Github user ChrisMcVey commented on the issue: https://github.com/apache/zeppelin/pull/986 Well through some more testing, I've found that it it will accept logins as _either_ the userPrincipalName (without the realm) _or_ the sAMAccountName. This true if the principal suffix is NOT set in shiro. I.E. If the object has these two defined in AD: sAMAccountName=userexample userPrincipalName=userex/hostname1.domain....@realm.com AND shiro.ini does not have the principal suffix: #activeDirectoryRealm.principalSuffix = @REALM.COM Then I am able to login to the UI with either userexample or userex/hostname1.domain.com as the username. If the principal suffix is enabled: activeDirectoryRealm.principalSuffix = @REALM.COM Then, I cannot login to the UI with any form of userex/hostname1.domain.com but I can login with userexample. Logging in with userexample is useless because userexam...@realm.com will not be found for group mappings by the UPN search filter. Adding all this for clarity... Zeppelin ActiveDirectoryGroupRealm does not explicity authentication the user using sAMAccountName but it does permit it. It will also accept UPN. In most cases, these match. In some cases, they may not. The more I look at this, it is becoming apparent that as an AD provider and not an LDAP provider, they are assuming that running ktpass for a keytab as we have done is not a valid user for this provider. Hopefully, this info is at least helpful if someone else has this same odd config!
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---