the appears in the crypto phase where in version 4_6_0 it goes into error (knime 4_3_0 vs 4_6_0) :
available for details,
the Java VM inside KNIME was update between the KNIME versions, and I guess the encryption type is considered weak now. What cluster are you using?
Cloudera has some documentation about the supported types here: Managing Kerberos credentials using Cloudera Manager
I guess in the second image, the working knime_4_3_0 is on the right side and the non-working knime_4_6_0 on the left side? The posted logs are hard to read, and the important things are possible outside the window. Feel free to open a support ticket and provide the logs there, in a more secure way.
Are you using krb.conf inside KNIME, and if yes, do you have any encryption related setting in it?
We are using cdp version 7.4.4.
I read the encryption type on the documentation and it looks like this:
Cloudera Manager allows you to configure the encryption types (or enctype) used by an Active Directory KDC to protect its data. Cloudera supports the following encryption types:
We have this encryption in our krb.conf:
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts rc4-hmac
default_tkt_enctypes = aes256-cts rc4-hmac
permitted_enctypes = aes256-cts rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
so there is encryption .
Yes in second image knime_4_3_0 is on the right .
Thanks for the support
RC4 is considered weak since years and should not be used anymore.
You have to find an encryption that both, Java/KNIME and your Kerberos Server supports. What Kerberos server are you using? MIT, Microsoft Active Directory or some other?
We use kerberos on Active Directory (windows server 2016).
Ok RC4 is deprecated, but aes256-cts?
Anyway I wanted to try to change the jdk on knime to see what happens, but with knime 4.3 I can, with knime 4.6 no? Why this?
Preference knime 4.6
Preference knime 4.3
KNIME requires a recent Java version, old Java versions are not supported anymore and this is a security problem, that’s why you can’t downgrade the Java version.
AES encryption has to b enabled in Active Directory, see here: Decrypting the Selection of Supported Kerberos Encryption Types - Microsoft Community Hub
The Kerberos debug log might have additional information why AES does not work.
Maybe we use both keys for the kerberos connection to hadoop, so I can login but not the hadoop connection.
But I would need to know which version of java uses knime 4_6_0 → jdk, jre and jvm, to understand the problem with the kerberos server.
Can you provide me with this information?
you can find the Java Version in the KNIME AP this way:
- Help → About KNIME Analytics Platform → Installation Details
- Then search JRE in the new Dialog on the Plug-Ins Tab
In the latest Version of KNIME (4.6.3) this is Java 17.0.3.
If you are working in a test setup, adding
allow_weak_crypto = true to your
krb5.conf might be something as a quick workaround (see here). Please note that RC4 is considered weak and a security risk.
I understand the problem of secure encryption.
Also add line allow_weak_crypto = true —> WORKS knime 4_6_0.
Thanks for the explanations and support !!
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.