topic Re: SAS windows Kerberos in Administration and Deployment

SAS windows Kerberos

Rveerepalli — Fri, 03 Apr 2020 13:45:13 GMT

Hi All,

I am using SAS on windows (9.4 M6) and connecting to Hadoop. My windows PC is on a different domain compared to Hadoop. I generated Kerberos ticket and it works for ODBC connection to Hadoop and also works on Java applications. My KRB5CCNAME environment variable resolves properly on SAS. However, when I run libname statement in SAS, it is trying to connect to use my windows realm ticket (rather than using ticket for Hadoop realm). Is there any change that I am missing to do in configuration?

Re: SAS windows Kerberos

AnandVyas — Fri, 03 Apr 2020 14:09:31 GMT

Where is krb5.conf file located in your environment?
When you SAS Session is spawned using any client, how does it generate the krb ticket?

Re: SAS windows Kerberos

Rveerepalli — Fri, 03 Apr 2020 14:21:02 GMT

Added the below two Java security settings to the SAS config file
-Djava.security.krb5.conf=C:\Hadoop\Kerberos\krb5.ini
-Djavax.security.auth.useSubjectCredsOnly=false

Also ticket is pre-generated at login by MIT Kerberos application

Re: SAS windows Kerberos

AnandVyas — Fri, 03 Apr 2020 15:30:24 GMT

Can you run klist on the ticket generated and resolved for the KRB5CCNAME ENV variable to see if it's of the Hadoop realm or windows?
And when you say you have generated ticket and was able to make ODBC connection to Hadoop, that is using tools outside of SAS?

Re: SAS windows Kerberos

PrathmeshX — Tue, 15 Apr 2025 10:50:03 GMT

Hello Rveerepalli,

so from your post I'm assuming you had completed the SSO implementation.

I'm new to SAS Administration and have recently completed a SAS 9.4 M6 installation on our internal Demo Server(Windows).

I've now been assigned the task of implementing Single Sign-On (SSO) using Integrated Windows Authentication (IWA) with Kerberos, following the guidance provided in the SAS documentation:

Support for Integrated Windows Authentication
https://documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1871e69gmwdr0n1o182krslc10p.htm

I've obtained the keytab file from our IT team. However, when testing the keytab using the kinit command to generate a Kerberos ticket, I encountered issues.

Here’s the command I ran:

CopyEdit

kinit -V -k -t D:/keytab/12apr/saskeytab_WD.keytab -J-Djava.security.krb5.conf=E:\SASConfig\Lev1\Web\WebAppServer\SASServer1_1\conf\krb5.ini HTTP/otsisasnode.ex.com@EX.COM

I get the error -

Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Something related to the ticket encryption used is causing the problem.

Can you please give some pointers to resolve the issue so that atleast I can generate the ticket using the keytab for test run before moving to further steps.

Content of file (krb5.ini):
[libdefaults]
default_realm = EX.COM
forwardable = true
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts

[realms]
EX.COM = {
kdc = dc16.ex.com
}

[domain_realm]
ex.com = EX.COM
.ex.com = EX.COM

Re: SAS windows Kerberos

gwootton — Mon, 21 Apr 2025 18:36:42 GMT

Remove the -V option from your kinit command, that option is not valid on Windows.

Re: SAS windows Kerberos

mkiran — Mon, 21 Apr 2025 18:53:40 GMT

It could be related to the active directory too. Its worth to check below...

What account did you use to create the HTTP SPN? (verify your SPN creation command something like this "setspn -s HTTP/<servername> <DOMAIN>\<username>")

look for the username in AD and enable aes256 encryption under the account/options tab.

Re: SAS windows Kerberos

PrathmeshX — Thu, 05 Jun 2025 06:18:30 GMT

Thanks for the Suggestion,

The actual problem lied in the encryption option of the user in the AD server,

Enabled the encryption to aes256 and aes128 which is commonly used in the ticket generation using the keytab file.

After this changes, I was able to generate the ticket with the new keytab file from the AD Admin.