topic Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification in Administration and Deployment

SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

freshstarter — Fri, 01 May 2026 09:25:55 GMT

Hello All,

This is regarding our implementation of a Group Managed Service Account (gMSA) in our latest SAS Viya environment.

We have created a service account in Entra and provisioned it to SAS via SCIM for scheduling purposes. Based on this, we are planning to use a gMSA-style approach where a group of users from our OPS team can schedule jobs using this service account.

Current setup:

Created a service account and added it to a custom group: “Service Account User for Schedule”
Created an Entra ID group: OPS_Schedule_Team and added relevant members and then provisioned to SAS
Logged in via CLI using the service account and executed the following commands to create the authentication domain and store credentials:

sas-viya credentials domains create --domain-id Scheduling_OPS_TokenAuth --type oauth2.0

sas-viya credentials groups create --domain-id Scheduling_OPS_TokenAuth --identity-id OPS_Schedule_Team --allowed-client sas.scheduler --allowed-client sas.jobExecution --allowed-client sas.jobFlowScheduling

The domain was created successfully, and I can see an entry in the credentials store for this authentication domain with identity as OPS_Schedule_Team
In SAS Environment Manager, users in the OPS team are able to select the service account under the “Run as” option when scheduling jobs. Everything is working as expected so far.

Going forward, we will not be logging in interactively using the service account. Instead, OPS team members will schedule jobs using it via the gMSA approach.

My question is regarding the refresh token lifecycle:

Since we are not logging in interactively with the service account, will scheduled jobs continue to run only until the refresh token remains valid? Is this understanding correct?
If the refresh token expires, what is the recommended way to automate token renewal for the service account without manual intervention?
I came across this document:https://communities.sas.com/t5/SAS-Communities-Library/SAS-Viya-2023-07-Run-As-Authentication-Update/ta-p/893085 It mentions a scheduled job for automatic token rotation, but it appears to apply only up to the 2023.11 release. We are currently on the 2026.03 release—has this approach changed in newer versions?

Additional clarification:

If we do not use the gMSA approach and instead log in interactively with the service account to schedule jobs, would we face the same issue? For example, if a job is scheduled daily and no one logs in again for an extended period, will the job continue to run only until the refresh token expires?

Any clarification or best practices around this setup would be greatly appreciated. Thanks in advance.

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

gwootton — Mon, 04 May 2026 18:45:34 GMT

Both the scheduler service and credentials service maintain the validity of their stored refresh tokens by acquiring new ones periodically, so in either case you should not need to take any action and the functionality to schedule new jobs using a group-managed service account and the running of existing jobs should continue indefinitely.

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

freshstarter — Mon, 04 May 2026 19:20:00 GMT

Thanks @gwootton for your response.

Is there any way to check whether new tokens are being acquired and refreshed internally?

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

gwootton — Mon, 04 May 2026 19:59:34 GMT

On the credentials service, you could set the logger com.sas.credentials.OAuthAccessTokenManager to debug to see messages related to this process.

On the scheduler service you'll see messages by default at the info level when it attempts to get a new refresh token. You could set com.sas.scheduling.persistence.RefreshTokenScheduler to debug to see messages related to it checking to see if it needs to refresh the tokens.

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

freshstarter — Tue, 05 May 2026 16:10:22 GMT

Thanks you.

But I don't think auto token refresh is happening and stored internally on credentials service.

I have created a domain last week for gMSA purpose but when I tried to execute the job today using Run as feature via gMSA, I'm getting this failure.

Failed to obtain a valid credential. Contact your system administrator to check the status of the credential in the domain Scheduling_OPS_TokenAuth.

path: /scheduler/jobs

Re: SAS Viya gMSA Scheduling and Refresh Token Behavior Clarification

gwootton — Tue, 05 May 2026 17:49:43 GMT

Refresh tokens by default are valid for 14 days (https://go.documentation.sas.com/doc/en/sasadmincdc/v_075/calconfigref/p1tat3guv9i2g5n1kktrzbprntog.htm), so even if the token wasn't refreshing it would still be valid. You may want to look in the logs for credentials and scheduler services for more details on the failure, or engage SAS Technical Support.