BookmarkSubscribeRSS Feed
kdjamboe
Calcite | Level 5

Has anyone gone through the configuration of IWA for windows using Kerberos?  I went through the steps but when I tested in SAS Management Console switching to use IWA I got the error below.  Anyone encounted this error?

 

Unexpected error in function AcceptSecurityContext.  Error -2146893048 (The token supplied to the function is invalid ).
Access denied.
The application could not log on to the server "vbavd2appdev1.vba.va.gov:8564". Integrated Windows authentication failed.     

 

John                                            

11 REPLIES 11
tlk
Quartz | Level 8 tlk
Quartz | Level 8

Hello,

 

 

As a Windows domain administrator, under Start  Control Panel  Administrative Tools  Active Directory Users and Computers, access the properties dialog box for the relevant account and grant the privilege.

For example, if the spawner runs under the local system account, select the spawner host machine under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.

Or, if the spawner runs under a service account, select that account under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box. This setting is available only for service accounts that have registered service principal names.

 

 

Information source:

 

http://support.sas.com/documentation/cdl/en/bisecag/65011/PDF/default/bisecag.pdf

 

Chapître 2 page 18 : Trusted for Delegation

 

kdjamboe
Calcite | Level 5

The Spawner and the Web App Server run under service accounts.  Under the Delegation tab in the domain controller the radio button  "Trust this user for delegation to any service (Kerberos only) is checked for both service accounts but I am still getting the error in SMC when I check IWA.

 

John

tlk
Quartz | Level 8 tlk
Quartz | Level 8

Hello,

 

SMC connect to the metadata server, is this server trusted for delegation ?

 

If so then I guess this is one for Tech support

 

 

Laurent

kdjamboe
Calcite | Level 5

Below is the update I did in the SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg file.  Is this all that is required to trust the server for delegation?

 

 

  1. Specify -secpackagelist "Kerberos" in your equivalent of the following locations:
  • SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg (for the metadata server) Also, make sure that the –sspi setting is present.

 

  1. Restart the metadata server.
tlk
Quartz | Level 8 tlk
Quartz | Level 8

If your SAS Metadata server is on a separate machine, I guess you have to go through the process I posted first.   All the pointer I gave you came from the SAS professional($) who help with our installation.  Our problem were the "Trusted for delegation" thing. 

 

I'm sorry I'm out of idea on how to help you with this, but then techsupport at SAS is usually quick and easy.

 

 

Laurent

JuanS_OCS
Amethyst | Level 16

Hi,

 

I understand that you are working with windows SAS servers. Please correct me if I am wrong here.

 

I would start from the basics, checking if IWA is set up ok on the servers (I guess they are, but if you have windows 2012, something could be missing): https://docs.secureauth.com/display/KBA/Integrated+Windows+Authentication+(IWA)+Troubleshooting 

 

Then, if we could have some more details about your deployment, that would help. Information as: number of servers, which SAS tier on which server, etc.

 

In other hand, for the SAS Metadata server, Negotiate (NTLM, Kerberos) is not an option? I guess not, but I still ask, because it is simplier.

 

Focusing on Kerberos:

My initial bet would go to missing SPNs (https://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-host-name-aliases-spns), but I the same that I recommended to check the configuration of the Windows OS from the ground, regarding IWA, I would also recommend to theck the other configurations from SAS, from the ground: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n1d1zo1jsf2o0en1eh...

 

Just as recommended reading, I always suggest a great SAS Paper created by Stuart Rogers ( http://support.sas.com/resources/papers/proceedings13/476-2013.pdf) which also contains a lof of recommended documents to read.

 

 

 

kdjamboe
Calcite | Level 5

Thanks you for your help.  We are running SAS 9.4 M1 on windows 2000 R2 server.  Both mid-tier, metadata server and compute tier are all on the same machine.   I will check out the links you included.  Thank you very much.

kdjamboe
Calcite | Level 5

Sorry we are running SAS 9.4 M1 on windows 2008 R2 server

JuanS_OCS
Amethyst | Level 16

Thank you!

 

And, in SAS Management Console, whow are set up the Authentication of your SAS metadata Server and your SAS workspace Server? Both Forced to Kerberos?

 

kdjamboe
Calcite | Level 5

Hello,

 

You asked

"And, in SAS Management Console, whow are set up the Authentication of your SAS metadata Server and your SAS workspace Server? Both Forced to Kerberos?"

 

I don't quite get the question.  You mean where in SMC did I set up authentication for my SAS metadata server?  In the Connection Profile I checked the IWA box, clicked on Advanced: 

Security Package  is Negotiate

SPN is Blank

Security package list is Kerberos,NTLM

JuanS_OCS
Amethyst | Level 16

Thanks! That is what I needed.is good.

 

You can get a list of your registered spn with the command setspn -L your host 

I think you miss some spn.

 

You could try to fill the spn field that is now blank with your full qualified hostname, then restart the metadata server.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 11 replies
  • 4945 views
  • 1 like
  • 3 in conversation