Issue

User is able to run a workflow on the local machine and through Designer on the Gallery machine, but the following error is thrown when attempting to load the workflow to the gallery or run it through the gallery:
 

SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Internal credentials cache error)

 

Environment Details

 

• Alteryx Server
  • All versions
• Alteryx Designer with Scheduler
  • All versions
• Windows Server OS
• MIT Kerberos with transitive trust with Active Directory
  • Ask your Kerberos admin or IT if you have a transitive trust. You likely have this setup if you see two tickets in the MIT Kerberos ticket manager with one pointing to the MSLSA cache:

 

Cause

Alteryx cannot use the ticket stored in the ticket cache on the server because it cannot access the ticket from the session that the Alteryx service creates to run the Alteryx engine. 

Solution A: Use the API ticket cache

 

The ticket needs to be created in the same session the engine is running in. To do so, use the API cache for the ticket instead of the default ticket location. The API cache holds the credentials in memory for the user rather than writing them to disk. 
See the MIT Kerberos documentation for more detail on the different cache types.

1. You will need a keytab file in order to be able to do this. If you don't have one, work with your Hadoop admin to obtain one.

2. Change the KRB5CCNAME environmental variable to point to the API cache rather than a location on disk:
 

3. Add an event to the workflow to run before the workflow executes to create a ticket.
The command is the kinit command for Kerberos, the command arguments are options for the kinit command.

Command: 
C:\Program Files\MIT\Kerberos\bin\kinit.exe

Command Arguments: 
-c API -k -t <keytab_file> <kerberos principal>

 

• -c is the cache name, in this case, we specify API as the cache.
• -k requests a ticket, obtained from a key in the local host’s keytab.
• -t points to the keytab file.

4. If you want to destroy the ticket after running the workflow, you can add a kdestroy event after the workflow finishes running. 

 

Solution B: Change the Kerberos configuration to use Active Directory Kerberos

 

***NOTE: This option can only be implemented with the Kerberos/Hadoop admin's help and requires an overall change of the Kerberos configuration and infrastructure. This solution is beyond the scope of Alteryx Support to help implement. The solution is provided to strictly aid with potential solution ideas for your organization to implement along with your organization's IT support.

Using Active Directory Kerberos (Kerberos SSPI) means that no ticket needs to be created on the server machine because it uses Active Directory as the KDC and no local KDC is required. When used together with workflow credentials, this provides the most seamless option for using Kerberos authentication to Hadoop clusters on a Gallery install.

Once Kerberos has been configured, make sure that the ODBC DSN is configured correctly and works to connect. There is no need for additional configurations in Alteryx.

Additional Information

 

• SSPI/Kerberos Interoperability with GSSAPI
• MIT Kerberos Site