ALTERYX INSPIRE | Join us this May for for a multi-day virtual analytics + data science experience like no other! Register Now
The Alteryx Community will be temporarily unavailable for a few hours due to scheduled maintenance starting on Thursday, April 22nd at 5pm MST. Please plan accordingly.

Alteryx Server Knowledge Base

Definitive answers from Server experts.

Error when running workflow in Gallery: generic failure: GSSAPI Error: Unspecified GSS failure (Credentials Cache Error)

HenrietteH
Alteryx
Alteryx
Created

Environment Details


User is able to run a workflow on the local machine and through Designer on the Gallery machine, but the following error is thrown when attempting to load the workflow to the gallery or run it through the gallery:
 
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Internal credentials cache error)
 
  • Alteryx Server
    • All versions
  • Alteryx Designer with Scheduler
    • All versions
  • Windows Server OS
  • MIT Kerberos with transitive trust with Active Directory
    • Ask your Kerberos admin or IT if you have a transitive trust. You likely have this setup if you see two tickets in the MIT Kerberos ticket manager with one pointing to the MSLSA cache:


Cause


Alteryx cannot use the ticket stored in the ticket cache on the server because it cannot access the ticket from the session that the Alteryx service creates to run the Alteryx engine. 



Resolution


Solution A: Use the API ticket cache

 

The ticket needs to be created in the same session the engine is running in. To do so, use the API cache for the ticket instead of the default ticket location. The API cache holds the credentials in memory for the user rather than writing them to disk. 
See the MIT Kerberos documentation for more detail on the different cache types.

1. You will need a keytab file in order to be able to do this. If you don't have one, work with your Hadoop admin to obtain one.

2. Change the KRB5CCNAME environmental variable to point to the API cache rather than a location on disk:
 




3. Add an event to the workflow to run before the workflow executes to create a ticket.
The command is the kinit command for Kerberos, the command arguments are options for the kinit command.
Command: 
C:\Program Files\MIT\Kerberos\bin\kinit.exe

Command Arguments: 
-c API -k -t <keytab_file> <kerberos principal>
 
  • -c is the cache name, in this case, we specify API as the cache.
  • -k requests a ticket, obtained from a key in the local host’s keytab.
  • -t points to the keytab file.




4. If you want to destroy the ticket after running the workflow, you can add a kdestroy event after the workflow finishes running. 

 

Solution B: Change the Kerberos configuration to use Active Directory Kerberos

 

***NOTE: This option can only be implemented with the Kerberos/Hadoop admin's help and requires an overall change of the Kerberos configuration. 

Using Active Directory Kerberos (Kerberos SSPI) means that no ticket needs to be created on the server machine because it uses Active Directory as the KDC and no local KDC is required. When used together with workflow credentials, this provides the most seamless option for using Kerberos authentication to Hadoop clusters on a Gallery install.

Once Kerberos has been configured, make sure that the ODBC DSN is configured correctly and works to connect. There is no need for additional configurations in Alteryx.

Don't hesitate to contact support@alteryx.com with any questions and if help is required to step through the resolution.