By default, the service field of a delegation token is populated based on the server's IP address. Setting hadoop.security.token.service.use_ip to false changes this behavior to use the host name instead of the IP address. However, this configuration property is not read from job.xml. Instead, it is read from a separate Configuration instance created during static initialization of SecurityUtil. This does not work correctly with MapReduce jobs if the framework is distributed by setting mapreduce.application.framework.path and mapreduce.application.classpath is isolated to avoid reading core-site.xml from the cluster nodes. MapReduce tasks will fail to authenticate to HDFS because they try to find a delegation token based on the NameNode IP address, even though the tokens were generated using the host name at job submission time.
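The mismatch described above can be reproduced with a small model. This is an added example, not Hadoop source code: the class and function names, the host name nn1.example.com, the address 10.0.0.5 and port 8020 are all constructed for illustration, and only the property name comes from the description.

```python
# Simplified model of the behaviour described above; not Hadoop source code.
USE_IP_KEY = "hadoop.security.token.service.use_ip"

# Constructed sample data: NameNode host name, its address, and RPC port.
DNS = {"nn1.example.com": "10.0.0.5"}
NAMENODE = ("nn1.example.com", 8020)


class SecurityUtilModel:
    """Stands in for a process whose use_ip flag is fixed at static init."""

    def __init__(self, classpath_conf):
        # Read once from the configuration visible on the classpath
        # (core-site.xml); job.xml is never consulted. Default is true.
        self.use_ip = classpath_conf.get(USE_IP_KEY, "true") == "true"

    def build_token_service(self, host, port):
        name = DNS[host] if self.use_ip else host
        return f"{name}:{port}"


def submit_job(client_core_site):
    """Job client: fetch a delegation token and store it by service."""
    client = SecurityUtilModel(client_core_site)
    service = client.build_token_service(*NAMENODE)
    credentials = {service: "hdfs-delegation-token"}
    job_xml = dict(client_core_site)  # the setting does travel in job.xml
    return credentials, job_xml


def task_select_token(credentials, job_xml, task_classpath_conf):
    """Task: look up the token by the service it computes locally."""
    task = SecurityUtilModel(task_classpath_conf)  # job_xml is ignored here
    wanted = task.build_token_service(*NAMENODE)
    return wanted, credentials.get(wanted)


def diagnose(client_core_site, task_classpath_conf):
    """Report the stored service keys, the key the task asks for, and the result."""
    creds, job_xml = submit_job(client_core_site)
    wanted, token = task_select_token(creds, job_xml, task_classpath_conf)
    return {"stored": sorted(creds), "wanted": wanted, "found": token is not None}
```

Calling diagnose({USE_IP_KEY: "false"}, {}) models the isolated task classpath: the token is stored under the host name, the task asks for the IP-based service, and the lookup returns nothing.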