Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-8303: Kerberos throws GSSException when starting Hadoop application

Authentication Service ,  

7 March,17 at 05:51 PM

Applies to: Centrify DirectControl 5.3.1-398 and below on all supported platforms.

Problem: When using Centrify DirectControl for Kerberos infinite renewal a GSSException is thrown when starting a Hadoop application even though the AD user has a valid TGT.


GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)


Reference link:

As mentioned in the thread, the problem is due to the name-type field not being set in the PA-TGS-REQ, which is a required field for read only domain controller (RODC), without this feild KRB5KRB_AP_ERR_BAD_INTEGRITY will be returned.

After renewing the ticket using "kinit -R", it can be observed in a network trace, KRB5KRB_AP_ERR_BAD_INTEGRITY error is returned when requesting the service ticket.
#14734, TGS-REQ, krbtgt/ -> krbtgt/
#14736, TGS-REP, error-code: eRR-BAD-INTEGRITY (31)

This is fixed with Centrify DirectControl 5.3.1-411 and above.

Centrify Corporation does not take any responsibility for the content or availability of this link and it was provided as a courtesy.  Customers should contact the vendor if there are any further questions”.