This article provides answers to some of the most common questions about how to run [Azure HDInsight](https://azure.microsoft.com/services/hdinsight/).
@@ -180,13 +180,40 @@ sections:
180
180
Create a Kerberos keytab for your domain username. You can later use this keytab to authenticate to remote domain-joined clusters without entering a password. The domain name is uppercase:
When is salting required for AES256 encryption when creating the keytab?
193
+
answer: |
194
+
If your TenantName & DomainName are different (example TenantName – [email protected] & DomainName – [email protected]), you need to add a SALT value using the -s option.
195
+
196
+
- question: |
197
+
How do I determine the proper SALT value?
198
+
answer: |
199
+
1. Use an interactive Kerberos login to determine the proper salt value for the keytab. Interactive Kerberos login will use the highest encryption by default. Tracing should be enabled to observe the salt. Below is a sample Kerberos login:
200
+
201
+
```shell
202
+
203
+
$ KRB5_TRAACE=/dev/stdout kinit <username> -V
204
+
```
205
+
2. Look through the output for the salt "......." line.
Can I use an existing Azure Active Directory tenant to create an HDInsight cluster that has the ESP?
192
219
answer: |
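Review bot: The environment variable in the added kinit sample is misspelled as KRB5_TRAACE. MIT Kerberos reads KRB5_TRACE, so as written no trace is produced and the salt never shows up in the output. Change the line to "$ KRB5_TRACE=/dev/stdout kinit <username> -V". Step 2 would also be easier to follow if it described what the salt line in the trace looks like rather than salt ".......".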
@@ -195,7 +222,7 @@ sections:
195
222
To join VMs to a domain, you must have a domain controller. Azure AD DS is the managed domain controller, and is considered an extension of Azure Active Directory. Azure AD DS provides all the Kerberos requirements to build a secure Hadoop cluster in a managed way. HDInsight as a managed service integrates with Azure AD DS to provide security.
196
223
197
224
- question: |
198
-
Can I use a self-signed certificate in an AAD-DS secure LDAP setup and provision an ESP cluster?
225
+
Can I use a self-signed certificate in an Azure AD-DS secure LDAP setup and provision an ESP cluster?
199
226
answer: |
200
227
Using a certificate issued by a certificate authority is recommended. But using a self-signed certificate is also supported on ESP. For more information, see:
201
228
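Review bot: The new question text spells the service "Azure AD-DS", but the unchanged answer earlier in this hunk writes it as "Azure AD DS" with no hyphen. Use "Azure AD DS" in the question so the name is consistent within the file.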
@@ -204,7 +231,7 @@ sections:
204
231
- [Tutorial: Configure secure LDAP for an Azure Active Directory Domain Services managed domain](../active-directory-domain-services/tutorial-configure-ldaps.md)
205
232
206
233
- question: |
207
-
Can I install Data Analytics Studio (DAS) an an ESP cluster?
234
+
Can I install Data Analytics Studio (DAS) as an ESP cluster?
208
235
answer: |
209
236
No, DAS is not supported on ESP clusters.
210
237
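Review bot: The replacement "as an ESP cluster" changes the meaning of the question instead of fixing the "an an" typo. The answer directly below reads "DAS is not supported on ESP clusters", so the intended wording is "Can I install Data Analytics Studio (DAS) on an ESP cluster?".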
@@ -239,7 +266,7 @@ sections:
239
266
LLAP is enabled for security reasons (Apache Ranger), not performance. Use larger node VMs to accommodate for the resource usage of LLAP (for example, minimum D13V2).
240
267
241
268
- question: |
242
-
How can I add additional AAD groups after creating an ESP cluster?
269
+
How can I add additional Azure AD groups after creating an ESP cluster?
243
270
answer: |
244
271
There are two ways to achieve this goal:
245
272
1- You can recreate the cluster and add the additional group at the time of cluster creation. If you're using scoped synchronization in AAD-DS, make sure group B is included in the scoped synchronization.
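Review bot: The AAD rename is incomplete in this entry: the question now says "Azure AD groups", but the first option in the answer still says "AAD-DS" on the unchanged line. Update that line in the same change so both use one name. That line also refers to "group B" without the visible text introducing it, which is worth rewording while the entry is being touched.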
@@ -333,7 +360,7 @@ sections:
333
360
- question: |
334
361
How do I retrieve the configuration details from HDI cluster by using an Azure Active Directory user?
335
362
answer: |
336
-
To negotiate proper authentication tokens with your AAD user, go through the gateway by using the following format:
363
+
To negotiate proper authentication tokens with your Azure AD user, go through the gateway by using the following format: