Integrated Windows Authentication (IWA) - single sign-on failed

Occasional Contributor
Posts: 9

Has anyone gone through the configuration of IWA for Windows using Kerberos? I went through the steps, but when I tested in SAS Management Console after switching to IWA I got the error below. Has anyone encountered this error?

Unexpected error in function AcceptSecurityContext.  Error -2146893048 (The token supplied to the function is invalid ).
Access denied.
The application could not log on to the server "vbavd2appdev1.vba.va.gov:8564". Integrated Windows authentication failed.

John                                            

Contributor tlk
Contributor
Posts: 54

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Hello,

As a Windows domain administrator, under Start > Control Panel > Administrative Tools > Active Directory Users and Computers, access the properties dialog box for the relevant account and grant the privilege.

For example, if the spawner runs under the local system account, select the spawner host machine under Computers. On the Delegation tab (or the General tab), select the Trust this computer for delegation check box.

Or, if the spawner runs under a service account, select that account under Users. On the Delegation tab (or the Accounts tab), select the Account is trusted for delegation check box. This setting is available only for service accounts that have registered service principal names.

Information source:

http://support.sas.com/documentation/cdl/en/bisecag/65011/PDF/default/bisecag.pdf

Chapter 2, page 18: Trusted for Delegation

Occasional Contributor
Posts: 9

Re: Integrated Windows Authentication (IWA) - single sign-on failed

The Spawner and the Web App Server run under service accounts. Under the Delegation tab on the domain controller, the radio button "Trust this user for delegation to any service (Kerberos only)" is checked for both service accounts, but I am still getting the error in SMC when I check IWA.

John

Contributor tlk
Contributor
Posts: 54

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Hello,

SMC connects to the metadata server; is this server trusted for delegation?

If so, then I guess this is one for Tech Support.

Laurent

Occasional Contributor
Posts: 9

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Below is the update I made in the SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg file. Is this all that is required to trust the server for delegation?

  1. Specify -secpackagelist "Kerberos" in your equivalent of the following locations:
  • SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg (for the metadata server). Also, make sure that the -sspi setting is present.
  2. Restart the metadata server.

Contributor tlk
Contributor
Posts: 54

Re: Integrated Windows Authentication (IWA) - single sign-on failed

If your SAS Metadata Server is on a separate machine, I guess you have to go through the process I posted first. All the pointers I gave you came from the SAS professional ($) who helped with our installation. Our problem was the "Trusted for delegation" thing.

I'm sorry, I'm out of ideas on how to help you with this, but then tech support at SAS is usually quick and easy.

Laurent

Trusted Advisor
Posts: 1,326

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Hi,

I understand that you are working with Windows SAS servers. Please correct me if I am wrong here.

I would start from the basics, checking if IWA is set up OK on the servers (I guess they are, but if you have Windows 2012, something could be missing): https://docs.secureauth.com/display/KBA/Integrated+Windows+Authentication+(IWA)+Troubleshooting

Then, if we could have some more details about your deployment, that would help. Information such as: number of servers, which SAS tier on which server, etc.

On the other hand, for the SAS Metadata Server, is Negotiate (NTLM, Kerberos) not an option? I guess not, but I still ask, because it is simpler.

Focusing on Kerberos:

My initial bet would go to missing SPNs (https://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-host-name-aliases-spns), but in the same way that I recommended checking the configuration of the Windows OS from the ground up regarding IWA, I would also recommend checking the other configurations from SAS from the ground up: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n1d1zo1jsf2o0en1eh...

Just as recommended reading, I always suggest a great SAS paper by Stuart Rogers (http://support.sas.com/resources/papers/proceedings13/476-2013.pdf) which also contains a lot of recommended documents to read.


Occasional Contributor
Posts: 9

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Posted in reply to JuanS_OCS

Thank you for your help. We are running SAS 9.4 M1 on windows 2000 R2 server. Both mid-tier, metadata server and compute tier are all on the same machine. I will check out the links you included. Thank you very much.

Occasional Contributor
Posts: 9

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Sorry, we are running SAS 9.4 M1 on a Windows 2008 R2 server.

Trusted Advisor
Posts: 1,326

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Thank you!

And, in SAS Management Console, how is authentication set up for your SAS Metadata Server and your SAS Workspace Server? Both forced to Kerberos?

Occasional Contributor
Posts: 9

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Posted in reply to JuanS_OCS

Hello,

You asked:

"And, in SAS Management Console, how is authentication set up for your SAS Metadata Server and your SAS Workspace Server? Both forced to Kerberos?"

I don't quite get the question. You mean where in SMC did I set up authentication for my SAS Metadata Server? In the Connection Profile I checked the IWA box, clicked on Advanced:

Security Package is Negotiate

SPN is blank

Security package list is Kerberos,NTLM

Trusted Advisor
Posts: 1,326

Re: Integrated Windows Authentication (IWA) - single sign-on failed

Thanks! That is what I needed.

You can get a list of your registered SPNs with the command setspn -L <your host>

I think you are missing some SPNs.

You could try to fill the SPN field that is now blank with your fully qualified hostname, then restart the metadata server.
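The two concrete checks in this thread, decoding the AcceptSecurityContext error code from the first post and reviewing the output of setspn -L alongside the -sspi and -secpackagelist lines in sasv9_usermods.cfg, can be scripted so they are repeatable across every server in a deployment. The following Python is an added example, not code from SAS or from anyone in this thread. It runs offline on constructed sample data: the host name sasmeta.example.com, the account svc-sas and the setspn listing are invented, and the SAS/<host> SPN form it looks for is an assumption taken from the SAS default that you should confirm against the Security Administration Guide linked above.

```python
"""Offline triage helpers for a SAS Integrated Windows Authentication failure.

Added example: not SAS code and not from anyone in this thread. It scripts the
checks discussed above so they can be repeated on every server in a deployment:
  1. decode the signed decimal SSPI error SAS prints into a named HRESULT,
  2. parse `setspn -L <account>` output and report SPNs a SAS host is missing,
  3. confirm a sasv9_usermods.cfg fragment carries -sspi and -secpackagelist.
"""
import re

# Common SSPI status codes (sspi.h / winerror.h). -2146893048 in the first post
# is SEC_E_INVALID_TOKEN: the server's security package could not parse the
# token the client sent, for example an NTLM fallback token arriving at a
# server whose -secpackagelist is restricted to "Kerberos".
SSPI_ERRORS = {
    0x80090303: "SEC_E_TARGET_UNKNOWN",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
    0x80090322: "SEC_E_WRONG_PRINCIPAL",
    0x80090324: "SEC_E_TIME_SKEW",
}


def decode_sspi_error(signed_code):
    """Turn the signed 32-bit value SAS logs (e.g. -2146893048) into (hex, name)."""
    hresult = signed_code & 0xFFFFFFFF          # two's complement -> unsigned HRESULT
    return f"0x{hresult:08X}", SSPI_ERRORS.get(hresult, "UNKNOWN_SSPI_STATUS")


def parse_setspn_output(text):
    """Return the lower-cased set of SPNs from `setspn -L <account>` output.

    setspn prints one header line ("Registered ServicePrincipalNames for CN=...")
    followed by one indented <service class>/<host> entry per line.
    """
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("registered serviceprincipalnames"):
            continue
        if "/" in line:                          # every SPN is <service class>/<host>
            spns.add(line.lower())
    return spns


def expected_sas_spns(fqdn):
    """SPNs a SAS server host should carry, in the SAS/<host> form.

    Assumption: SAS/<host> is the SAS default; confirm against your SAS security
    documentation. Both the fully qualified and the short host name are listed
    because clients may connect with either spelling.
    """
    short = fqdn.split(".")[0]
    return {f"sas/{fqdn}".lower(), f"sas/{short}".lower()}


def missing_sas_spns(setspn_text, fqdn):
    """List the expected SAS SPNs that `setspn -L` did not show for the account."""
    return sorted(expected_sas_spns(fqdn) - parse_setspn_output(setspn_text))


# Options the thread says the metadata server needs for Kerberos-only IWA.
CFG_OPTIONS = ("-sspi", "-secpackagelist")


def check_usermods_cfg(cfg_text):
    """Map each IWA option to its quoted value, "" if present without a value,
    or None if the option is absent from the config fragment."""
    found = {}
    for opt in CFG_OPTIONS:
        pattern = rf'(?im)^\s*{re.escape(opt)}\b\s*(?:"([^"]*)")?'
        m = re.search(pattern, cfg_text)
        found[opt] = None if m is None else (m.group(1) or "")
    return found


# Constructed sample data: host, account and SPN list are invented for this example.
SAMPLE_SETSPN = """\
Registered ServicePrincipalNames for CN=svc-sas,OU=Service Accounts,DC=example,DC=com:
        HTTP/sasmeta.example.com
        HTTP/sasmeta
        SAS/sasmeta
"""

# Constructed sasv9_usermods.cfg fragment that has the package list but not -sspi.
SAMPLE_CFG = """\
-secpackagelist "Kerberos"
"""


if __name__ == "__main__":
    print("error code:", decode_sspi_error(-2146893048))
    print("missing SPNs:", missing_sas_spns(SAMPLE_SETSPN, "sasmeta.example.com"))
    print("cfg options:", check_usermods_cfg(SAMPLE_CFG))
```

On the sample data the script reports SEC_E_INVALID_TOKEN for the error in the first post, flags sas/sasmeta.example.com as the SPN the service account lacks (only the short-name form is registered), and shows -sspi missing from the config fragment while -secpackagelist is set to Kerberos. Feed it the real setspn -L output and the real sasv9_usermods.cfg for each SAS server in turn to compare the tiers against one another.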
