Enable Browser Access to a SPNEGO-enabled Web UI
How to enable browser access to a SPNEGO-enabled web UI.
- Install Kerberos on your local machine (search for instructions on how to install a Kerberos client on your local environment).
- Configure the krb5.conf file on your local machine. For testing on a HDP cluster, copy the /etc/krb5.conf file from one of the cluster hosts to your local machine at /etc/krb5.conf. Create your own keytabs and run kinit. For testing on a HDP cluster, copy the "ambari_qa" keytab file from /etc/security/keytabs/smokeuser.headless.keytab on one of the cluster hosts to your local machine, then run the following command:

      kinit -kt smokeuser.headless.keytab ambari-qa@EXAMPLE.COM

- Enable your web browser with Kerberos SPNEGO:
  - For Chrome on Mac:
    - Run the following command from the same shell in which you ran the previous kinit command to launch Chrome:

          /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="*.hwx.site"

      Replace .hwx.site with your own domain name.
    - If you get the following error, try closing and relaunching all Chrome browser windows.

          [14617:36099:0810/152439.802775:ERROR:browser_gpu_channel_host_factory.cc(103)] Failed to launch GPU process.

  - For Firefox:
    - Navigate to the about:config URL (type about:config in the address box, then press the Enter key).
    - Scroll down to network.negotiate-auth.trusted-uris and change its value to your cluster domain name (for example, .hwx.site).
    - Change the value of network.negotiate-auth.delegation-uris to your cluster domain name (for example, .hwx.site).
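The browser settings above decide which hosts receive SPNEGO tokens and, for delegation-uris, which hosts receive delegated credentials, so the domain pattern should be no wider than the cluster domain. The following pre-flight script is an added example, not part of the original page: the function names and the "at least two labels" rule are assumptions, `klist -s` is the standard silent ticket check, and the `user_pref` lines use Firefox's user.js syntax for the two preferences named above.

```shell
#!/bin/sh
# Added example: derive the Chrome flag and Firefox prefs from one checked
# cluster domain. Function names are hypothetical, not from the page.

# Normalize ".hwx.site" / "*.hwx.site" / "HWX.SITE" to "hwx.site".
# Rejects empty input, embedded wildcards and single-label (TLD-wide) domains.
spnego_domain() {
  _d=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  _d="${_d#\*}"   # drop one leading "*"
  _d="${_d#.}"    # drop one leading "."
  case "$_d" in
    ''|*[!a-z0-9.-]*|.*|*.|*..*)
      echo "refusing malformed or over-broad domain: '$1'" >&2; return 1 ;;
    *.*) printf '%s\n' "$_d" ;;
    *) echo "refusing single-label domain: '$1'" >&2; return 1 ;;
  esac
}

# Flag for the Chrome launch command shown in the steps above.
chrome_flag() {
  _c=$(spnego_domain "$1") || return 1
  printf '%s*.%s\n' '--auth-server-whitelist=' "$_c"
}

# user.js lines equivalent to the two about:config edits.
firefox_prefs() {
  _f=$(spnego_domain "$1") || return 1
  printf 'user_pref("network.negotiate-auth.trusted-uris", ".%s");\n' "$_f"
  printf 'user_pref("network.negotiate-auth.delegation-uris", ".%s");\n' "$_f"
}

# Usage: sh spnego-preflight.sh .hwx.site   (run after kinit)
if [ -n "${1:-}" ]; then
  # klist -s exits non-zero when the cache holds no valid ticket.
  klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; exit 1; }
  chrome_flag "$1" && firefox_prefs "$1"
fi
```

Run it from the same shell as kinit; a rejected pattern such as `*` or `.com` means the setting would have applied to hosts outside the cluster.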

