topic Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA in Administration and Deployment

SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

EmmanuelF — Fri, 12 Apr 2019 15:59:49 GMT

HI,

I face an issue trying to set IWA auth for users. IWA is functional for web application, but i'am unable to start workspace via SASStudio application or via EG.

My configuration :

-Middle tier, meta, compute on three separate Linux server (RH)

-Workspace server is bind to an LDAP directory via PAM.

-Kerberos binding to AD is functionnal (other middle tier app starts well with IWA)

As you see below, the kerberos auth and delegation seems ok, but the workspace don't start.

I guess that I face a user mismatch between the AD and the Ldap (users are lowercase in the ldap eg :"albert")

I wonder if there is a way to bind the username returned by the iwa auth with the ldap user as this one is used to launch the workspace.

Or maybe I'am going the wrong way ???

Here is the ObjectSpawer logs (user have been changed)

2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >metaserver< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >bifrmetadev.compagny.fr<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >metaport< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >8561<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >metarepository< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >Foundation<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >locale< (Client requirement)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >fr_FR<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >objectserver< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >objectserverparms< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >protocol=bridge spawned spp=43996 cid=0 dnsmatch=bifrcompdev.agf.fr pb classfactory=440196D4-90F0-11D0-9F41-00A024BB830C server=OMSOBJ:SERVERCOMPONENT/A5MARO40.AY000009 cel=credentials recon<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - Environment variables are:
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >METAUSER<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >ALBERT @!*(generatedpassworddomain)*!<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -    >METAPASS<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT -       >********<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - Obtained krb5 ccache handle: 7fb898021630
2019-04-12T14:27:54,812 DEBUG [00000057] :ALBERT - Freed krb5 ccache handle: 7fb898021630
2019-04-12T14:27:54,813 ERROR [00000057] :ALBERT - Access denied.
2019-04-12T14:27:54,813 ERROR [00000057] :ALBERT - The launch of server SASApp - Workspace Server for user ALBERT failed.

Here is the sasauth-debug.logcat

20190412-14:40:25 Authenticating user ALBERT via GSS
20190412-14:40:25 Context username: ALBERT @GROUPE.COMPAGNY.FR
20190412-14:40:25 Context username length: 24
20190412-14:40:25 Server Name: SAS/bifrcompdev.compagny.fr@GROUPE.COMPAGNY.FR
20190412-14:40:25 Unknown user when getting user attributes.
20190412-14:40:25 User ALBERT did not authenticate. Reason: 'Unspecified reason.' (gss)
20190412-14:40:25 Request failed: 'User did not authenticate.'

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

alexal — Fri, 12 Apr 2019 16:20:12 GMT

@EmmanuelF ,

Are you sure that a command shown below returns something?

getent passwd ALBERT

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

EmmanuelF — Fri, 12 Apr 2019 19:47:21 GMT

Hello alexal,

getent passwd ALBERT return nothing

but

getent passwd albert return :

albert:*:24242:20000:albert:/net/home/albert:/usr/bin/ksh

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

alexal — Sat, 13 Apr 2019 01:30:30 GMT

@EmmanuelF ,

What are you using for the authentication on the system level? SSSD or something else?

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

EmmanuelF — Mon, 15 Apr 2019 15:36:16 GMT

@alexal

Yes SSSD in use.

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

alexal — Mon, 15 Apr 2019 16:29:10 GMT

@EmmanuelF ,

You need to configure case insensitive usernames in SSSD. Look for case_sensitive in sssd.conf or talk to your Linux Administrator. Commands like "getent passwd ALBERT" or "getent passwd albert" have to return the same output.

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

EmmanuelF — Wed, 17 Apr 2019 07:52:35 GMT

@alexal

Hello.

Great ! That solved the issue.

Thank you very much for your help

Re: SAS 9.4 M5 - IWA - unable to start workspace for users authenticated via IWA

alexal — Wed, 17 Apr 2019 12:08:17 GMT

@EmmanuelF ,

You are welcome. I'm glad that the problem has been resolved.