topic Re: Integrated windows authentication failed in Administration and Deployment

Integrated windows authentication failed

RupaJ — Fri, 14 Sep 2018 16:58:47 GMT

Hello Forum,

I am trying to set up IWA for the desktop clients(windows). Now my metadata /midtier and compute are on RHEL 7 servers. Meta and Midtier are on one machine, with compute on another server. SAS 9.4M5 is installed btw.

Now I have completed the prerequisites for setting up IWA which are

Unix host joining the AD

Creating the service account , UPN,SPN

Generating the keytab file.

Adding the KRB5_KTNAME env variable and restart the services.

After completing all the above, I tried testing if the IWA is working.

Checked the Integrated windows authentication checkbox. In the advanced setting security package is "Negiciate:, SPN is the custom SPN that we have and Security Package list is "Kerberos,NTLN".

I have the same thing mentinoed above for the workspace server properties too.

Now I am able to connect to the SAS Enterprise guide with the profile , however my workspace server validation is failing with below error.

[9/14/18 11:35 AM] INFO: Starting extended validation for Workspace server (level 1) - Making a connection
[9/14/18 11:35 AM] SEVERE: Access denied.
[9/14/18 11:35 AM] SEVERE: The launch of server SASApp - Workspace Server for user failed.
[9/14/18 11:35 AM] SEVERE: The application could not log on to the server "sastest.local:8591". Integrated Windows authentication failed.

This is what I see in the objectspawner logs.

2018-09-14T11:35:10,227 WARN [00024804] : user- The destination buffer size was not sufficient for the requested password.
2018-09-14T11:35:10,228 ERROR [00024804] :user - Access denied.
2018-09-14T11:35:10,228 ERROR [00024804] :user - The launch of server SASApp - Workspace Server for user failed.

Note - I have removed user and server names.

Now regarding the SPN, I have a question. How do I create a default SPN? My IT guy has created xyz as service account and created XYZ/sasmeta.local , XYZ/sastest.local , XYZ/sasmeta and XYZ/sastest as SPNs (both FQDN and shortnames). However I need to give SPN as "XYZ/sasmeta.local in order to connect to SASEG. It is not connecting if I leave the SPN blank when I connect to SASEG.

So 2 questions

Why I am getting that error when I am trying to validate the workspace server?

Default SPN -- How to create?

Thank you!!!

Re: Integrated windows authentication failed

alexal — Fri, 14 Sep 2018 17:08:56 GMT

@RupaJ,

How do I create a default SPN?

Registering SPNs. The client must know the server's service principal name (SPN). In a standard configuration, this is transparent. Clients expect (and know how to construct) a default SPN in the format SAS/machine (for example, SAS/machineA.na.company.com), so you do not have to explicitly provide the SPN.

Audit.Authentication logger should help with debugging GSSAPI, please add this XML to metadata/object spawner logging configuration (do not forget to restart metadata/object spawner after that):

 <logger name="Audit.Authentication">
        <level value="Trace"/>
  </logger>

Re: Integrated windows authentication failed

RupaJ — Fri, 14 Sep 2018 18:38:17 GMT

hello @alexal

Thanks for the response. What do you mean "standard configuration"? Could you clarify. How should the default SPN be created? Any commands will be helpful.

Thanks

Re: Integrated windows authentication failed

RupaJ — Sat, 15 Sep 2018 11:24:18 GMT

Looks like I did not enable -SSPI option to launch object spawner. How do I do that? I was thinking the default is with -sspi. However after 9.4 releases, looks like default is -nosspi.

Re: Integrated windows authentication failed

RupaJ — Mon, 17 Sep 2018 11:35:32 GMT

In response to the -SSPI option, I checked the object spawner startup script and it does have the -SSPI option. I guess only on windows the default is to start with -nosspi :-(. So that is ruled out too.

Any help on this would be great. Thanks!

