topic Re: Integrated Windows Authentication (IWA) - single sign-on failed in Administration and Deployment

Integrated Windows Authentication (IWA) - single sign-on failed

kdjamboe — Thu, 18 Feb 2016 16:39:05 GMT

Has anyone gone through the configuration of IWA for windows using Kerberos? I went through the steps but when I tested in SAS Management Console switching to use IWA I got the error below. Anyone encounted this error?

Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
Access denied.
The application could not log on to the server "vbavd2appdev1.vba.va.gov:8564". Integrated Windows authentication failed.

John

Re: Integrated Windows Authentication (IWA) - single sign-on failed

tlk — Thu, 18 Feb 2016 18:32:09 GMT

Hello,

As a Windows domain administrator, under Start Control Panel Administrative Tools Active Directory Users and Computers, access the properties dialog box for the relevant account and grant the privilege.

For example, if the spawner runs under the local system account, select the spawner host machine under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.

Or, if the spawner runs under a service account, select that account under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box. This setting is available only for service accounts that have registered service principal names.

Information source:

http://support.sas.com/documentation/cdl/en/bisecag/65011/PDF/default/bisecag.pdf

Chapître 2 page 18 : Trusted for Delegation

Re: Integrated Windows Authentication (IWA) - single sign-on failed

kdjamboe — Thu, 18 Feb 2016 19:00:23 GMT

The Spawner and the Web App Server run under service accounts. Under the Delegation tab in the domain controller the radio button "Trust this user for delegation to any service (Kerberos only) is checked for both service accounts but I am still getting the error in SMC when I check IWA.

John

Re: Integrated Windows Authentication (IWA) - single sign-on failed

tlk — Thu, 18 Feb 2016 21:18:25 GMT

Hello,

SMC connect to the metadata server, is this server trusted for delegation ?

If so then I guess this is one for Tech support

Laurent

Re: Integrated Windows Authentication (IWA) - single sign-on failed

kdjamboe — Thu, 18 Feb 2016 21:28:00 GMT

Below is the update I did in the SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg file. Is this all that is required to trust the server for delegation?

Specify -secpackagelist "Kerberos" in your equivalent of the following locations:

SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg (for the metadata server) Also, make sure that the –sspi setting is present.

Restart the metadata server.

Re: Integrated Windows Authentication (IWA) - single sign-on failed

tlk — Thu, 18 Feb 2016 21:38:43 GMT

If your SAS Metadata server is on a separate machine, I guess you have to go through the process I posted first. All the pointer I gave you came from the SAS professional($) who help with our installation. Our problem were the "Trusted for delegation" thing.

I'm sorry I'm out of idea on how to help you with this, but then techsupport at SAS is usually quick and easy.

Laurent

Re: Integrated Windows Authentication (IWA) - single sign-on failed

JuanS_OCS — Fri, 19 Feb 2016 09:02:27 GMT

Hi,

I understand that you are working with windows SAS servers. Please correct me if I am wrong here.

I would start from the basics, checking if IWA is set up ok on the servers (I guess they are, but if you have windows 2012, something could be missing): https://docs.secureauth.com/display/KBA/Integrated+Windows+Authentication+(IWA)+Troubleshooting

Then, if we could have some more details about your deployment, that would help. Information as: number of servers, which SAS tier on which server, etc.

In other hand, for the SAS Metadata server, Negotiate (NTLM, Kerberos) is not an option? I guess not, but I still ask, because it is simplier.

Focusing on Kerberos:

My initial bet would go to missing SPNs (https://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-host-name-aliases-spns), but I the same that I recommended to check the configuration of the Windows OS from the ground, regarding IWA, I would also recommend to theck the other configurations from SAS, from the ground: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n1d1zo1jsf2o0en1ehu4c4simfky.htm

Just as recommended reading, I always suggest a great SAS Paper created by Stuart Rogers ( http://support.sas.com/resources/papers/proceedings13/476-2013.pdf) which also contains a lof of recommended documents to read.

Re: Integrated Windows Authentication (IWA) - single sign-on failed

kdjamboe — Fri, 19 Feb 2016 14:37:36 GMT

Thanks you for your help. We are running SAS 9.4 M1 on windows 2000 R2 server. Both mid-tier, metadata server and compute tier are all on the same machine. I will check out the links you included. Thank you very much.

Re: Integrated Windows Authentication (IWA) - single sign-on failed

kdjamboe — Fri, 19 Feb 2016 14:38:42 GMT

Sorry we are running SAS 9.4 M1 on windows 2008 R2 server

Re: Integrated Windows Authentication (IWA) - single sign-on failed

JuanS_OCS — Fri, 19 Feb 2016 14:42:19 GMT

Thank you!

And, in SAS Management Console, whow are set up the Authentication of your SAS metadata Server and your SAS workspace Server? Both Forced to Kerberos?

Re: Integrated Windows Authentication (IWA) - single sign-on failed

kdjamboe — Fri, 19 Feb 2016 15:43:23 GMT

Hello,

You asked

"And, in SAS Management Console, whow are set up the Authentication of your SAS metadata Server and your SAS workspace Server? Both Forced to Kerberos?"

I don't quite get the question. You mean where in SMC did I set up authentication for my SAS metadata server? In the Connection Profile I checked the IWA box, clicked on Advanced:

Security Package is Negotiate

SPN is Blank

Security package list is Kerberos,NTLM

Re: Integrated Windows Authentication (IWA) - single sign-on failed

JuanS_OCS — Fri, 19 Feb 2016 16:29:56 GMT

Thanks! That is what I needed.is good.

You can get a list of your registered spn with the command setspn -L your host

I think you miss some spn.

You could try to fill the spn field that is now blank with your full qualified hostname, then restart the metadata server.