Creating Service Principals for Kerberos Ticket Generation in Windows

To create the service principals for Kerberos ticket generation, create one account per principal in Active Directory, enable AES on it, and then export its key to a keytab with ktpass:

  1. Create a service principal account for HDFS in the Windows Active Directory domain controller:

    1. Click Active Directory Users and Computers > domain name (example: intelligence.lab) > right-click Users > New > User.

    2. In New Object - User, specify your first, last, and full name.

    3. Specify User logon name as hdfs/<DATANODE_HOST> and click Next.
    4. Specify and confirm your password. Ensure that you select Password Never Expires and click Next.
    5. Click Active Directory Users and Computers > domain name (example: intelligence.lab) > Users > right-click the user created in the previous steps > Properties.
    6. Click Account, and under Account Options, select all of the following:

      • This account supports Kerberos AES 128 bit encryption.

      • This account supports Kerberos AES 256 bit encryption.

      • Do not require Kerberos preauthentication. (With preauthentication disabled, anyone who can reach the KDC can request an AS-REP encrypted under this account's long-term key and attempt to crack the password offline, so use a long, random password for the account.)

    7. Click Apply and then click OK.
  2. Create a service principal account for HTTP in the Windows Active Directory domain controller:

    1. Click Active Directory Users and Computers > domain name (example: intelligence.lab) > right-click Users > New > User.

    2. In New Object - User, specify your first, last, and full name.

    3. Specify User logon name as http/<DATANODE_HOST> and click Next.
    4. Specify and confirm your password. Ensure that you select Password Never Expires and click Next.
    5. Click Active Directory Users and Computers > domain name (example: intelligence.lab) > Users > right-click the user created in the previous steps > Properties.
    6. Click Account, and under Account Options, select all of the following:

      • This account supports Kerberos AES 128 bit encryption.

      • This account supports Kerberos AES 256 bit encryption.

      • Do not require Kerberos preauthentication.

    7. Click Apply and then click OK.
  3. Repeat steps 1 and 2 for all the worker nodes where HDFS datanodes are active.
  4. For the service principal account created for HDFS, generate the keytab by running the following command in a Windows command prompt on the domain controller, as a domain administrator:

    ktpass /out hdfs_<DATANODE_HOST>.keytab /princ hdfs/<DATANODE_HOST>@<Domain name of domain controller> /mapuser <DATANODE_HOST without domain name>@<Domain name of domain controller> /pass <password> /crypto all /ptype KRB5_NT_PRINCIPAL

    The /mapuser value is the logon name of the account created in step 1. ktpass sets that account's password to <password> (so run it once per account and keep the keytab in sync), and /crypto all writes a key for every encryption type the account supports, including RC4-HMAC; use /crypto AES256-SHA1 to restrict the keytab to AES.
  5. For the service principal account created for HTTP, generate the keytab by running the following command in the same way:

    ktpass /out http_<DATANODE_HOST>.keytab /princ http/<DATANODE_HOST>@<Domain name of domain controller> /mapuser <DATANODE_HOST without domain name>@<Domain name of domain controller> /pass <password> /crypto all /ptype KRB5_NT_PRINCIPAL
  6. Repeat steps 4 and 5 for all the worker nodes where HDFS datanodes are active.
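The whole procedure above, scripted for several DataNodes, as an added example that is not part of the original page. It creates the hdfs/ and http/ accounts with the same account options the ADUC steps select, then exports one keytab per principal with ktpass and reads back what the KDC will see. It assumes the ActiveDirectory RSAT module is available, that it runs as a domain administrator on a machine that can reach the domain controller, that the realm is INTELLIGENCE.LAB (the page's example domain), and that the DataNode names and the logon names hdfs-<host> and http-<host> are this example's own choices (a sAMAccountName cannot contain a slash, so the principal name itself is used only as the UPN, which is what ktpass /mapuser sets anyway).

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the page's own procedure. Creates hdfs/ and http/ service
# accounts per DataNode, applies the three Account Options checkboxes, and
# exports one keytab per principal with ktpass.
param(
    [string[]]$DataNodes = @('datanode1', 'datanode2'),  # constructed sample hosts
    [string]$DnsDomain   = 'intelligence.lab',            # page's example domain
    [string]$Crypto      = 'AES256-SHA1',                 # page uses 'all', which also emits RC4-HMAC keys
    [string]$OutDir      = 'C:\keytabs'                   # assumed output location
)

$Realm = $DnsDomain.ToUpperInvariant()
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded. Preauthentication is turned
    # off below, so an AS-REP for the account can be captured and cracked
    # offline; a long random password is the only thing that makes that futile.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

foreach ($node in $DataNodes) {
    $fqdn = "$node.$DnsDomain"
    foreach ($svc in 'hdfs', 'http') {
        $sam   = "$svc-$node"             # logon name; '/' is not allowed here
        $princ = "$svc/$fqdn@$Realm"      # e.g. hdfs/datanode1.intelligence.lab@INTELLIGENCE.LAB
        $plain = New-RandomPassword
        $secure = ConvertTo-SecureString $plain -AsPlainText -Force

        # Steps 1-4 of the procedure: the account, "Password Never Expires",
        # and the two "supports Kerberos AES ..." checkboxes.
        New-ADUser -Name $sam -SamAccountName $sam `
            -UserPrincipalName $princ `
            -AccountPassword $secure -Enabled $true `
            -PasswordNeverExpires $true `
            -KerberosEncryptionType AES128, AES256

        # "Do not require Kerberos preauthentication" checkbox (see the
        # AS-REP caveat in New-RandomPassword).
        Set-ADAccountControl -Identity $sam -DoesNotRequirePreAuth $true

        # Steps 4/5: ktpass maps the principal onto the account (UPN and SPN),
        # RESETS the account password to /pass, and writes the key to the keytab.
        # The password is passed on the command line here; ktpass also accepts
        # "/pass *" to prompt interactively when this is run by hand.
        $keytab = Join-Path $OutDir "${svc}_$node.keytab"
        & ktpass.exe /out $keytab /princ $princ /mapuser "$sam@$Realm" `
            /pass $plain /crypto $Crypto /ptype KRB5_NT_PRINCIPAL
        if ($LASTEXITCODE -ne 0) { throw "ktpass failed for $princ" }
    }
}

# Read back what was actually set: UPN/SPN from ktpass, the AES flags from
# msDS-SupportedEncryptionTypes (0x18 = AES128 + AES256), and the preauth flag.
Get-ADUser -Filter 'SamAccountName -like "hdfs-*" -or SamAccountName -like "http-*"' `
    -Properties UserPrincipalName, ServicePrincipalName, 'msDS-SupportedEncryptionTypes', DoesNotRequirePreAuth |
    Select-Object SamAccountName, UserPrincipalName, ServicePrincipalName,
        @{ n = 'EncTypes'; e = { '0x{0:X}' -f $_.'msDS-SupportedEncryptionTypes' } },
        DoesNotRequirePreAuth |
    Format-Table -AutoSize
```

Copy each keytab to its DataNode over an authenticated channel and restrict it to the HDFS service user; on the Linux side, `klist -kte <file>` lists the principal, kvno and encryption type in the keytab, which should match the account's current kvno and the AES types shown by the final Get-ADUser query. Re-running ktpass with /pass for an account changes its password and kvno, so every earlier keytab for that account stops working.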