cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
Fiachra
Fluorite | Level 6 Fiachra
Fluorite | Level 6

Authentication Issues

Posted 10-05-2018 06:53 AM (866 views)

Hi guys,

 

Been struggling with configuring our SAS Office Analytics server deployment.

 

The set-up is

 

Our compute and metadata servers on on the same domain (DOMAIN1) and our permanent SAS libraries are located on the compute server in this domain. Our general network area is on a different domain (DOMAIN2). We have SAS ibraries set up in metadata to access the permanent data on DOMAIN1 but we would also like to be able to assign libraries and direct output to the network areas on DOMAIN2. There is a trust relationship between the two domains.

 

The issue

 

  • With IWA in SAS EG and security package set to negotiate on metadata and workspace server all users can access the permanent SAS libraries but none can assign an ad hoc library back to a network drive. I have followed the documentation on configuring IWA (http://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n1d1zo1jsf2o0en1eh... )and we have ensured that delegation is enabled but still not able to reference back via a UNC path. The error message on trying to assing the library via UNC path is ERROR: User does not have appropriate authorization level for library TEST.
    ERROR: Error in the LIBNAME statement.
  • With username/password in SAS EG and security package set to username/password  on the metadata and workspace sever users with admin privileges on the compute server can access the permanent libraries and assign a library to the network drive but non-admin other users can't access anything. No error message appears in EG under this scenario but the users just continue to be prompted for username and password.

 

 Ideally I would like to get the IWA solution working but could live with username/password. For the username/password option the issue seems to be related to OS privileges (probably the IWA one too) on the server but I need to find out exactly what privileges are required for normal users as giving everyone admin rights is not a viable option.

 

Thanks for any help.

 

Fiachra.

0 Likes
Reply
1 REPLY 1
PaulHomes
Rhodochrosite | Level 12 PaulHomes
Rhodochrosite | Level 12

Re: Authentication Issues

Posted 10-05-2018 09:40 PM (833 views)  |   In reply to Fiachra

Because it also fails for non-admin users when not using IWA, this sounds like an issue with permissions on the share and/or server file system. I would start tracing those. To assign a library (and not update any tables) they should only need basic read and list folder contents access.

 

Once you have the non-IWA access resolved, and start looking at IWA access, if you you are using Windows 10 watch out for potential issues with constrained vs unconstrained delegation - for more info look at the Windows Defender Credential Guard section of Stuart Rogers' SAS Global Forum Paper SAS1878-2018: SAS® 9.4 on Microsoft Windows: Unleashing Kerberos on Apache Hadoop

Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 1 reply
  • ‎10-05-2018 06:53 AM
  • 867 views
  • 1 like
  • 2 in conversation