https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925435#M28421 Aha I was hoping you would reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> we are not opting for the MIT KDC setup, instead going this route of updating WIN registry, per Stuart's article (M2). I was looking at Cloudera's JDBC Hive driver and its manual, even they mention setting up separate MIT KDC and to get file based ticket and KRB5CCNAME setup. Is there a way to figure out to get the memory value just so the ticket could be validated? Like one could put for KRB5CCNAME? Since I have your attention, por favor, I was unclear if I needed to set JAAS config if I am going with memory setup?<BR /><BR />Much thanks for your input and time! Tue, 23 Apr 2024 19:11:15 GMT shoin 2024-04-23T19:11:15Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925262#M28411 <P>SAS 9.4 M8 WIN 2022 server ACCESS/Hadoop</P> <P>&nbsp;</P> <P>There is an article by the Guru Stuart Rogers RE. Hadoop Deployment - Kerberos and I am looking for some further clarifications:</P> <P>1. For WIN environment, if separate MIT KDC setup is not an option, will WIN registry update still work "REG_DWORD key AllowTgtSessionKey registry key" ?</P> <P>2. There is a script SAS provides (SAS TS) for Linux that could be placed in WorkspaceServer_usermods.sh where TGT is searched for the user that started the session, should that be done for SAS WIN based work space server too?</P> <P>3. There is a requirement for Java Unlimited strength policy files, with SAS using Zulu (Azul) JRE, does anyone know the download URL or is it now packaged automatically with new SAS bundled JREs?</P> <P>&nbsp;</P> <P>Thank you in advance,</P> <P>&nbsp;</P> <P>S</P> <P>&nbsp;</P> Mon, 22 Apr 2024 18:57:50 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925262#M28411 shoin 2024-04-22T18:57:50Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925276#M28412 Here's the relevant documentation on this:<BR /><BR />Configuring Client Machines to Use Integrated Windows Authentication<BR /><A href="https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1ocmfw9o3fbmhn1p3jb4y5py6ci.htm#n0r9447nh9jltzn1txvxk10qc8h9" target="_blank">https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1ocmfw9o3fbmhn1p3jb4y5py6ci.htm#n0r9447nh9jltzn1txvxk10qc8h9</A><BR /><BR />This has a link to the cryptographic extensions and discusses the registry key. You would not need to set up a script to search for your TGT in Windows as the key is stored in memory. Mon, 22 Apr 2024 19:45:25 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925276#M28412 gwootton 2024-04-22T19:45:25Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925435#M28421 Aha I was hoping you would reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> we are not opting for the MIT KDC setup, instead going this route of updating WIN registry, per Stuart's article (M2). I was looking at Cloudera's JDBC Hive driver and its manual, even they mention setting up separate MIT KDC and to get file based ticket and KRB5CCNAME setup. Is there a way to figure out to get the memory value just so the ticket could be validated? Like one could put for KRB5CCNAME? Since I have your attention, por favor, I was unclear if I needed to set JAAS config if I am going with memory setup?<BR /><BR />Much thanks for your input and time! Tue, 23 Apr 2024 19:11:15 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925435#M28421 shoin 2024-04-23T19:11:15Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925445#M28422 Is this the article from Stuart Rogers you're referencing?<BR /><BR />SAS® 9.4 on Microsoft Windows: Unleashing Kerberos on Apache Hadoop<BR /><A href="https://support.sas.com/resources/papers/proceedings18/1878-2018.pdf" target="_blank">https://support.sas.com/resources/papers/proceedings18/1878-2018.pdf</A><BR /><BR />The "MICROSOFT WINDOWS CHALLENGES" section I believe is what we're referencing.<BR /><BR />I don't think you need to set anything in KRB5CCNAME, this is all handled by the Windows kerberos libraries. <BR /><BR />I believe the configuration of IWA using jaas.config would be the same.<BR /><BR />From the document, the registry key setting is what let's the Java process spawned by the Workspace Server access the in memory token when it does not use the GSS-API.<BR /><BR />From this documentation from Microsoft, the AllowTgtSessionKey registry entry is not enabled if UAC is turned on, which seems to be a progression from what Stuart described in his paper:<BR /><BR />"With active Credential Guard in Windows 10 and later versions of Windows, you can't enable sharing the TGT session keys with applications anymore."<BR /><A href="https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys" target="_blank">https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys</A><BR /><BR />Microsoft Windows Defender Credential Guard<BR /><A href="https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1b9dyri8d3laxn1vam7bhew73cu.htm" target="_blank">https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1b9dyri8d3laxn1vam7bhew73cu.htm</A><BR /><BR /><BR /><BR /> Tue, 23 Apr 2024 19:57:33 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925445#M28422 gwootton 2024-04-23T19:57:33Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925620#M28432 <P>Much thanks, I think at this stage I am attempting to set kerberos outbound only.<BR />1. Asked for uncontrained trusted for delegation<BR />2. Found this linek for unlimited JCE <A href="https://support.azul.com/hc/en-us/articles/115001122623-Java-Cryptography-Extension-JCE-for-Azul-Zulu-and-Azul-Zing?input_string=jce+unlimited+strength+jurisdiction+policy+files" target="_blank">https://support.azul.com/hc/en-us/articles/115001122623-Java-Cryptography-Extension-JCE-for-Azul-Zulu-and-Azul-Zing?input_string=jce+unlimited+strength+jurisdiction+policy+files</A>&nbsp; looks like do not need to download and provide.<BR />3. Will ask to review the URLs you shared re. WIN specific issues</P> <P><BR />Greg, I did run klist on sas server and received output, however, when I did that from klist in SAS private JRE location I received the "<STRONG>credentials cache&nbsp; C:\Users\my-id\krb5ccname_my-id not found</STRONG>&nbsp;I have not enabled desktop IWA yet nor did the jaas.config implemented, would that be the issue? I did have the AllowTgtSessionKey set.</P> <P>I do appreciate these insights!</P> Wed, 24 Apr 2024 18:12:26 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925620#M28432 shoin 2024-04-24T18:12:26Z https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925643#M28436 You might need to run kinit from that same path for klist to produce results. Wed, 24 Apr 2024 19:32:03 GMT https://communities.sas.com/t5/Administration-and-Deployment/SAS-Hadoop-Connection-Kerberos-Question/m-p/925643#M28436 gwootton 2024-04-24T19:32:03Z