+ if SAS is deployed on multi-machine for example meta, mid on one and compute on other, will these steps occur on both nodes (confirming)

That will depend on your IWA requirements and the architecture you have. Configuring IWA / Kerberos across the board will be neater and provide more seamless access for your users, but there are partial configuration options too (e.g. IWA to metadata, SAS Token Authentication to compute etc). Unless there are good reasons not to I would look at configuring IWA widely for metadata, compute tier, and mid-tier applications (and possibly data sources). When it comes to mid-tier applications you also have the option for fallback configuration so that if IWA is not available it can fallback to credential prompting.

It seems like steps 8-11 slipped through the cracks and I never got to posting those. It'll take me a while to write up my notes into a blog post and, given I have lots of customer work which naturally has a higher priority, I can't see me getting to it anytime soon. However, in the time since I wrote that post there's now lots of other resources which will help you. One of the ones that may help you the most is SAS Global Forum 2016 Paper SAS3443-2016 Kerberos Delegation with SAS® 9.4 by Stuart Rogers. Most of the keytab management commands and environment variable settings you'll need are in there along with lots of other very useful info.

If you haven't already seen it all of my other IWA blog posts are listed under the IWA tag: https://platformadmin.com/blogs/paul/tag/iwa/

Some specific ones I'll call out:

• SAS & IWA: Check the Logs: https://platformadmin.com/blogs/paul/2012/06/sas-and-iwa-check-the-logs/
  Always check the logs (metadata, object spawner) to make sure the connections you think are IWA are indeed IWA Kerberos and not using SAS token, cached credentials, NTLM etc.
• SAS & IWA: Host Name Aliases and SPNs: https://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-host-name-aliases-spns/
  SAS & IWA: Reviewing SPNs: https://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-reviewing-spns/
  If you are using host name DNS aliases and not the physical host name then you will need to ensure all required SPNs are registered in AD
• SAS and IWA: Two Hops: https://platformadmin.com/blogs/paul/2012/01/sas-and-iwa-two-hops/
  SAS & IWA: Verifying Trusted for Delegation Status: https://platformadmin.com/blogs/paul/2012/03/sas-and-iwa-verify-trusted-for-delegation/
  If you want to use IWA to a workspace server, and are not using SAS Token Authentication, then you'll need to get your domain admins to mark the servers as Trusted for Delegation.

Another document to read is, of course, the How to Configure Integrated Windows Authentication section of SAS® 9.4 Intelligence Platform: Security Administration Guide.

I wholeheartedly recommend building up the config methodically from the metadata server, to compute tier, to mid-tier, carefully verifying each step along the way (e.g. checking the logs) before moving on to the next steps. Trying to do everything in one go will be harder to troubleshoot.

See how you go with those resources. If you have any specific questions post them and I'll try to answer them if they can be done in a few minutes (and others here may be able to help too). If you need anything more in-depth, then it's probably best to get help from SAS Professional Services or a local SAS Partner. Setting this up across the board can be quite challenging and time-consuming (albeit very rewarding) - getting professional help from people that have done it before will be very cost effective.

Thank you for your time and details.  I appreciate it!

One question, so far.  The service class by default (for the IOM servers) is SAS.  Is it related with the actual ID?  For example, if the installing ID is sasinst for example, will the service class default name still be SAS or it ought to match the ID?

Thank you in advance,

Shoin

If I understand your question correctly and you are asking about the prefix on the Service Principal Name (SPN) then it is just static text "SAS/" and the name is not based on the service account name (all though it is associated with the service account). I've never tried to use anything other than SAS/ so not sure if there is any SAS option to change it. When I create my service account for SAS in AD I use the following details:

In the AD Computers container create a new user:

• General tab:
  • First name: hostname-SAS
  • Display name: hostname-SAS
• Account tab:
  • User login name: hostname-SAS
  • Use a long random password
  • Password never expires
  • User cannot change password
  • Do not require Kerberos preauthentication

Replacing hostname above and below with the host name of the machine.

Then use the following command to register SAS SPNs with that service account:

setspn -u -s SAS/hostname hostname-SAS
setspn -u -s SAS/hostname.example.com hostname-SAS

Replacing example.com with the appropriate domain name. If you use DNS aliases for the host then you will need to add those short and fully-qualified ones too.

The following command can be used to review SPNs with that service account:

setspn -l hostname-SAS

If necessary setspn -u -d spn user can be used to remove any added in error.

With SAS 9.4 you no longer need to add port numbers to the SPN which was only required for SAS 9.3 and earlier.

With the service account set up you can then extract a keytab for SAS to use.

I forgot to add that I also mark the hostname computer and hostname-SAS service accounts in AD as Trusted for Delegation so you can use IWA for multiple hops for things like UNC file access, SQL Server database access etc. 

Dear Paul, much thanks.  Lots of information and I read through all the links you provided.  Again thank you very much.

I am configuring the environment w IWA on a Linux x64.  Currently only want desktop SAS clients SSO.

I have two questions that I could not find answers to:

1. Registering SPN, is it mandatory to do FQDN hostname + short-name?

2. Keytab file.  In my topology, 2 machines plus clients, do I need to have the generated keytab file one each per node?  Or just on metadata node? If one, should I combine all entries?  From my understanding, the keytab file ought to list all UPNs and SPNs, should be accessible only to the installer ID.  

These are the two last lingering item if you could shed some light on.

Thank you again for wonderful information and the help!

S