Environment Details
User is able to run a workflow on the local machine and through Designer on the Gallery machine, but the following error is thrown when attempting to load the workflow to the gallery or run it through the gallery:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Internal credentials cache error)
- Alteryx Server
- Alteryx Designer with Scheduler
- Windows Server OS
- MIT Kerberos with transitive trust with Active Directory
- Ask your Kerberos admin or IT if you have a transitive trust. You likely have this setup if you see two tickets in the MIT Kerberos ticket manager with one pointing to the MSLSA cache:
Cause
Alteryx cannot use the ticket stored in the ticket cache on the server because it cannot access the ticket from the session that the Alteryx service creates to run the Alteryx engine.
Resolution
Solution A: Use the API ticket cache
The ticket needs to be created in the same session the engine is running in. To do so, use the API cache for the ticket instead of the default ticket location. The API cache holds the credentials in memory for the user rather than writing them to disk.
See the MIT Kerberos documentation for more detail on the different cache types.
1. You will need a keytab file in order to be able to do this. If you don't have one, work with your Hadoop admin to obtain one.
2. Change the KRB5CCNAME environmental variable to point to the API cache rather than a location on disk:

3. Add an event to the workflow to run before the workflow executes to create a ticket.
The command is the
kinit command for Kerberos, the command arguments are options for the kinit command.
Command:
C:\Program Files\MIT\Kerberos\bin\kinit.exe
Command Arguments:
-c API -k -t <keytab_file> <kerberos principal>
- -c is the cache name, in this case, we specify API as the cache.
- -k requests a ticket, obtained from a key in the local host’s keytab.
- -t points to the keytab file.

4. If you want to destroy the ticket after running the workflow, you can add a
kdestroy event after the workflow finishes running.
Solution B: Change the Kerberos configuration to use Active Directory Kerberos
***NOTE: This option can only be implemented with the Kerberos/Hadoop admin's help and requires an overall change of the Kerberos configuration.
Using Active Directory Kerberos (Kerberos SSPI) means that no ticket needs to be created on the server machine because it uses Active Directory as the KDC and no local KDC is required. When used together with workflow credentials, this provides the most seamless option for using Kerberos authentication to Hadoop clusters on a Gallery install.
Once Kerberos has been configured, make sure that the ODBC DSN is configured correctly and works to connect. There is no need for additional configurations in Alteryx.
Don't hesitate to contact support@alteryx.com with any questions and if help is required to step through the resolution.