Thanks to Shakti. It works now. Since the web application uses the underlying mechanism to get the credentials, after adding the "-Djavax.security.auth.useSubjectCredsOnly=false", we are now able to connec to metastore now.
On Fri, Jul 28, 2017 at 10:37 AM, shakti singh Shekhawat < shaktisingh.shekhawa...@gmail.com> wrote: > Hi Wenxing, > > Can you please refer the below Oracle link which has solution for all > common Kerberos authentication issues and it helped us solve our issue: > http://docs.oracle.com/javase/7/docs/technotes/guides/ > security/jgss/tutorials/Troubleshooting.html > > The issue you mentioned *GSSException: No valid credentials provided > (Mechanism level: Failed to find any Kerberos Ticket)* also can be found > on this link. > > If the above does not help, please refer the below steps which were taken > by my team to setup/install a similar JAVA based app on a Kerberized > cluster. > > Assumptions > ----------- > 1)You have access to the KDC to create a principal and export its keytab. > 2)You know the Kerberos principal name for Hive's service account to > connect via JDBC/Beeline. > Setting Up > ---------- > 1)Enter kadmin prompt to create/add a principal for your web-app and > export the keytab file > 2)Verify the keytab file was created > 3)Copy this keytab to the edge node from where you ran the shell script. > 4)Set appropriate ownership and permissions to your folder > > On Edge Node > -------------------- > 1)Ensure kerberos and kstart packages are installed and if not then please > install them > 2)Obtain a renewable kerberos ticket for your web-app. > 3)Using the keytab created and copied over from the KDC server earlier > k5start will manage both kinit and krenew for this principal to ensure > web-app account had a valid, un-expired ticket > 4)Make sure to use the absolute path for the keytab file to avoid renewal > errors past the configured "maxrenewlife" time. > 5)Check output of klist command to verify your web-app has a valid ticket > 6)Ensure k5start daemon is running > From here on, Kerberos is transparent to your web-app. > Accessing Hive CLI / Beeline on a secure cluster > ------------------------------------------------ > 1)On a secure cluster, the JDBC connection URL needs an extra argument to > connect to the HiveServer. Hive’s service principal (not the end-user’s > principal) needs to go in the URL. As usual, the end user i.e. your web-app > also needs a valid ticket > 2)HIVE_CONNECTION_URL, wherever used in your web-app should also have this > principal included in it. > > Please let me know if the above helps. > > Thanks, > Shakti > > On Thu, Jul 27, 2017 at 10:30 AM, wenxing zheng <wenxing.zh...@gmail.com> > wrote: > >> adding more information. >> >> hive.metastore.HiveMetaStoreClientTest is doing the same thing as the >> codes above. and the SHELL script works after we got the ticket with the >> kinit >> >> #!/usr/bin/env bash >>> >>> export HIVE_LIBS_DIR=lib/ >>> export JAVA_OPTS='-Xdebug -Xrunjdwp:transport=dt_socket, >>> server=y,suspend=n,address=5005' >>> >>> >>> export CLASSPATH=.:./hive-0.0.1-SNAPSHOT.jar:./conf/:$HADOOP_HOME/ >>> etc/hadoop/ >>> for i in ${HIVE_LIBS_DIR}/*.jar ; do >>> CLASSPATH=$CLASSPATH:$i >>> done >>> java $JAVA_OPTS -cp $CLASSPATH hive.metastore.HiveMetaStoreClientTest >> >> >> >> On Thu, Jul 27, 2017 at 10:25 PM, wenxing zheng <wenxing.zh...@gmail.com> >> wrote: >> >>> Hello Shakti >>> >>> The configurations mentioned in the link above are all OK and we are >>> able to connect to Hive from Kylin and Hive CLI. Even we are able to >>> connect to meta store in a JAR package but run with classpath setting with >>> HIVE_CONF_DIR. >>> >>> In our web applications, what we are doing is like the codes below: >>> >>> HiveConf conf=new HiveConf(); >>>> File f=new File(ConfUtil.getHiveConfDir()+File.separator+"hive-site.xml >>>> "); >>>> if(f.exists()){ >>>> conf.addResource(f.toURI().toURL()); >>>> } >>>> else{log.error(f.toString()+"nonexist.");} >>>> try{ >>>> client=new HiveMetaStoreClient(conf); >>>> } >>>> catch(Exception e){log.error("HiveMetaStoreClient exeception: >>>> "+e.getMessage());e.printStackTrace();} >>> >>> >>> Note: our web application deployed as a WAR package under the Jetty >>> webapps. >>> >>> Thanks again, >>> Wenxing >>> >>> >>> On Thu, Jul 27, 2017 at 8:58 PM, shakti singh Shekhawat < >>> shaktisingh.shekhawa...