A user can run a workflow on the local machine and through Designer on the Gallery machine, but the following error is thrown when attempting to load the workflow to the Gallery or run it through the Gallery:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Internal credentials cache error)
Alteryx Designer with Scheduler
Windows Server OS
MIT Kerberos with transitive trust with Active Directory
Ask your Kerberos admin or IT if you have a transitive trust. You likely have this set up if you see two tickets in the MIT Kerberos ticket manager, with one pointing to the MSLSA cache.
Alteryx cannot use the ticket stored in the ticket cache on the server because it cannot access the ticket from the session that the Alteryx service creates to run the Alteryx engine.
Solution A: Use the API ticket cache
The ticket needs to be created in the same session the engine is running in. To do so, use the API cache for the ticket instead of the default ticket location. The API cache holds the credentials in memory for the user rather than writing them to disk. See the MIT Kerberos documentation for more detail on the different cache types.
1. You will need a keytab file to do this. If you don't have one, work with your Hadoop admin to obtain one.
2. Change the KRB5CCNAME environmental variable to point to the API cache rather than a location on disk:
3. Add an event to the workflow that runs before the workflow executes and creates a ticket. The command is the Kerberos kinit command, and the command arguments are options for kinit:
-c is the cache name; in this case, we specify API as the cache.
-k requests a ticket, obtained from a key in the local host’s keytab.
-t points to the keytab file.
4. If you want to destroy the ticket after running the workflow, you can add a kdestroy event after the workflow finishes running.
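Steps 1 to 3 as a single pre-run event script. This is an added example, not Alteryx's own code; the keytab path, principal and MIT Kerberos install directory are placeholders, and the check on KRB5CCNAME assumes MIT's TYPE:residual cache naming. It also refuses to run if the keytab, which is a long-term credential, is readable by broad groups:

```powershell
# Added example: pre-run event wrapper for steps 1-3 (not Alteryx's own script).
# The keytab path, principal and install directory are placeholders (assumptions).
param(
    [string]$Keytab    = 'C:\ProgramData\Alteryx\keytabs\svc_alteryx.keytab',
    [string]$Principal = 'svc_alteryx@EXAMPLE.COM',
    [string]$KrbBin    = 'C:\Program Files\MIT\Kerberos\bin'
)
$ErrorActionPreference = 'Stop'

# Step 2 check: the session running the engine must already see an API cache.
# Assumes MIT's TYPE:residual cache naming, so the value starts with "API:".
$cache = $env:KRB5CCNAME
if ($cache -notlike 'API:*') {
    throw "KRB5CCNAME is '$cache' in this session; expected an API: cache"
}

# A keytab is a long-term credential: stop if broad groups can read it.
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$broad    = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
$sidType  = [System.Security.Principal.SecurityIdentifier]
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$loose = @((Get-Acl -LiteralPath $Keytab).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag($readData) -and
    $broad -contains $_.IdentityReference.Translate($sidType).Value
})
if ($loose.Count -gt 0) {
    $who = ($loose | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    throw "Keytab '$Keytab' is readable by: $who"
}

# Full paths avoid picking up Windows' own klist.exe or a Java kinit from PATH.
# Options as listed in the article: -c cache, -k use a keytab key, -t keytab file.
& (Join-Path $KrbBin 'kinit.exe') -c $cache -k -t $Keytab $Principal
if ($LASTEXITCODE -ne 0) { throw "kinit failed with exit code $LASTEXITCODE" }

# klist -s prints nothing and exits non-zero if the cache is unreadable or expired.
& (Join-Path $KrbBin 'klist.exe') -s $cache
if ($LASTEXITCODE -ne 0) { throw "No valid ticket in cache '$cache'" }
```

A matching post-run event for step 4 can call kdestroy with the same -c cache name.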
Solution B: Change the Kerberos configuration to use Active Directory Kerberos
NOTE: This option can only be implemented with the Kerberos/Hadoop admin's help and requires an overall change of the Kerberos configuration and infrastructure. Implementing this solution is beyond the scope of Alteryx Support. It is provided strictly as a potential solution idea for your organization to implement together with its IT support.
Using Active Directory Kerberos (Kerberos SSPI) means that no ticket needs to be created on the server machine because it uses Active Directory as the KDC and no local KDC is required. When used together with workflow credentials, this provides the most seamless option for using Kerberos authentication to Hadoop clusters on a Gallery install.
Once Kerberos has been configured, make sure that the ODBC DSN is configured correctly and works to connect. There is no need for additional configurations in Alteryx.