topic SAS 9.4M2 BI Platform with IWA/Kerberos in Administration and Deployment

SAS 9.4M2 BI Platform with IWA/Kerberos

Lenvdb — Thu, 19 Oct 2017 12:04:20 GMT

Hi All

We have a Clustered Metadata server (3 x Win 2012 R2 VMs) and 2 Compute servers which are Load Balanced.

We want to switch from user login to sso using IWA/Kerberos.

In doing so we discovered that one of our Compute Servers are missing SPNs.

Question: We can manually create the required SPNs, but which SAS Service account is best used for the SPN?

SASINST, SASSRV or SASADM?

And then does it have to be the same service account used for ALL the SPNs on each server. The installers cannot remember how the original SPNs were set up during the initial installation.

Re: SAS 9.4M2 BI Platform with IWA/Kerberos

alexal — Thu, 19 Oct 2017 12:35:31 GMT

@Lenvdb,

How to Configure Integrated Windows Authentication

...

If the metadata server is clustered and runs on Windows, or if your SAS servers are configured using DNS aliases, manually register SPNs. See Manual Registration.

...

Manually Registering Object Spawner SPNs

When using a service level account to run the object spawner service in a SAS Grid environment, you need to configure the default SPNs:

setspn –A SAS/computerNetbios –u domain\ObjectSpawnerServiceAccount
setspn –A SAS/computerFullname –u domain\ObjectSpawnerServiceAccount

In non-grid environments, you can configure custom SPNs, such as the following:

setspn –A SASWS/computerNetbios –u domain\ObjectSpawnerServiceAccount
setspn –A SASWS/computerShortname –u domain\ObjectSpawnerServiceAccount

Re: SAS 9.4M2 BI Platform with IWA/Kerberos

Lenvdb — Thu, 19 Oct 2017 12:44:23 GMT

@alexal

Thank you for this. Yes - I saw these instructions. My problem is I am new to this organisation and I was not there when it was installed on the original server, so I have no idea what the correct service account to use would be: SASINST? SASSRV? What I am really asking is if someone here has done this before, which account is recommended? I will most likely need to go and delete/recreate the SPNs previously set up, and document this so they know what I did to install IWA. We do not use Grid. Yet our 1st Compute node was set up as SAS/SASServ1 and not SASWS/SASServ1.

Thank you for your reply.
Much appreciated.

Re: SAS 9.4M2 BI Platform with IWA/Kerberos

alexal — Thu, 19 Oct 2017 13:01:01 GMT

@Lenvdb,

The object spawner is up and running now? Who started it? Most likely SASINST will be the service account. SASSRV is the account that is used for SAS Token Authentication.

Re: SAS 9.4M2 BI Platform with IWA/Kerberos

Lenvdb — Thu, 19 Oct 2017 13:08:52 GMT

@alexal

Thanks again for your reply...

I would assume that it is the SASINST account, as it is used for about everything else.

I had a look at the Object Spawners and they seem to run under a Local System Account

Re: SAS 9.4M2 BI Platform with IWA/Kerberos

Lenvdb — Thu, 26 Oct 2017 09:02:05 GMT

We have now set up some SPN's on the Compute node which had these missing.

We have a number of users complaining about not getting access to our SAS Metadata using IWA.

We have 3 Metadata Nodes in our cluster:

VM1

VM2 (Master)

VM3

On Node VM1 we regularly get these errors in the Log:

2017-10-26T08:33:00,805 INFO [09550903] :sasinst@xxxxxxxxxxxxxx - Client connection 26275365 for user sasevs@saspw closed.
2017-10-26T08:33:01,805 INFO [09550910] :sasinst@xxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T08:33:01,805 WARN [09550910] :sasinst@xxxxxxxxx - New client connection (26274325) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.4.96]:63063 for APPNAME=SAS Enterprise Guide.
2017-10-26T08:33:01,805 INFO [09550910] :sasinst@xxxxxxxxxx - Client connection 26274325 closed.
2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T08:33:01,805 WARN [09418531] :sasinst@xxxxxxxx - New client connection (26273718) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.4.96]:63062 for APPNAME=SAS Enterprise Guide.
2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxxxxxx - Client connection 26273718 closed.

These errors do not appear on VM2 or VM3.

What could be the cause for this?

How do we fix it?

I also saw this error in our Event Log on VM1:

Activation context generation failed for "c:\program files\SASHome\sasdeploymentmanager\9.4\products\cfgwizard__94260__prt__xx__sp0__1\utilities\w64\sasshortcutmgr.exe". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="ia64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found. Please use sxstrace.exe for detailed diagnosis.

Re: SAS 9.4M2 BI Platform with IWA/Kerberos

alexal — Thu, 26 Oct 2017 11:14:07 GMT

@Lenvdb,

You have to pay attention to this message in your log:

2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
What could be the cause for this?

Most likely there was a problem with TCP communication, for an example with DNS server. Are you sure you have no messages such this in the event viewer?

A socket operation was attempted to an unreachable host.

Re: SAS 9.4M2 BI Platform with IWA/Kerberos

Lenvdb — Thu, 26 Oct 2017 11:26:33 GMT

@alexal

Hi Alex

Sorry if I was unclear - this WAS the log entry in the event viewer in Windows.

But it only happens on VM1 using IWA, not on VM2 or VM3.

The System Event Viewer shows :

The Security System has received an authentication request that could not be decoded. The request has failed.

At the same time a Log was recorded in SAS Metadata:

2017-10-26T11:37:00,385 INFO [09785175] 26273237:sasinst@xxxxxxxxxxxxxL - Client connection 26273237 for user XSSEXEC@xxxxxxxxxxxxxxxxx closed.
2017-10-26T11:37:06,621 INFO [09785027] :sasinst@xxxxxxxxxxxxxxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T11:37:06,621 WARN [09785027] :sasinst@xxxxxxxxxxxxxxxxxxxxx - New client connection (26276397) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.2.22]:61955 for APPNAME=SAS Enterprise Guide.
2017-10-26T11:37:06,621 INFO [09785027] :sasinst@xxxxxxxxxxxx - Client connection 26276397 closed.

Re: SAS 9.4M2 BI Platform with IWA/Kerberos

alexal — Thu, 26 Oct 2017 12:03:07 GMT

@Lenvdb,

The Security System has received an authentication request that could not be decoded. The request has failed.

I suggest contacting Microsoft Technical Support about this problem.