Configuring Authentication with Kerberos
Also available as:
loading table of contents...

Enable Browser Access to a SPNEGO-enabled Web UI

How to enable browser access to a SPNEGO-enabled web UI.

  1. Install Kerberos on your local machine (search for instructions on how to install a Kerberos client on your local environment).
  2. Configure the krb5.conf file on your local machine. For testing on a HDP cluster, copy the /etc/krb5.conf file from one of the cluster hosts to your local machine at /etc/krb5.conf. Create your own keytabs and run kinit. For testing on a HDP cluster, copy the "ambari_qa" keytab file from /etc/security/keytabs/smokeuser.headless.keytab on one of the cluster hosts to your local machine, then run the following command:
    kinit -kt smokeuser.headless.keytab ambari-qa@EXAMPLE.COM
  3. Enable your web browser with Kerberos SPNEGO:
    1. For Chrome on Mac:
      1. Run the following command from the same shell in which you ran the previous kinit command to launch Chrome:
        /Applications/Google\\ Chrome --auth-server-whitelist="*"

        Replace with your own domain name.

      2. If you get the following error, try closing and relaunching all Chrome browser windows.
        [14617:36099:0810/] Failed to launch GPU process.
    2. For Firefox:
      1. Navigate to the about:config URL (type about:config in the address box, then press the Enter key).
      2. Scroll down to network.negotiate-auth.trusted-uris and change its value to your cluster domain name (For example,
      3. Change the value of network.negotiate-auth.delegation-uris to your cluster domain name (For example,