Re: Integrated windows authentication failed

PaulHomes — Tue, 18 Sep 2018 01:21:05 GMT

As @alexal mentioned you should be able to configure the server so you don't need to specify any extra details on the client other than the basic host name, port and to use IWA. SPNs should be added in AD so the client user doesn't have to worry about them.

Just so you know I get that warning message in my Linux + IWA lab environment when IWA connection is successful:

2018-09-18T10:48:43,814 INFO  [00689123] :paul - New client connection (57834) accepted from server port 8591 for IWA user paul. Encryption level is Credentials using encryption algorithm AES.  Peer IP address and port are [192.168.2.101]:52435 for APPNAME=SAS Enterprise Guide.
2018-09-18T10:48:43,859 WARN  [00689123] :paul - The destination buffer size was not sufficient for the requested password.
2018-09-18T10:48:43,884 INFO  [00689123] :paul - Created process 14210 using credentials paul (child id 94).
2018-09-18T10:48:44,490 INFO  [00689130] :sas - New out call client connection (57848) for launched server (child 94).  Peer IP address and port are [192.168.2.27]:54050.
2018-09-18T10:48:44,497 INFO  [00689130] :sas - Client connection 57834 for user paul closed.
2018-09-18T10:49:41,026 INFO  [00000009] :sas - Client connection 57848 for user paul closed.
2018-09-18T10:49:41,152 INFO  [00689122] :sas - Process 14210 owned by user paul (child id 94) has ended.

I don't know why I am getting that buffer size warning but it does not seem to have any obvious impact. If anyone else knows how to get rid of it I'd be keen to hear. 🙂

So I think you need to focus on that "Access denied" error. Have you added the Audit.Authentication trace level logging for the object spawner as @alexal suggested?

Re: Integrated windows authentication failed

alexal — Tue, 18 Sep 2018 11:25:46 GMT

Also, enable sasauth-debug on compute tier.

Re: Integrated windows authentication failed

RupaJ — Tue, 18 Sep 2018 11:59:29 GMT

Yes,I did enable the below in the object spawner and restarted services. However don't see any new log messages apart from what I saw before.

<logger name="Audit.Authentication">
        <level value="Trace"/>
  </logger>

Re: Integrated windows authentication failed

alexal — Tue, 18 Sep 2018 12:01:03 GMT

Where did you add these lines?

Re: Integrated windows authentication failed

RupaJ — Tue, 18 Sep 2018 12:02:04 GMT

@alexal - Yes, PROC PERMTEST went successful for my login.

Re: Integrated windows authentication failed

RupaJ — Tue, 18 Sep 2018 12:08:22 GMT

In logconfig.xml file in the path /opt/sas/config/Lev1/ObjectSpawner.

Re: Integrated windows authentication failed

alexal — Tue, 18 Sep 2018 12:12:05 GMT

That is correct file unless object spawner is using another in logconfigloc. You do not need to run PROC PERMTEST, just enable sasauth-debug and restart the spawner. What you will see in the sasauth-debug log when the IWA/GSSAPI authentication fails?

Re: Integrated windows authentication failed

RupaJ — Tue, 18 Sep 2018 16:07:57 GMT

Hello @alexal,

Looks like the GSS libraries are missing. What libraries shoudl I install?

20180918-08:12:41 Initializing gss

20180918-08:12:41 Attempting to load GSSAPI library: libvas-gssapi.so

20180918-08:12:41 Attempting to load GSSAPI library: /opt/quest/lib64/libvas-gssapi.so

20180918-08:12:41 Attempting to load GSSAPI library: libgssapi_krb5.so

20180918-08:12:41 Attempting to load GSSAPI library: libgssapi.so

20180918-08:12:41 Attempting to load GSSAPI library: libgss.so

20180918-08:12:41 Could not load a GSSAPI library.

20180918-08:12:41 Could not initialize authentication method gss

20180918-08:12:41 GSS could not be loaded.

20180918-08:12:41 Using maxtries: 5

20180918-08:12:41 Using maxtries period: 60

20180918-08:12:41 Using maxtries wait: 300

20180918-08:12:41 GSS is not available to process authenticate request.

