I'm working on transitioning a NiFi instance we deploy with Kerberos and
I'm having some trouble authenticating. Everything looks correct, but when
I try to log in with any of my created users, I get an error message:
"The supplied username and password are not valid."
Everything on NiFi without HTTPS was working, and everything I've created
on the Kerberos side looks and works as expected; I just haven't been able
to get a user to log in to the NiFi UI.
Here are some of my config files. Is there anything I'm missing or have
incorrect?
---------------------------
Authorizers.xml:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authorizers>
    <userGroupProvider>
        <identifier>file-user-group-provider</identifier>
        <class>org.apache.nifi.authorization.FileUserGroupProvider</class>
        <property name="Users File">./conf/users.xml</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Initial User Identity 1"></property>
    </userGroupProvider>
    <accessPolicyProvider>
        <identifier>file-access-policy-provider</identifier>
        <class>org.apache.nifi.authorization.FileAccessPolicyProvider</class>
        <property name="User Group Provider">file-user-group-provider</property>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Initial Admin Identity">[email protected]</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
        <property name="Node Group"></property>
    </accessPolicyProvider>
    <authorizer>
        <identifier>managed-authorizer</identifier>
        <class>org.apache.nifi.authorization.StandardManagedAuthorizer</class>
        <property name="Access Policy Provider">file-access-policy-provider</property>
    </authorizer>
    <authorizer>
        <identifier>file-provider</identifier>
        <class>org.apache.nifi.authorization.FileAuthorizer</class>
        <property name="Authorizations File">./conf/authorizations.xml</property>
        <property name="Users File">./conf/users.xml</property>
        <property name="Initial Admin Identity">[email protected]</property>
        <property name="Legacy Authorized Users File"></property>
        <property name="Node Identity 1"></property>
    </authorizer>
</authorizers>
-------------------------------------
Relevant nifi.properties:
nifi.security.user.authorizer=file-provider
nifi.security.user.login.identity.provider=kerberos-provider
# kerberos #
nifi.kerberos.krb5.file= /etc/krb5.conf
[email protected]
nifi.kerberos.service.keytab.location=/etc/kadm5.keytab
-------------------------------------
login-identity-providers.xml:
<loginIdentityProviders>
    <provider>
        <identifier>kerberos-provider</identifier>
        <class>org.apache.nifi.kerberos.KerberosProvider</class>
        <property name="Default Realm">MY.REALM</property>
        <property name="Authentication Expiration">12 hours</property>
    </provider>
</loginIdentityProviders>
---------------------------------------
/etc/krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_realm = MY.REALM

[realms]
 RO.INTERNAL = {
  kdc = nifi-djr5.ro.internal:88
  admin_server = nifi-djr5.my.realm:749
  default_domain = my.realm
 }

[domain_realm]
 .my.realm = MY.REALM
 my.realm = MY.REALM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
-------------------------------------------
Any help would be greatly appreciated!
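One thing worth checking in a configuration like the one above is whether every realm the krb5.conf refers to (default_realm and the [domain_realm] targets) actually has a [realms] stanza; in the posted file the stanza is for RO.INTERNAL while the other sections name MY.REALM. The following check is an added example, not code from the post or from NiFi; it embeds the post's krb5.conf sections as a constructed sample and assumes the standard MIT-style "KEY = {" stanza syntax.

```python
"""Check a krb5.conf for realms that are referenced but never defined."""
import re
from typing import Dict, List

# Constructed sample: the [libdefaults]/[realms]/[domain_realm] sections
# from the krb5.conf posted above.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = MY.REALM
[realms]
 RO.INTERNAL = {
  kdc = nifi-djr5.ro.internal:88
  admin_server = nifi-djr5.my.realm:749
 }
[domain_realm]
 .my.realm = MY.REALM
 my.realm = MY.REALM
"""

def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser: top-level 'key = value' pairs per section, plus the
    names of brace-delimited stanzas such as 'REALM = {' under [realms]."""
    sections: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is None:
            continue
        elif line.endswith("{"):              # start of a nested stanza
            if depth == 0:
                sections[current][line.rstrip("{").strip(" =")] = "{"
            depth += 1
        elif line == "}":                     # end of a nested stanza
            depth -= 1
        elif depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def undefined_realms(text: str) -> List[str]:
    """Realms named by default_realm or [domain_realm] with no [realms]
    stanza; libkrb5 then has no configured KDC and must rely on DNS SRV
    lookup, which is worth ruling out when logins fail."""
    conf = parse_krb5_conf(text)
    defined = set(conf.get("realms", {}))
    referenced = set(conf.get("domain_realm", {}).values())
    referenced.add(conf.get("libdefaults", {}).get("default_realm", ""))
    return sorted(r for r in referenced - defined if r)
```

Running `undefined_realms(SAMPLE_KRB5_CONF)` on the posted file reports MY.REALM as referenced but never defined; run it against the live /etc/krb5.conf to confirm whether the same applies there.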