Solved: Re: Integrated windows authentication failed

RupaJ · Posted 09-14-2018 12:58 PM

Hello Forum,

I am trying to set up IWA for the desktop clients(windows). Now my metadata /midtier and compute are on RHEL 7 servers. Meta and Midtier are on one machine, with compute on another server. SAS 9.4M5 is installed btw.

Now I have completed the prerequisites for setting up IWA which are

Unix host joining the AD

Creating the service account , UPN,SPN

Generating the keytab file.

Adding the KRB5_KTNAME env variable and restart the services.

After completing all the above, I tried testing if the IWA is working.

Checked the Integrated windows authentication checkbox. In the advanced setting security package is "Negiciate:, SPN is the custom SPN that we have and Security Package list is "Kerberos,NTLN".

I have the same thing mentinoed above for the workspace server properties too.

Now I am able to connect to the SAS Enterprise guide with the profile , however my workspace server validation is failing with below error.

[9/14/18 11:35 AM] INFO: Starting extended validation for Workspace server (level 1) - Making a connection
[9/14/18 11:35 AM] SEVERE: Access denied.
[9/14/18 11:35 AM] SEVERE: The launch of server SASApp - Workspace Server for user failed.
[9/14/18 11:35 AM] SEVERE: The application could not log on to the server "sastest.local:8591". Integrated Windows authentication failed.

This is what I see in the objectspawner logs.

2018-09-14T11:35:10,227 WARN [00024804] : user- The destination buffer size was not sufficient for the requested password.
2018-09-14T11:35:10,228 ERROR [00024804] :user - Access denied.
2018-09-14T11:35:10,228 ERROR [00024804] :user - The launch of server SASApp - Workspace Server for user failed.

Note - I have removed user and server names.

Now regarding the SPN, I have a question. How do I create a default SPN? My IT guy has created xyz as service account and created XYZ/sasmeta.local , XYZ/sastest.local , XYZ/sasmeta and XYZ/sastest as SPNs (both FQDN and shortnames). However I need to give SPN as "XYZ/sasmeta.local in order to connect to SASEG. It is not connecting if I leave the SPN blank when I connect to SASEG.

So 2 questions

Why I am getting that error when I am trying to validate the workspace server?

Default SPN -- How to create?

Thank you!!!

alexal · Posted 09-19-2018 02:56 PM

I just want to say that the problem has been resolved. We have linked SAS to specific GSSAPI modules, changed a few settings in sasauth.conf, and the workspace server.

View solution in original post

alexal · Posted 09-14-2018 01:08 PM

@RupaJ,

How do I create a default SPN?

Registering SPNs. The client must know the server's service principal name (SPN). In a standard configuration, this is transparent. Clients expect (and know how to construct) a default SPN in the format SAS/machine (for example, SAS/machineA.na.company.com), so you do not have to explicitly provide the SPN.

Audit.Authentication logger should help with debugging GSSAPI, please add this XML to metadata/object spawner logging configuration (do not forget to restart metadata/object spawner after that):

 <logger name="Audit.Authentication">
        <level value="Trace"/>
  </logger>

RupaJ · Posted 09-14-2018 02:38 PM

hello @alexal

Thanks for the response. What do you mean "standard configuration"? Could you clarify. How should the default SPN be created? Any commands will be helpful.

Thanks

RupaJ · Posted 09-15-2018 07:24 AM

Looks like I did not enable -SSPI option to launch object spawner. How do I do that? I was thinking the default is with -sspi. However after 9.4 releases, looks like default is -nosspi.

RupaJ · Posted 09-17-2018 07:35 AM

In response to the -SSPI option, I checked the object spawner startup script and it does have the -SSPI option. I guess only on windows the default is to start with -nosspi :-(. So that is ruled out too.

Any help on this would be great. Thanks!

PaulHomes · Posted 09-17-2018 09:21 PM

As @alexal mentioned you should be able to configure the server so you don't need to specify any extra details on the client other than the basic host name, port and to use IWA. SPNs should be added in AD so the client user doesn't have to worry about them.

