Skip to main content

How to Access Kerberized Hadoop Web UIs Using SPNEGO

By Anonymous
Struggling with delivery, architecture alignment, or platform stability?

I help teams fix systemic engineering issues: processes, architecture, and clarity.
→ See how I work with teams.


Kerberized Hadoop clusters use SPNEGO for browser authentication. To sign into UIs such as NameNode, ResourceManager, Oozie or HiveServer2, your browser must support SPNEGO, your client must have a valid Kerberos ticket and DNS and realm mappings must match. This guide explains how to enable SPNEGO for modern Firefox, Chrome and Edge.

Most Hadoop Web UIs rely on SPNEGO (Simple and Protected GSSAPI Negotiation) to authenticate users through Kerberos. When a browser accesses a Kerberos-protected endpoint such as:

  • http://namenode-host:9870
  • http://rm-host:8088
  • http://oozie-host:11000/oozie

the server expects the browser to negotiate Kerberos credentials automatically. If the browser is not configured correctly, the user will see repeated login prompts or 401: Unauthorized.

Prerequisites

  • You must have a valid Kerberos ticket: 
    kinit your_user@YOUR.REALM
  • DNS and reverse DNS for the Hadoop services must be correct
  • The SPN for the UI must match: HTTP/hostname@REALM
  • The browser must allow SPNEGO negotiation for the target domain

Configuring Modern Firefox

Open about:config and set:

  • network.negotiate-auth.trusted-uris: domains where SPNEGO is allowed namenode.company.com, .company.com
  • network.negotiate-auth.delegation-uris: domains allowed for credential delegation .company.com
  • network.negotiate-auth.allow-non-fqdn: set to false unless explicitly needed

Firefox on Linux and macOS uses the system Kerberos libraries and respects /etc/krb5.conf.

Configuring Chrome or Microsoft Edge (Modern Policy-Based Setup)

Modern Chrome and Edge no longer rely on command-line flags for SPNEGO. Instead, they use enterprise policies.

Linux or macOS: JSON policy files

Create (or update) a file:

/etc/opt/chrome/policies/managed/kerberos.json

with content:

{
  "AuthServerWhitelist": "*.company.com",
  "AuthNegotiateDelegateWhitelist": "*.company.com"
}

Windows: Group Policy Editor

Navigate to:

Computer Configuration →
 Administrative Templates →
 Google →
 Google Chrome →
 Authentication

Set:

  • AuthServerWhitelist = *.company.com
  • AuthNegotiateDelegateWhitelist = *.company.com

Configuring Internet Explorer (Legacy Environments)

  • Ensure “Windows Integrated Authentication” is enabled.
  • Add the Hadoop UI domain to Local Intranet sites.
  • Kerberos will only negotiate automatically for intranet zones.

Common Causes of SPNEGO Failure

  • No valid Kerberos ticket (run kinit)
  • Browser not configured to trust the domain
  • DNS mismatch between hostname and Kerberos principal
  • Clock skew between client and KDC
  • Service principal missing: HTTP/hostname@REALM

When SPNEGO Is Not Required

Modern Hadoop deployments often sit behind Apache Knox, identity-aware proxies or SSO systems. These provide access via:

  • SAML or OIDC (Okta, Azure AD, Auth0)
  • JWT-based authentication
  • Token-based API access

In such cases, browser-side Kerberos configuration is unnecessary.

Related guides:

If you need help with distributed systems, backend engineering, or data platforms, check my Services.

Labels:

Most read articles

Why Is Customer Obsession Disappearing?

By
Many companies trade real customer-obsession for automated, low-empathy support. Through examples from Coinbase, PayPal, GO Telecommunications and AT&T, this article shows how reliance on AI chatbots, outsourced call centers, and KPI-driven workflows erodes trust, NPS and customer retention. It argues that human-centric support—treating support as strategic investment instead of cost—is still a core growth engine in competitive markets. It's wild that even with all the cool tech we've got these days, like AI solving complex equations and doing business across time zones in a flash, so many companies are still struggling with the basics: taking care of their customers. The drama around Coinbase's customer support is a prime example of even tech giants messing up. And it's not just Coinbase — it's a big-picture issue for the whole industry. At some point, the idea of "customer obsession" got replaced with "customer automation," and no...
Read more

How to scale MySQL perfectly

By
When MySQL reaches its limits, scaling cannot rely on hardware alone. This article explains how strategic techniques such as caching, sharding and operational optimisation can drastically reduce load and improve application responsiveness. It outlines how in-memory systems like Redis or Memcached offload repeated reads, how horizontal sharding mechanisms distribute data for massive scale, and how tools such as Vitess, ProxySQL and HAProxy support routing, failover and cluster management. The summary also highlights essential practices including query tuning, indexing, replication and connection management. Together these approaches form a modern DevOps strategy that transforms MySQL from a single bottleneck into a resilient, scalable data layer able to grow with your application. When your MySQL database reaches its performance limits, vertical scaling through hardware upgrades provides a temporary solution. Long-term growth, though, requires a more comprehensive approach. This invo...
Read more

What the Heck is Superposition and Entanglement?

By
This post is about superposition and interference in simple, intuitive terms. It describes how quantum states combine, how probability amplitudes add, and why interference patterns appear in systems such as electrons, photons and waves. The goal is to give a clear, non mathematical understanding of how quantum behavior emerges from the rules of wave functions and measurement. If you’ve ever heard the words superposition or entanglement thrown around in conversations about quantum physics, you may have nodded politely while your brain quietly filed them away in the "too confusing to deal with" folder.  These aren't just theoretical quirks; they're the foundation of mind-bending tech like Google's latest quantum chip, the Willow with its 105 qubits. Superposition challenges our understanding of reality, suggesting that particles don't have definite states until observed. This principle is crucial in quantum technologies, enabling phenomena like quantum comp...
Read more