Hello,

As a Windows domain administrator, under Start  Control Panel  Administrative Tools  Active Directory Users and Computers, access the properties dialog box for the relevant account and grant the privilege.

For example, if the spawner runs under the local system account, select the spawner host machine under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.

Or, if the spawner runs under a service account, select that account under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box. This setting is available only for service accounts that have registered service principal names.

Information source:

http://support.sas.com/documentation/cdl/en/bisecag/65011/PDF/default/bisecag.pdf

Chapître 2 page 18 : Trusted for Delegation

The Spawner and the Web App Server run under service accounts.  Under the Delegation tab in the domain controller the radio button  "Trust this user for delegation to any service (Kerberos only) is checked for both service accounts but I am still getting the error in SMC when I check IWA.

John

Hello,

SMC connect to the metadata server, is this server trusted for delegation ?

If so then I guess this is one for Tech support

Laurent

Below is the update I did in the SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg file.  Is this all that is required to trust the server for delegation?

1. Specify -secpackagelist "Kerberos" in your equivalent of the following locations:

• SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg (for the metadata server) Also, make sure that the –sspi setting is present.

1. Restart the metadata server.

If your SAS Metadata server is on a separate machine, I guess you have to go through the process I posted first.   All the pointer I gave you came from the SAS professional($) who help with our installation.  Our problem were the "Trusted for delegation" thing. 

I'm sorry I'm out of idea on how to help you with this, but then techsupport at SAS is usually quick and easy.

Laurent

Hi,

I understand that you are working with windows SAS servers. Please correct me if I am wrong here.

I would start from the basics, checking if IWA is set up ok on the servers (I guess they are, but if you have windows 2012, something could be missing): https://docs.secureauth.com/display/KBA/Integrated+Windows+Authentication+(IWA)+Troubleshooting 

Then, if we could have some more details about your deployment, that would help. Information as: number of servers, which SAS tier on which server, etc.

In other hand, for the SAS Metadata server, Negotiate (NTLM, Kerberos) is not an option? I guess not, but I still ask, because it is simplier.

Focusing on Kerberos:

My initial bet would go to missing SPNs (https://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-host-name-aliases-spns), but I the same that I recommended to check the configuration of the Windows OS from the ground, regarding IWA, I would also recommend to theck the other configurations from SAS, from the ground: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n1d1zo1jsf2o0en1eh...

Just as recommended reading, I always suggest a great SAS Paper created by Stuart Rogers ( http://support.sas.com/resources/papers/proceedings13/476-2013.pdf) which also contains a lof of recommended documents to read.

Thanks you for your help.  We are running SAS 9.4 M1 on windows 2000 R2 server.  Both mid-tier, metadata server and compute tier are all on the same machine.   I will check out the links you included.  Thank you very much.

Sorry we are running SAS 9.4 M1 on windows 2008 R2 server

Thank you!

And, in SAS Management Console, whow are set up the Authentication of your SAS metadata Server and your SAS workspace Server? Both Forced to Kerberos?

Hello,

You asked

"And, in SAS Management Console, whow are set up the Authentication of your SAS metadata Server and your SAS workspace Server? Both Forced to Kerberos?"

I don't quite get the question.  You mean where in SMC did I set up authentication for my SAS metadata server?  In the Connection Profile I checked the IWA box, clicked on Advanced: 

Security Package  is Negotiate

SPN is Blank

Security package list is Kerberos,NTLM

Thanks! That is what I needed.is good.

You can get a list of your registered spn with the command setspn -L your host 

I think you miss some spn.

You could try to fill the spn field that is now blank with your full qualified hostname, then restart the metadata server.