Just so you know I get that warning message in my Linux + IWA lab environment when IWA connection is successful:

2018-09-18T10:48:43,814 INFO  [00689123] :paul - New client connection (57834) accepted from server port 8591 for IWA user paul. Encryption level is Credentials using encryption algorithm AES.  Peer IP address and port are [192.168.2.101]:52435 for APPNAME=SAS Enterprise Guide.
2018-09-18T10:48:43,859 WARN  [00689123] :paul - The destination buffer size was not sufficient for the requested password.
2018-09-18T10:48:43,884 INFO  [00689123] :paul - Created process 14210 using credentials paul (child id 94).
2018-09-18T10:48:44,490 INFO  [00689130] :sas - New out call client connection (57848) for launched server (child 94).  Peer IP address and port are [192.168.2.27]:54050.
2018-09-18T10:48:44,497 INFO  [00689130] :sas - Client connection 57834 for user paul closed.
2018-09-18T10:49:41,026 INFO  [00000009] :sas - Client connection 57848 for user paul closed.
2018-09-18T10:49:41,152 INFO  [00689122] :sas - Process 14210 owned by user paul (child id 94) has ended.

I don't know why I am getting that buffer size warning but it does not seem to have any obvious impact. If anyone else knows how to get rid of it I'd be keen to hear. 🙂

So I think you need to focus on that "Access denied" error. Have you added the Audit.Authentication trace level logging for the object spawner as @alexal suggested?

alexal · Posted 09-18-2018 07:25 AM

Also, enable sasauth-debug on compute tier.

RupaJ · Posted 09-18-2018 07:59 AM

Yes,I did enable the below in the object spawner and restarted services. However don't see any new log messages apart from what I saw before.

<logger name="Audit.Authentication">
        <level value="Trace"/>
  </logger>

alexal · Posted 09-18-2018 08:01 AM

Where did you add these lines?

RupaJ · Posted 09-18-2018 08:08 AM

In logconfig.xml file in the path /opt/sas/config/Lev1/ObjectSpawner.

RupaJ · Posted 09-18-2018 08:02 AM

@alexal - Yes, PROC PERMTEST went successful for my login.

alexal · Posted 09-18-2018 08:12 AM

That is correct file unless object spawner is using another in logconfigloc. You do not need to run PROC PERMTEST, just enable sasauth-debug and restart the spawner. What you will see in the sasauth-debug log when the IWA/GSSAPI authentication fails?

RupaJ · Posted 09-18-2018 12:07 PM

Hello @alexal,

Looks like the GSS libraries are missing. What libraries shoudl I install?

20180918-08:12:41 Initializing gss

20180918-08:12:41 Attempting to load GSSAPI library: libvas-gssapi.so

20180918-08:12:41 Attempting to load GSSAPI library: /opt/quest/lib64/libvas-gssapi.so

20180918-08:12:41 Attempting to load GSSAPI library: libgssapi_krb5.so

20180918-08:12:41 Attempting to load GSSAPI library: libgssapi.so

20180918-08:12:41 Attempting to load GSSAPI library: libgss.so

20180918-08:12:41 Could not load a GSSAPI library.

20180918-08:12:41 Could not initialize authentication method gss

20180918-08:12:41 GSS could not be loaded.

20180918-08:12:41 Using maxtries: 5

20180918-08:12:41 Using maxtries period: 60

20180918-08:12:41 Using maxtries wait: 300

20180918-08:12:41 GSS is not available to process authenticate request.

20180918-08:12:41 Request failed: 'GSS is not available.'

Thanks for your response!

alexal · Posted 09-18-2018 02:48 PM

@RupaJ,

As I responded to you in the technical support track, it appears you do not have any GSSAPI libraries installed on the system. What are you using for authentication? SSSD or something else? If SSSD, then you have to install sssd-krb5-common. If something else, then you have to adjust LD_LIBRARY_PATH.

PaulHomes · Posted 09-18-2018 08:02 PM

As @alexal suggested, installing sssd-krb5-common will pull in additional packages including the standard open source GSSAPI libraries.

In terms of specific packages, in my environment /usr/lib64/libgssapi_krb5.so is a symlink (provided by the package krb5-devel) to libgssapi_krb5.so.2.2 (provided by the package krb5-libs). The krb5-libs package is one of the dependencies of sssd-krb5-common.

A while ago I was having trouble with a missing /usr/lib64/libgssapi_krb5.so -> libgssapi_krb5.so.2.2 symlink so created it manually. Later on I found that the krb5-devel package provides it.

I only use realmd to provide the basic setup for IWA on Linux now as I find it makes it significantly easier: https://platformadmin.com/blogs/paul/2015/07/active-directory-authentication-for-sas-on-linux-with-r... (I just updated the blog post to add a note about krb5-devel)