Hive Connector, Principal Name, Kerberos, Connection to Database failed, Authentication

My co-worker and I both downloaded Knime Big Data Connectors. We are using the Hive Connector to connect to our Hive Database. It works for me, but it does not work for my colleague. The error message my colleague is getting is "Execute failed: Could not create connection to database: Unable to obtain Principal Name for authentication".

We have compared our notes, installations, folders, Kerberos tickets, Hive permissions, Java installation, Knime projects, etc. We think we're doing exactly the same thing. I'm looking for ideas on how to solve this problem.

Hi,

Are you using the Kerberos ticket from your Active Directory, e.g. your Windows login? If that is the case, you might need to change a registry key to allow Java to access your Windows-native MSLSA ticket cache.

For Windows XP and Windows 2000, the registry key and value should be:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
  • Value Name: allowtgtsessionkey
  • Value Type: REG_DWORD Value: 0x01

For Windows 2003 and Windows Vista, the registry key and value should be:

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  • Value Name: allowtgtsessionkey
  • Value Type: REG_DWORD Value: 0x01

Please note that changing this registry key is somewhat controversial and IT operations may object to this, as it opens a potential security vulnerability. In this case you will need to use the MIT Kerberos client to obtain a ticket and store it in a file-based cache. Also, if an AD account is added to the local administrator group on the client PC, Microsoft restricts such a client from getting the session key for tickets (even if you set the allowtgtsessionkey registry key to 1). The workaround is to remove the account from the local admin group.

To get more information about the potential problem, you can enable Kerberos debugging. Attached you can find a workflow that, once you execute the Java Edit Variable, enables Kerberos debugging and redirects its output to the standard KNIME log file as warning messages.

Bye

Tobias

enablekerberosdebugging_0.knwf

Tobias,

Thanks for your help. Both my co-worker and I were using the MIT Kerberos client. The reason things worked for me was because I had copied the krb5.ini file to the c:\windows folder. Doing that on his machine made things work. Your enablekerberosdebugging_0.knwf is extremely valuable. I'm also referencing the article here where the solution is shown: https://tech.knime.org/forum/big-data-extensions/odd-kerberos-problem

Carlos -
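The settings compared in this thread can be checked side by side on two machines with the read-only PowerShell script below. It is an added example, not part of the original posts or of KNIME. It assumes the `-JavaHome` parameter points at the JRE that KNIME actually runs on, and that the `java.security.krb5.conf` system property, which takes precedence over these files and cannot be seen from here, is not set.

```powershell
# Added example: read-only comparison of the Kerberos settings discussed in this thread.
param(
    # Assumption: the JRE KNIME runs on; pass it explicitly if JAVA_HOME is a different JRE.
    [string]$JavaHome = $env:JAVA_HOME
)

function Get-Krb5ConfigStatus {
    param([string]$JavaHome)
    # Files Java's Kerberos implementation falls back to on Windows, in lookup order.
    $candidates = @()
    if ($JavaHome) { $candidates += Join-Path $JavaHome 'lib\security\krb5.conf' }
    $candidates += Join-Path $env:WINDIR 'krb5.ini'
    foreach ($path in $candidates) {
        $state = if (Test-Path -LiteralPath $path) { 'found' } else { 'missing' }
        [pscustomobject]@{ Check = 'krb5 config'; Item = $path; Result = $state }
    }
}

function Get-AllowTgtSessionKeyStatus {
    # Both registry locations named in the thread; the value is only read, never written.
    $keys = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos',
            'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    foreach ($key in $keys) {
        $prop  = Get-ItemProperty -Path $key -Name allowtgtsessionkey -ErrorAction SilentlyContinue
        $state = if ($null -eq $prop) { 'not set' } else { '0x{0:x2}' -f $prop.allowtgtsessionkey }
        [pscustomobject]@{ Check = 'allowtgtsessionkey'; Item = $key; Result = $state }
    }
}

function Get-TicketCacheStatus {
    # KRB5CCNAME names the file-based cache used with the MIT Kerberos client.
    $cache = $env:KRB5CCNAME
    if (-not $cache) {
        return [pscustomobject]@{ Check = 'ticket cache'; Item = 'KRB5CCNAME'; Result = 'not set' }
    }
    $file  = $cache -replace '^FILE:', ''
    $state = if (Test-Path -LiteralPath $file) { 'found' } else { 'missing' }
    [pscustomobject]@{ Check = 'ticket cache'; Item = $cache; Result = $state }
}

# Run all checks and print one table that two users can compare line by line.
@(Get-Krb5ConfigStatus -JavaHome $JavaHome) +
    @(Get-AllowTgtSessionKeyStatus) +
    @(Get-TicketCacheStatus) | Format-Table -AutoSize -Wrap
```

A `missing` result for every `krb5 config` row on one machine and a `found` row on the other matches the difference described in the post above.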

Hi Carlos,

I'm happy that it solved your problem and thanks for the feedback.

Bye

Tobias