Re: Integrated Windows Authentication in the Middle Tier

kumarsandip975 · Posted 11-18-2025 04:24 PM

I am working on setting up Integrated Windows Authentication (IWA) for SAS Studio and related web applications. Before proceeding further, I would like to confirm some prerequisites regarding SPNs and delegation configuration in Active Directory.

Current Architecture

SAS 9.4 M8 hosted on Windows
Metadata Server – Machine1
Mid-tier – Machine2
Compute Server 1 – Machine3
Compute Server 2 – Machine4

Service Accounts

We plan to use three separate domain service accounts for SAS services:

ACCOUNT1_META – Runs SAS Metadata Server service
ACCOUNT2_MID – Runs SASServer1_1 (WebAppServer) service
ACCOUNT3_COMP – Runs Object Spawner (SASApp) service on both compute machines

SPNs Registered

Below are the SPNs currently registered:

ACCOUNT1_META

SAS/aSASSTU-met.XXX.xx
SAS/aSASSTU-met

ACCOUNT2_MID

HTTP/aSASSTU-mid.XXX.xx
HTTP/aSASSTU-mid

ACCOUNT3_COMP

SAS/aSASSTU-comp.XXX.xx
SAS/aSASSTU-comp

Clarification Needed

Since our deployment spans multiple machines, is it acceptable to use different service accounts and register SPNs only for their respective hosts? Specifically:

Will the mid-tier be able to interact with the metadata and compute tiers without SPNs registered for those hosts under the mid-tier account?
Or do we need additional SPNs or delegation settings to ensure proper Kerberos authentication and identity propagation?

Your guidance on best practices for SPN registration and delegation in this multi-tier SAS environment would be greatly appreciated.

LinusH · Posted 11-19-2025 04:39 AM

We have also three separate accounts.

And we have implemented AllowToDelegateTo:

mid tier SPN:
- it's own host
- compute host
compute SPN:
- it's own host
- http to mid-tier
- Any external databases you wish to sso to

Data never sleeps

kumarsandip975 · Posted 11-19-2025 05:38 AM

@LinusH do you mean this delegation
Midtier account should delegate to midtier host as well compute host? and compute account to own and http as well?

kumarsandip975 · Posted 11-19-2025 05:46 AM

Also, I have a question regarding the point where mentioned in document for midtier configuration about SPNEGO option and as the auth-method in the web.xml file for SAS Logon Manager.

SAS Help Center: Support for Integrated Windows Authentication

do we need to configure browser settings when we go with SPNEGO option? as per below suggestions. For example, we have MS Edge.
Configure Google Chrome and Microsoft Edge to Use SPNEGO

kumarsandip975 · Posted 11-19-2025 08:19 AM

@LinusH have you done this configuration Configure Google Chrome and Microsoft Edge to Use SPNEGO additionally to allow SPNEGO option.

LinusH · Posted 11-19-2025 06:40 AM

I don't think I have access to that UI, we have ordered it to central AD admins. But my guess is, yes.

Data never sleeps

LinusH · Posted 11-19-2025 06:41 AM

But in your picture, both are HTTP, one should med "host".

Data never sleeps

kumarsandip975 · Posted 11-19-2025 08:18 AM

yes, those are both mid , one with just hostname and fqn combination. We have asked this picture from AD admin, we will add additionally metadata , even compute host as SAS/*