Architecting, installing and maintaining your SAS environment

AD Account is locked at SAS Server

Reply
Occasional Contributor
Posts: 6

AD Account is locked at SAS Server

I have a user who has been having his account locked out at the domain level and has happened numerous times since Friday. This user is high profile. This started on Friday and has been continuing for the last few days. I have my server and security teams working the issue with no results. The user gets his account unlocked and within the hour it is getting locked. The security monitor SPLUNK reports that my SAS server is the one locking him out. Over the last three days we have rebooted the server, deleted and re-added the account, and had him try to access production, backup and devel servers. Today we opened a SAS Track and are waiting for a response. Since this user supports higher management here, I used a "SERVICE" account that I had in reserve and logged him in as that from his PC through to the server. He has been stable all afternoon via that method. I, in turn is masquerading as the user to see if I while impersonating him get locked out.

 

I'm runnning Office Analytics single machine 9.4 M2. The user is running EG 6.1 and I am running EG 7.1.

 

I'm open to any and all suggestions.

 

Thanks,

Jerry Coppa SAS Admin at PA DHS

Super User
Posts: 3,111

Re: AD Account is locked at SAS Server

I had a problem very similar to this and it was caused by old remote login sessions to our SAS server that were just disconnected but not signed out. In the meantime I had changed my password but the old sessions kept trying to authenticate and kept locking me out.

 

Does your user have remote login access? If not another possibility is having his old password stored in SAS metadata or in scheduled jobs. Use SAS Management Console to update the metadata-stored password or to re-schedule the jobs.

Super Contributor
Posts: 356

Re: AD Account is locked at SAS Server

Have seen this before also but can't recall the exact problem...  

 

I gather the user can't log onto the server directly

 

Given you have rebooted the server etc, a rouge session doesn't seem to be the issue...

 

do you have credentials stored in the metadata? or hardcoded in SAS code?  are there any SAS jobs running on the server when the account is locked?  Is it after they do something in SAS or is it even when they don't do anything?

 

Although it is the SAS server that is seen to be be doing this it may not be SAS that is the issue....

 

Barry

Valued Guide
Posts: 3,208

Re: AD Account is locked at SAS Server

There are a lot of possible causes.

- The existance of some user ghostprocesses still running and connecting at intervals

- The coding of the old/wrong password in a connection profile. (eguide amo/ .net    DI SMC /java)

- the caching (eg conncet) in a SAS metadatadata autentication location

- the usage hard coded of user/password combination.
Finding and seeing these user errors can be hard.

Than you can ahve problems in the SAS system itself.

- The login can be delayed by failed logins. In those cases the metadata login can get delayed in a unusable way.

When the user does a login and wille retry with different password thinking it are typos it can cause a lock.
- After changing the password the sasauthentication can be delayed separtely  of your OS setttings.

Getting a new password after an unlock can cause the marvelous sitaution you can loging at the OS level but using SAS for that will fail. After several retries it can get locked. 

   

---->-- ja karman --<-----
Ask a Question
Discussion stats
  • 3 replies
  • 553 views
  • 0 likes
  • 4 in conversation