@gmail.com> wrote: >>> >>>> Hi Wenxing, >>>> >>>> Some of the changes I can see in hive-site.xml in Kerberized cluster as >>>> compared to our non-kerberized one is: >>>> hive.metastore.*sasl.enabled* --> >>>> *<value>true</value> --This property is false in non-kerberized >>>> cluster* >>>> hive.server2.authentication --> <value>KERBEROS</value> >>>> >>>> Adding the below links(please refer as per your distribution) for your >>>> reference for all the properties that are needed to be set in >>>> hive-site.xml: >>>> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_ >>>> security/content/kerb-config-hive-site.html >>>> https://www.cloudera.com/documentation/enterprise/5-2-x/topi >>>> cs/cdh_sg_hive_metastore_security.html >>>> >>>> The error you pasted above also points to SASL issue: >>>> 2017-07-27 10:29:16,873 ERROR >>>> *org.apache.thrift.transport.**TSaslTransport:SASL >>>> negotiation failur*e >>>> javax.security.sasl.SaslException: GSS initiate failed [Caused by >>>> GSSException: No valid credentials provided >>>> >>>> Please let me know if the above helps in debugging the issue. Also, >>>> please let us know in case you are able to connect to Hive from an edge >>>> node or through other tools. >>>> >>>> Thanks, >>>> Shakti >>>> >>>> >>>> On Thu, Jul 27, 2017 at 2:04 AM, wenxing zheng <wenxing.zh...@gmail.com >>>> > wrote: >>>> >>>>> In my web application, I am using the HiveMetaStoreClient setting with >>>>> kerberized hive-site.xml. >>>>> >>>>> Any preconditions to met for the HiveMetaStoreClient to work correctly? >>>>> >>>>> On Thu, Jul 27, 2017 at 2:02 PM, wenxing zheng < >>>>> wenxing.zh...@gmail.com> wrote: >>>>> >>>>>> still didn't determine the root cause. And happened to find a JIRA >>>>>> related with my issue: https://issues.cloudera.org/browse/DISTRO-610. >>>>>> >>>>>> >>>>>> >>>>>> On Thu, Jul 27, 2017 at 11:41 AM, wenxing zheng < >>>>>> wenxing.zh...@gmail.com> wrote: >>>>>> >>>>>>> Thanks to Shkti. Will have a try immediately. >>>>>>> >>>>>>> On Thu, Jul 27, 2017 at 11:15 AM, shakti singh Shekhawat < >>>>>>> shaktisingh.shekhawa...@gmail.com> wrote: >>>>>>> >>>>>>>> Hi Wenxing, >>>>>>>> >>>>>>>> We recently had the same GSS Tgt issue when we moved to a >>>>>>>> Kerberized cluster. The solution that worked for us was "Create a file >>>>>>>> to >>>>>>>> define Java krb5login and name it as jaas.conf or jaas.java". Jaas >>>>>>>> authentication makes Java applications independent of underlying >>>>>>>> authentication technology. >>>>>>>> >>>>>>>> Please refer the below link from Oracle (or search for "How to add >>>>>>>> jaas configuration" in Google to see the 1st link in case the below >>>>>>>> link >>>>>>>> does not work) for your application. >>>>>>>> http://docs.oracle.com/javase/7/docs/technotes/guides/securi >>>>>>>> ty/jgss/tutorials/LoginConfigFile.html >>>>>>>> >>>>>>>> Thanks, >>>>>>>> Shakti Singh Shekhawat >>>>>>>> >>>>>>>> On Wed, Jul 26, 2017 at 10:42 PM wenxing zheng < >>>>>>>> wenxing.zh...