02-18-2016 11:39 AM
Has anyone gone through the configuration of IWA for windows using Kerberos? I went through the steps but when I tested in SAS Management Console switching to use IWA I got the error below. Anyone encounted this error?
Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
The application could not log on to the server "vbavd2appdev1.vba.va.gov:8564". Integrated Windows authentication failed.
02-18-2016 01:32 PM
As a Windows domain administrator, under Start Control Panel Administrative Tools Active Directory Users and Computers, access the properties dialog box for the relevant account and grant the privilege.
For example, if the spawner runs under the local system account, select the spawner host machine under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.
Or, if the spawner runs under a service account, select that account under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box. This setting is available only for service accounts that have registered service principal names.
Chapître 2 page 18 : Trusted for Delegation
02-18-2016 02:00 PM
The Spawner and the Web App Server run under service accounts. Under the Delegation tab in the domain controller the radio button "Trust this user for delegation to any service (Kerberos only) is checked for both service accounts but I am still getting the error in SMC when I check IWA.
02-18-2016 04:18 PM
SMC connect to the metadata server, is this server trusted for delegation ?
If so then I guess this is one for Tech support
02-18-2016 04:28 PM
Below is the update I did in the SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg file. Is this all that is required to trust the server for delegation?
02-18-2016 04:38 PM
If your SAS Metadata server is on a separate machine, I guess you have to go through the process I posted first. All the pointer I gave you came from the SAS professional($) who help with our installation. Our problem were the "Trusted for delegation" thing.
I'm sorry I'm out of idea on how to help you with this, but then techsupport at SAS is usually quick and easy.
02-19-2016 04:02 AM
I understand that you are working with windows SAS servers. Please correct me if I am wrong here.
I would start from the basics, checking if IWA is set up ok on the servers (I guess they are, but if you have windows 2012, something could be missing): https://docs.secureauth.com/display/KBA/Integrated+Windows+Authentication+(IWA)+Troubleshooting
Then, if we could have some more details about your deployment, that would help. Information as: number of servers, which SAS tier on which server, etc.
In other hand, for the SAS Metadata server, Negotiate (NTLM, Kerberos) is not an option? I guess not, but I still ask, because it is simplier.
Focusing on Kerberos:
My initial bet would go to missing SPNs (https://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-host-name-aliases-spns), but I the same that I recommended to check the configuration of the Windows OS from the ground, regarding IWA, I would also recommend to theck the other configurations from SAS, from the ground: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n1d1zo1jsf2o0en1eh...
Just as recommended reading, I always suggest a great SAS Paper created by Stuart Rogers ( http://support.sas.com/resources/papers/proceedings13/476-2013.pdf) which also contains a lof of recommended documents to read.
02-19-2016 09:37 AM
Thanks you for your help. We are running SAS 9.4 M1 on windows 2000 R2 server. Both mid-tier, metadata server and compute tier are all on the same machine. I will check out the links you included. Thank you very much.
02-19-2016 09:42 AM
And, in SAS Management Console, whow are set up the Authentication of your SAS metadata Server and your SAS workspace Server? Both Forced to Kerberos?
02-19-2016 10:43 AM
"And, in SAS Management Console, whow are set up the Authentication of your SAS metadata Server and your SAS workspace Server? Both Forced to Kerberos?"
I don't quite get the question. You mean where in SMC did I set up authentication for my SAS metadata server? In the Connection Profile I checked the IWA box, clicked on Advanced:
Security Package is Negotiate
SPN is Blank
Security package list is Kerberos,NTLM
02-19-2016 11:29 AM
Thanks! That is what I needed.is good.
You can get a list of your registered spn with the command setspn -L your host
I think you miss some spn.
You could try to fill the spn field that is now blank with your full qualified hostname, then restart the metadata server.