kumarsandip975
Pyrite | Level 9

Dear All,
Recently, we implemented IWA authentication on our SAS 9.4 running on Windows Server.

We do use NTFS, and when a user tries to access a shared file from a libname, they get an error.

73 libname lib1 "\\aSASXXX-xxx1.xxx.xx\SASSTU_xxx_xxx";
ERROR: User does not have appropriate authorization level for library LIB1.
ERROR: Error in the LIBNAME statement.

I was going through this post: 41477 - Authorization errors can occur when you use Integrated Windows Authentication
As suggested, I tried to add the SPNs cifs/myfileshare and delegate my service account in AD, as the object spawner is running with a service account, but I am still having the same issues.

Could you please suggest if I am missing anything?

The only difference is my SPN and delegation as CIFS/; is it case sensitive?

SASKiwi
PROC Star

What SAS user interface is used here? If it is Enterprise Guide, then change your EG server connection to not use IWA (just Windows account and password) and test the same LIBNAME again. If this works then the problem is with IWA and SPNs for the storage being accessed. If it doesn't work then the problem is with the Windows account permissions on the folders in the LIBNAME and has nothing to do with IWA.

kumarsandip975
Pyrite | Level 9

@SASKiwi We are using SAS Studio; before the IWA implementation, it was working. We have no issue with access.

libname lib1 "\\aSASxxxt-srv1.xxxt.xx\SASSTU_xxx_DATA"; 
libname lib1 "\\xxxxxxx.xxx001.xx.xxx.xxx\SASSTU_xxx_DATA";  
libname lib1 "\\10.xxx.00.xx\SASSTU_xxx_DATA";


When I tried with the name and the address, it worked, but not with the alias.

Note: We are able to access the alias path from File Explorer on a local PC, as we have given share access to everyone, and it should work from SAS Studio.

gwootton
SAS Super FREQ
Is there an SPN defined for the alias (cifs/<alias>), assigned to the account for the host that is hosting the file share?
If so, is delegation allowed to that SPN?
--
Greg Wootton | Principal Systems Technical Support Engineer
kumarsandip975
Pyrite | Level 9

@gwootton Yes, SPNs (cifs/aliases) are defined on CN=Host and we delegated the same to the service account.

gwootton
SAS Super FREQ
I ran into a similar issue recently and the issue ended up being that the computer account (not the service account) where the SAS job was running needed delegation permitted to the CIFS SPN.
--
Greg Wootton | Principal Systems Technical Support Engineer
kumarsandip975
Pyrite | Level 9

@gwootton Should I consider the settings below for registering SPNs and delegation?

1. Registering SPNs -
1.1. Where to register SPNs - user object or computer object? - computer object.
1.2. Why? These are file servers; SMB/CIFS services run under LocalSystem.
2. Delegation SPNs -
2.1. The SAS Object Spawner service is running with a service account. Delegation should always be on the ACCOUNT THAT STARTS THE CONNECTION, and if delegation is needed, configure constrained delegation.
gwootton
SAS Super FREQ
In my case, the "account that starts the connection" was the computer account where SAS was running despite the launcher of SAS, the object spawner, running as a service account. So, it was necessary to trust for delegation from the computer account to the cifs/file-server SPN.
--
Greg Wootton | Principal Systems Technical Support Engineer
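
Added example, not part of any post in this thread: a read-only PowerShell audit of the two things the replies ask about, whether cifs/<alias> is registered and whether the SAS host's computer account or the spawner's service account is permitted to delegate to it. The alias names, host name and account name are placeholders, and the ActiveDirectory (RSAT) module is assumed.

```powershell
# Read-only audit; needs the ActiveDirectory module (RSAT). All names are placeholders.
Import-Module ActiveDirectory

$AliasNames  = @('fileshare-alias', 'fileshare-alias.example.com')  # alias forms used in the UNC path
$SasComputer = 'SASHOST01'       # computer account of the host where the SAS job runs
$SpawnerAcct = 'svc-sasspawner'  # service account that runs the object spawner

# Delegation settings to read from both candidate "accounts that start the connection".
$props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
$accounts = @(
    Get-ADComputer -Identity $SasComputer -Properties $props
    Get-ADUser     -Identity $SpawnerAcct -Properties $props
)

$registration = @()
$delegation   = @()
foreach ($alias in $AliasNames) {
    $spn = "cifs/$alias"

    # Expect exactly one owner: the file server's computer object.
    # The same SPN on more than one object causes Kerberos failures.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $registration += [pscustomobject]@{
        Spn    = $spn
        State  = switch ($owners.Count) { 0 { 'NOT FOUND' } 1 { 'OK' } default { 'DUPLICATE' } }
        Owners = $owners.DistinguishedName -join ' | '
    }

    # Constrained delegation lists target SPNs in msDS-AllowedToDelegateTo.
    foreach ($acct in $accounts) {
        $delegation += [pscustomobject]@{
            Spn                = $spn
            Account            = $acct.SamAccountName
            Type               = $acct.ObjectClass
            ConstrainedToSpn   = $acct.'msDS-AllowedToDelegateTo' -contains $spn
            Unconstrained      = $acct.TrustedForDelegation
            ProtocolTransition = $acct.TrustedToAuthForDelegation
        }
    }
}

$registration | Format-Table -AutoSize
$delegation   | Format-Table -AutoSize
```

A row with `Type` of `computer` and `ConstrainedToSpn` of `False` for the alias matches the situation described in the last reply, where delegation existed on the service account but not on the computer account.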