@gmail.com> wrote: >>>>>>>> >>>>>>>>> Dear all, >>>>>>>>> >>>>>>>>> We have a Hive in 2.1.1 and a web application running against the >>>>>>>>> Hive server. Before enabling the Kerberos, everything is OK. But after >>>>>>>>> enabling the Kerberos, it always failed to do the authentication. >>>>>>>>> >>>>>>>>> - web application runs with: Jetty, hive client version: 1.2.1 >>>>>>>>> and JDK 1.7 >>>>>>>>> - Hive runs with JDK 1.8 >>>>>>>>> - but both JDKs are running with JCE jars. >>>>>>>>> >>>>>>>>> >>>>>>>>> Followings are the errors: >>>>>>>>> >>>>>>>>>> >>>>>>>>>> 2017-07-27 10:29:16,622 INFO hive.metastore:Trying to connect to >>>>>>>>>> metastore with URI thrift://hdp-cli-01.dataservice.net:9083 >>>>>>>>>> 2017-07-27 10:29:16,793 WARN >>>>>>>>>> org.apache.hadoop.util.NativeCodeLoader:Unable >>>>>>>>>> to load native-hadoop library for your platform... using builtin-java >>>>>>>>>> classes where applicable >>>>>>>>>> 2017-07-27 10:29:16,873 ERROR >>>>>>>>>> org.apache.thrift.transport.TSaslTransport:SASL >>>>>>>>>> negotiation failure >>>>>>>>>> javax.security.sasl.SaslException: GSS initiate failed [Caused >>>>>>>>>> by GSSException: No valid credentials provided (Mechanism level: >>>>>>>>>> Failed to >>>>>>>>>> find any Kerberos tgt)] >>>>>>>>>> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChalleng >>>>>>>>>> e(GssKrb5Client.java:212) >>>>>>>>>> at org.apache.thrift.transport.TSaslClientTransport.handleSaslS >>>>>>>>>> tartMessage(TSaslClientTransport.java:94) >>>>>>>>>> at org.apache.thrift.transport.TSaslTransport.open(TSaslTranspo >>>>>>>>>> rt.java:271) >>>>>>>>>> at org.apache.thrift.transport.TSaslClientTransport.open(TSaslC >>>>>>>>>> lientTransport.java:37) >>>>>>>>>> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1 >>>>>>>>>> .run(TUGIAssumingTransport.java:52) >>>>>>>>>> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1 >>>>>>>>>> .run(TUGIAssumingTransport.java:49) >>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>>>>>> at javax.security.auth.Subject.doAs(Subject.java:415) >>>>>>>>>> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGro >>>>>>>>>> upInformation.java:1657) >>>>>>>>>> at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.o >>>>>>>>>> pen(TUGIAssumingTransport.java:49) >>>>>>>>>> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(Hi >>>>>>>>>> veMetaStoreClient.java:420) >>>>>>>>>> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>( >>>>>>>>>> HiveMetaStoreClient.java:236) >>>>>>>>>> at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>( >>>>>>>>>> HiveMetaStoreClient.java:181) >>>>>>>>>> at com.taobao.zeus.store.CliTableManager.initClient(CliTableMan >>>>>>>>>> ager.java:60) >>>>>>>>>> at com.taobao.zeus.store.CliTableManager.<init>(CliTableManager >>>>>>>>>> .java:47) >>>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native >>>>>>>>>> Method) >>>>>>>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance(Native >>>>>>>>>> ConstructorAccessorImpl.java:57) >>>>>>>>>> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(De >>>>>>>>>> legatingConstructorAccessorImpl.java:45) >>>>>>>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:5 >>>>>>>>>> 26) >>>>>>>>>> at org.springframework.beans.BeanUtils.instantiateClass(BeanUti >>>>>>>>>> ls.java:100) >>>>>>>>>> at org.springframework.beans.factory.support.SimpleInstantiatio >>>>>>>>>> nStrategy.instantiate(SimpleInstantiationStrategy.java:61) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory.instantiateBean(AbstractAutowireCapableBean >>>>>>>>>> Factory.java:877) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory.createBeanInstance(AbstractAutowireCapableB >>>>>>>>>> eanFactory.java:839) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFac >>>>>>>>>> tory.java:440) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.ja >>>>>>>>>> va:409) >>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory.createBean(AbstractAutowireCapableBeanFacto >>>>>>>>>> ry.java:380) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor >>>>>>>>>> y$1.getObject(AbstractBeanFactory.java:264) >>>>>>>>>> at org.springframework.beans.factory.support.DefaultSingletonBe >>>>>>>>>> anRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor >>>>>>>>>> y.doGetBean(AbstractBeanFactory.java:261) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor >>>>>>>>>> y.getBean(AbstractBeanFactory.java:185) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor >>>>>>>>>> y.getBean(AbstractBeanFactory.java:164) >>>>>>>>>> at org.springframework.beans.factory.support.DefaultListableBea >>>>>>>>>> nFactory.findAutowireCandidates(DefaultListableBeanFactory.j >>>>>>>>>> ava:671) >>>>>>>>>> at org.springframework.beans.factory.support.DefaultListableBea >>>>>>>>>> nFactory.resolveDependency(DefaultListableBeanFactory.java:610) >>>>>>>>>> at org.springframework.beans.factory.annotation.AutowiredAnnota >>>>>>>>>> tionBeanPostProcessor$AutowiredFieldElement.inject(Autowired >>>>>>>>>> AnnotationBeanPostProcessor.java:412) >>>>>>>>>> at org.springframework.beans.factory.annotation.InjectionMetada >>>>>>>>>> ta.injectFields(InjectionMetadata.java:105) >>>>>>>>>> at org.springframework.beans.factory.annotation.AutowiredAnnota >>>>>>>>>> tionBeanPostProcessor.postProcessAfterInstantiation(Autowire >>>>>>>>>> dAnnotationBeanPostProcessor.java:240) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory.populateBean(AbstractAutowireCapableBeanFac >>>>>>>>>> tory.java:959) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFac >>>>>>>>>> tory.java:472) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.ja >>>>>>>>>> va:409) >>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractAutowireCa >>>>>>>>>> pableBeanFactory.createBean(AbstractAutowireCapableBeanFacto >>>>>>>>>> ry.java:380) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor >>>>>>>>>> y$1.getObject(AbstractBeanFactory.java:264) >>>>>>>>>> at org.springframework.beans.factory.support.DefaultSingletonBe >>>>>>>>>> anRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor >>>>>>>>>> y.doGetBean(AbstractBeanFactory.java:261) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor >>>>>>>>>> y.getBean(AbstractBeanFactory.java:185) >>>>>>>>>> at org.springframework.beans.factory.support.AbstractBeanFactor >>>>>>>>>> y.getBean(AbstractBeanFactory.java:164) >>>>>>>>>> at org.springframework.beans.factory.support.DefaultListableBea >>>>>>>>>> nFactory.preInstantiateSingletons(DefaultListableBeanFactory >>>>>>>>>> .java:429) >>>>>>>>>> at org.springframework.context.support.AbstractApplicationConte >>>>>>>>>> xt.finishBeanFactoryInitialization(AbstractApplicationContex >>>>>>>>>> t.java:728) >>>>>>>>>> at org.springframework.context.support.AbstractApplicationConte >>>>>>>>>> xt.refresh(AbstractApplicationContext.java:380) >>>>>>>>>> at org.springframework.web.context.ContextLoader.createWebAppli >>>>>>>>>> cationContext(ContextLoader.java:255) >>>>>>>>>> at org.springframework.web.context.ContextLoader.initWebApplica >>>>>>>>>> tionContext(ContextLoader.java:199) >>>>>>>>>> at org.springframework.web.context.ContextLoaderListener.contex >>>>>>>>>> tInitialized(ContextLoaderListener.java:45) >>>>>>>>>> at org.eclipse.jetty.server.handler.ContextHandler.callContextI >>>>>>>>>> nitialized(ContextHandler.java:800) >>>>>>>>>> at org.eclipse.jetty.servlet.ServletContextHandler.callContextI >>>>>>>>>> nitialized(ServletContextHandler.java:444) >>>>>>>>>> at org.eclipse.jetty.server.handler.ContextHandler.startContext >>>>>>>>>> (ContextHandler.java:791) >>>>>>>>>> at org.eclipse.jetty.servlet.ServletContextHandler.startContext >>>>>>>>>> (ServletContextHandler.java:294) >>>>>>>>>> at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppCon >>>>>>>>>> text.java:1349) >>>>>>>>>> at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppCo >>>>>>>>>> ntext.java:1342) >>>>>>>>>> at org.eclipse.jetty.server.handler.ContextHandler.doStart(Cont >>>>>>>>>> extHandler.java:741) >>>>>>>>>> at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext >>>>>>>>>> .java:505) >>>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs >>>>>>>>>> tractLifeCycle.java:68) >>>>>>>>>> at org.eclipse.jetty.deploy.bindings.StandardStarter.processBin >>>>>>>>>> ding(StandardStarter.java:41) >>>>>>>>>> at org.eclipse.jetty.deploy.AppLifeCycle.runBindings(AppLifeCyc >>>>>>>>>> le.java:186) >>>>>>>>>> at org.eclipse.jetty.deploy.DeploymentManager.requestAppGoal(De >>>>>>>>>> ploymentManager.java:498) >>>>>>>>>> at org.eclipse.jetty.deploy.DeploymentManager.addApp(Deployment >>>>>>>>>> Manager.java:146) >>>>>>>>>> at org.eclipse.jetty.deploy.providers.ScanningAppProvider.fileA >>>>>>>>>> dded(ScanningAppProvider.java:180) >>>>>>>>>> at org.eclipse.jetty.deploy.providers.WebAppProvider.fileAdded( >>>>>>>>>> WebAppProvider.java:440) >>>>>>>>>> at org.eclipse.jetty.deploy.providers.ScanningAppProvider$1.fil >>>>>>>>>> eAdded(ScanningAppProvider.java:64) >>>>>>>>>> at org.eclipse.jetty.util.Scanner.reportAddition(Scanner.java:6 >>>>>>>>>> 09) >>>>>>>>>> at org.eclipse.jetty.util.Scanner.reportDifferences(Scanner.jav >>>>>>>>>> a:528) >>>>>>>>>> at org.eclipse.jetty.util.Scanner.scan(Scanner.java:391) >>>>>>>>>> at org.eclipse.jetty.util.Scanner.doStart(Scanner.java:313) >>>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs >>>>>>>>>> tractLifeCycle.java:68) >>>>>>>>>> at org.eclipse.jetty.deploy.providers.ScanningAppProvider.doSta >>>>>>>>>> rt(ScanningAppProvider.java:150) >>>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs >>>>>>>>>> tractLifeCycle.java:68) >>>>>>>>>> at org.eclipse.jetty.deploy.DeploymentManager.startAppProvider( >>>>>>>>>> DeploymentManager.java:560) >>>>>>>>>> at org.eclipse.jetty.deploy.DeploymentManager.doStart(Deploymen >>>>>>>>>> tManager.java:235) >>>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs >>>>>>>>>> tractLifeCycle.java:68) >>>>>>>>>> at org.eclipse.jetty.util.component.ContainerLifeCycle.start(Co >>>>>>>>>> ntainerLifeCycle.java:132) >>>>>>>>>> at org.eclipse.jetty.server.Server.start(Server.java:387) >>>>>>>>>> at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart( >>>>>>>>>> ContainerLifeCycle.java:114) >>>>>>>>>> at org.eclipse.jetty.server.handler.AbstractHandler.doStart(Abs >>>>>>>>>> tractHandler.java:61) >>>>>>>>>> at org.eclipse.jetty.server.Server.doStart(Server.java:354) >>>>>>>>>> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(Abs >>>>>>>>>> tractLifeCycle.java:68) >>>>>>>>>> at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguratio >>>>>>>>>> n.java:1255) >>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>>>>>>> at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration >>>>>>>>>> .java:1174) >>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcce >>>>>>>>>> ssorImpl.java:57) >>>>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>>>>>>>>> thodAccessorImpl.java:43) >>>>>>>>>> at java.lang.reflect.Method.invoke(Method.java:606) >>>>>>>>>> at org.eclipse.jetty.start.Main.invokeMain(Main.java:321) >>>>>>>>>> at org.eclipse.jetty.start.Main.start(Main.java:817) >>>>>>>>>> at org.eclipse.jetty.start.Main.main(Main.java:112) >>>>>>>>>> Caused by: GSSException: No valid credentials provided (Mechanism >>>>>>>>>> level: Failed to find any Kerberos tgt) >>>>>>>>>> at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5In >>>>>>>>>> itCredential.java:147) >>>>>>>>>> at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement( >>>>>>>>>> Krb5MechFactory.java:121) >>>>>>>>>> at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(K >>>>>>>>>> rb5MechFactory.java:187) >>>>>>>>>> at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSMana >>>>>>>>>> gerImpl.java:223) >>>>>>>>>> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextIm >>>>>>>>>> pl.java:212) >>>>>>>>>> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextIm >>>>>>>>>> pl.java:179) >>>>>>>>>> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChalleng >>>>>>>>>> e(GssKrb5Client.java:193) >>>>>>>>>> ... 94 more >>>>>>>>> >>>>>>>>> >>>>>>>>> Appreciated for your advice. >>>>>>>>> Kind Regards, Wenxing >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >