topic Re: Integrated Windows Authentication in the Middle Tier in Administration and Deployment

Integrated Windows Authentication in the Middle Tier

kumarsandip975 — Tue, 18 Nov 2025 21:24:58 GMT

I am working on setting up Integrated Windows Authentication (IWA) for SAS Studio and related web applications. Before proceeding further, I would like to confirm some prerequisites regarding SPNs and delegation configuration in Active Directory.

Current Architecture

SAS 9.4 M8 hosted on Windows
Metadata Server – Machine1
Mid-tier – Machine2
Compute Server 1 – Machine3
Compute Server 2 – Machine4

Service Accounts

We plan to use three separate domain service accounts for SAS services:

ACCOUNT1_META – Runs SAS Metadata Server service
ACCOUNT2_MID – Runs SASServer1_1 (WebAppServer) service
ACCOUNT3_COMP – Runs Object Spawner (SASApp) service on both compute machines

SPNs Registered

Below are the SPNs currently registered:

ACCOUNT1_META

SAS/aSASSTU-met.XXX.xx
SAS/aSASSTU-met

ACCOUNT2_MID

HTTP/aSASSTU-mid.XXX.xx
HTTP/aSASSTU-mid

ACCOUNT3_COMP

SAS/aSASSTU-comp.XXX.xx
SAS/aSASSTU-comp

Clarification Needed

Since our deployment spans multiple machines, is it acceptable to use different service accounts and register SPNs only for their respective hosts? Specifically:

Will the mid-tier be able to interact with the metadata and compute tiers without SPNs registered for those hosts under the mid-tier account?
Or do we need additional SPNs or delegation settings to ensure proper Kerberos authentication and identity propagation?

Your guidance on best practices for SPN registration and delegation in this multi-tier SAS environment would be greatly appreciated.

Re: Integrated Windows Authentication in the Middle Tier

LinusH — Wed, 19 Nov 2025 09:39:41 GMT

We have also three separate accounts.

And we have implemented AllowToDelegateTo:

mid tier SPN:
- it's own host
- compute host
compute SPN:
- it's own host
- http to mid-tier
- Any external databases you wish to sso to

Re: Integrated Windows Authentication in the Middle Tier

kumarsandip975 — Wed, 19 Nov 2025 10:38:21 GMT

@LinusH do you mean this delegation
Midtier account should delegate to midtier host as well compute host? and compute account to own and http as well?

Re: Integrated Windows Authentication in the Middle Tier

kumarsandip975 — Wed, 19 Nov 2025 10:46:19 GMT

Also, I have a question regarding the point where mentioned in document for midtier configuration about SPNEGO option and as the auth-method in the web.xml file for SAS Logon Manager.

SAS Help Center: Support for Integrated Windows Authentication

do we need to configure browser settings when we go with SPNEGO option? as per below suggestions. For example, we have MS Edge.
Configure Google Chrome and Microsoft Edge to Use SPNEGO

Re: Integrated Windows Authentication in the Middle Tier

LinusH — Wed, 19 Nov 2025 11:40:52 GMT

I don't think I have access to that UI, we have ordered it to central AD admins. But my guess is, yes.

Re: Integrated Windows Authentication in the Middle Tier

LinusH — Wed, 19 Nov 2025 11:41:42 GMT

But in your picture, both are HTTP, one should med "host".

Re: Integrated Windows Authentication in the Middle Tier

kumarsandip975 — Wed, 19 Nov 2025 13:18:41 GMT

yes, those are both mid , one with just hostname and fqn combination. We have asked this picture from AD admin, we will add additionally metadata , even compute host as SAS/*

Re: Integrated Windows Authentication in the Middle Tier

kumarsandip975 — Wed, 19 Nov 2025 13:19:43 GMT

@LinusH have you done this configuration Configure Google Chrome and Microsoft Edge to Use SPNEGO additionally to allow SPNEGO option.