https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937228#M28780 <P>Hello&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/440477">@Acf2</a>,</P> <P>&nbsp;</P> <P>Windows Hello is just a MFA/Single Sign-On system in the Windows ecosystem, for your client machines.</P> <P>In SAS 9.4, the main and supported SSO method (specially on windows) is Kerberos/IWA/NTLM.&nbsp;</P> <P>&nbsp;</P> <P>Since Kerberos is a requirement in Windows Hello, for as long as you configure Kerberos/IWA in SAS, SAS will have no trouble with the Authentication Method in your clients machines. The servers on Windows and SAS are able to pickup the Kerberos TGT ticket.</P> <P>&nbsp;</P> <P><A href="https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust" target="_blank">https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust</A></P> Fri, 26 Jul 2024 11:06:42 GMT JuanS_OCS 2024-07-26T11:06:42Z https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937151#M28768 <P>Our organisation wants to replace Active Directory domain userid and password with Windows Hello. Can the SAS94 authentication provider on Windows Server 2019 be configured for Single Signon using the with this mechanism?&nbsp;&nbsp;</P> <P>Some concepts here :&nbsp;<A href="https://www.microsoft.com/insidetrack/blog/implementing-strong-user-authentication-with-windows-hello-for-business/" target="_blank">Implementing strong user authentication with Windows Hello for Business (microsoft.com)</A></P> Thu, 25 Jul 2024 16:55:24 GMT https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937151#M28768 Acf2 2024-07-25T16:55:24Z https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937175#M28775 <P>This looks to me like a form of two-factor authentication. If this is just another step to getting you logged onto your computer via an AD account then SAS should be fine. If you no longer have an AD account, then this is absolutely problematic.&nbsp;You need to have an Active Directory account to connect to remote SAS servers for example.&nbsp;</P> Thu, 25 Jul 2024 23:38:45 GMT https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937175#M28775 SASKiwi 2024-07-25T23:38:45Z https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937228#M28780 <P>Hello&nbsp;<a href="https://communities.sas.com/t5/user/viewprofilepage/user-id/440477">@Acf2</a>,</P> <P>&nbsp;</P> <P>Windows Hello is just a MFA/Single Sign-On system in the Windows ecosystem, for your client machines.</P> <P>In SAS 9.4, the main and supported SSO method (specially on windows) is Kerberos/IWA/NTLM.&nbsp;</P> <P>&nbsp;</P> <P>Since Kerberos is a requirement in Windows Hello, for as long as you configure Kerberos/IWA in SAS, SAS will have no trouble with the Authentication Method in your clients machines. The servers on Windows and SAS are able to pickup the Kerberos TGT ticket.</P> <P>&nbsp;</P> <P><A href="https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust" target="_blank">https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust</A></P> Fri, 26 Jul 2024 11:06:42 GMT https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937228#M28780 JuanS_OCS 2024-07-26T11:06:42Z https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937241#M28781 Thanks for the response. It looked like it was possible and I hope my organisation is prepared to support Kerberos/IWA/NTLM. For once, there is some budget.... Fri, 26 Jul 2024 12:51:06 GMT https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937241#M28781 Acf2 2024-07-26T12:51:06Z https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937245#M28783 <P>Thanks.<BR />I have been asked for an initial assessment and don't have many details yet. Since a lot of workload is moving from on-prem servers to Azure, I am assuming Azure Active Directory will replace our local domain controllers. SAS94 will stay local for at least the next 2 years.</P> <P>&nbsp;</P> Fri, 26 Jul 2024 13:02:11 GMT https://communities.sas.com/t5/Administration-and-Deployment/Windows-Hello-certificate-based-authentication-for-SAS94/m-p/937245#M28783 Acf2 2024-07-26T13:02:11Z