20180918-08:12:41 Request failed: 'GSS is not available.'

Thanks for your response!

Re: Integrated windows authentication failed

alexal — Tue, 18 Sep 2018 18:48:16 GMT

@RupaJ,

As I responded to you in the technical support track, it appears you do not have any GSSAPI libraries installed on the system. What are you using for authentication? SSSD or something else? If SSSD, then you have to install sssd-krb5-common. If something else, then you have to adjust LD_LIBRARY_PATH.

Re: Integrated windows authentication failed

PaulHomes — Wed, 19 Sep 2018 00:02:16 GMT

As @alexal suggested, installing sssd-krb5-common will pull in additional packages including the standard open source GSSAPI libraries.

In terms of specific packages, in my environment /usr/lib64/libgssapi_krb5.so is a symlink (provided by the package krb5-devel) to libgssapi_krb5.so.2.2 (provided by the package krb5-libs). The krb5-libs package is one of the dependencies of sssd-krb5-common.

A while ago I was having trouble with a missing /usr/lib64/libgssapi_krb5.so -> libgssapi_krb5.so.2.2 symlink so created it manually. Later on I found that the krb5-devel package provides it.

I only use realmd to provide the basic setup for IWA on Linux now as I find it makes it significantly easier: https://platformadmin.com/blogs/paul/2015/07/active-directory-authentication-for-sas-on-linux-with-realmd/ (I just updated the blog post to add a note about krb5-devel)

Re: Integrated windows authentication failed

RupaJ — Wed, 19 Sep 2018 09:55:37 GMT

Thanks @PaulHomes and @alexal!

We have centrify that authenticates the users. Would sssd-krb5-common package still be the one that will make it work?

Re: Integrated windows authentication failed

alexal — Wed, 19 Sep 2018 12:08:57 GMT

@RupaJ,

If you are using Centrify, you can resolve the problem just by adding /usr/share/centrifydc/kerberos/lib64/ to the LD_LIBRARY_PATH. Also, if you do not want to change LD_LIBRARY_PATH, you can create symlinks for these files in /lib64/.

/usr/share/centrifydc/kerberos/lib64/libgssapi_krb5.so
/usr/share/centrifydc/kerberos/lib64/libgssapi_krb5.so.2
/usr/share/centrifydc/kerberos/lib64/libgssapi_krb5.so.2.2

Re: Integrated windows authentication failed

alexal — Wed, 19 Sep 2018 18:56:31 GMT

I just want to say that the problem has been resolved. We have linked SAS to specific GSSAPI modules, changed a few settings in sasauth.conf, and the workspace server.

Re: Integrated windows authentication failed

RupaJ — Mon, 24 Sep 2018 20:18:55 GMT

Thanks so much @alexal for your time!

Just to elaborate on what was done. I was waiting to understand few things. So the delay.

1) Create the symlinks for the GSSAPI libraries on the compute server.

ln -s /lib64/libgssapi_krb5.so.2.2 /lib64/libgssapi_krb5.so

2) Add the enviornment variable in the file level_env_usermods.sh in the path /opt/sas/config/Lev1/ on the compute server

export TKSECURE_GSSAPI_LIBRARY=/lib64/libgssapi_krb5.so.2.2

3) Add the below in the file /opt/sas/sashome/SASFoundation/9.4/utilities/bin/sasauth.conf on the compute server.

gssLibrary=/lib64/libgssapi_krb5.so.2.2

4) Add the below script to /opt/sas/config/Lev1/SASApp/WorkspaceServer_usermods.sh

workspace_user=$(whoami)
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user ${workspace_user} -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)
 
if test ! -z "$workspace_user_ccaches"; then
            echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
            echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
            export KRB5CCNAME=$workspace_user_ccaches
            echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
            echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi

I wish SAS documentation is modified to add these steps. It will save so much time. I hope this is useful for someone trying to configure SSO with centrify,