I am trying to set up IWA for the desktop clients(windows). Now my metadata /midtier and compute are on RHEL 7 servers. Meta and Midtier are on one machine, with compute on another server. SAS 9.4M5 is installed btw.
Now I have completed the prerequisites for setting up IWA which are
Unix host joining the AD
Creating the service account , UPN,SPN
Generating the keytab file.
Adding the KRB5_KTNAME env variable and restart the services.
After completing all the above, I tried testing if the IWA is working.
Checked the Integrated windows authentication checkbox. In the advanced setting security package is "Negiciate:, SPN is the custom SPN that we have and Security Package list is "Kerberos,NTLN".
I have the same thing mentinoed above for the workspace server properties too.
Now I am able to connect to the SAS Enterprise guide with the profile , however my workspace server validation is failing with below error.
[9/14/18 11:35 AM] INFO: Starting extended validation for Workspace server (level 1) - Making a connection
[9/14/18 11:35 AM] SEVERE: Access denied.
[9/14/18 11:35 AM] SEVERE: The launch of server SASApp - Workspace Server for user failed.
[9/14/18 11:35 AM] SEVERE: The application could not log on to the server "sastest.local:8591". Integrated Windows authentication failed.
This is what I see in the objectspawner logs.
2018-09-14T11:35:10,227 WARN  : user- The destination buffer size was not sufficient for the requested password.
2018-09-14T11:35:10,228 ERROR  :user - Access denied.
2018-09-14T11:35:10,228 ERROR  :user - The launch of server SASApp - Workspace Server for user failed.
Note - I have removed user and server names.
Now regarding the SPN, I have a question. How do I create a default SPN? My IT guy has created xyz as service account and created XYZ/sasmeta.local , XYZ/sastest.local , XYZ/sasmeta and XYZ/sastest as SPNs (both FQDN and shortnames). However I need to give SPN as "XYZ/sasmeta.local in order to connect to SASEG. It is not connecting if I leave the SPN blank when I connect to SASEG.
So 2 questions
Why I am getting that error when I am trying to validate the workspace server?
Default SPN -- How to create?
How do I create a default SPN?
Registering SPNs. The client must know the server's service principal name (SPN). In a standard configuration, this is transparent. Clients expect (and know how to construct) a default SPN in the format SAS/machine (for example, SAS/machineA.na.company.com), so you do not have to explicitly provide the SPN.
Audit.Authentication logger should help with debugging GSSAPI, please add this XML to metadata/object spawner logging configuration (do not forget to restart metadata/object spawner after that):
<logger name="Audit.Authentication"> <level value="Trace"/> </logger>
In response to the -SSPI option, I checked the object spawner startup script and it does have the -SSPI option. I guess only on windows the default is to start with -nosspi :-(. So that is ruled out too.
Any help on this would be great. Thanks!
As @alexal mentioned you should be able to configure the server so you don't need to specify any extra details on the client other than the basic host name, port and to use IWA. SPNs should be added in AD so the client user doesn't have to worry about them.
Just so you know I get that warning message in my Linux + IWA lab environment when IWA connection is successful:
2018-09-18T10:48:43,814 INFO  :paul - New client connection (57834) accepted from server port 8591 for IWA user paul. Encryption level is Credentials using encryption algorithm AES. Peer IP address and port are [192.168.2.101]:52435 for APPNAME=SAS Enterprise Guide. 2018-09-18T10:48:43,859 WARN  :paul - The destination buffer size was not sufficient for the requested password. 2018-09-18T10:48:43,884 INFO  :paul - Created process 14210 using credentials paul (child id 94). 2018-09-18T10:48:44,490 INFO  :sas - New out call client connection (57848) for launched server (child 94). Peer IP address and port are [192.168.2.27]:54050. 2018-09-18T10:48:44,497 INFO  :sas - Client connection 57834 for user paul closed. 2018-09-18T10:49:41,026 INFO  :sas - Client connection 57848 for user paul closed. 2018-09-18T10:49:41,152 INFO  :sas - Process 14210 owned by user paul (child id 94) has ended.
I don't know why I am getting that buffer size warning but it does not seem to have any obvious impact. If anyone else knows how to get rid of it I'd be keen to hear. 🙂
So I think you need to focus on that "Access denied" error. Have you added the Audit.Authentication trace level logging for the object spawner as @alexal suggested?
That is correct file unless object spawner is using another in logconfigloc. You do not need to run PROC PERMTEST, just enable sasauth-debug and restart the spawner. What you will see in the sasauth-debug log when the IWA/GSSAPI authentication fails?
Looks like the GSS libraries are missing. What libraries shoudl I install?
20180918-08:12:41 Initializing gss
20180918-08:12:41 Attempting to load GSSAPI library: libvas-gssapi.so
20180918-08:12:41 Attempting to load GSSAPI library: /opt/quest/lib64/libvas-gssapi.so
20180918-08:12:41 Attempting to load GSSAPI library: libgssapi_krb5.so
20180918-08:12:41 Attempting to load GSSAPI library: libgssapi.so
20180918-08:12:41 Attempting to load GSSAPI library: libgss.so
20180918-08:12:41 Could not load a GSSAPI library.
20180918-08:12:41 Could not initialize authentication method gss
20180918-08:12:41 GSS could not be loaded.
20180918-08:12:41 Using maxtries: 5
20180918-08:12:41 Using maxtries period: 60
20180918-08:12:41 Using maxtries wait: 300
20180918-08:12:41 GSS is not available to process authenticate request.
20180918-08:12:41 Request failed: 'GSS is not available.'
Thanks for your response!
As I responded to you in the technical support track, it appears you do not have any GSSAPI libraries installed on the system. What are you using for authentication? SSSD or something else? If SSSD, then you have to install sssd-krb5-common. If something else, then you have to adjust LD_LIBRARY_PATH.
As @alexal suggested, installing sssd-krb5-common will pull in additional packages including the standard open source GSSAPI libraries.
In terms of specific packages, in my environment /usr/lib64/libgssapi_krb5.so is a symlink (provided by the package krb5-devel) to libgssapi_krb5.so.2.2 (provided by the package krb5-libs). The krb5-libs package is one of the dependencies of sssd-krb5-common.
A while ago I was having trouble with a missing /usr/lib64/libgssapi_krb5.so -> libgssapi_krb5.so.2.2 symlink so created it manually. Later on I found that the krb5-devel package provides it.
I only use realmd to provide the basic setup for IWA on Linux now as I find it makes it significantly easier: https://platformadmin.com/blogs/paul/2015/07/active-directory-authentication-for-sas-on-linux-with-r... (I just updated the blog post to add a note about krb5-devel)
The SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment.
Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.
Find more tutorials on the SAS Users YouTube channel.