03-17-2015 02:56 AM
When you use a batch-server or connect-server with a SAS EIP installation we noticed that there is no authentication (password validation to metadata server) done.
It uses the OS user-id as the identified user and proceeds with that one as the metadata context.
There is no IWA configured. It is Unix environment.
The WS is setup as host-authentication. With that one, you have to specify the OS user twice. Once for the metadata connection and another following after that for the OS SAS session.
The last one gets cached (stored possible to be breached) in the SAS metadata. This is different as the batch/connect server. A strange difference between those two
Anyone found some information this is how it is designed and that it should work that way. Underpinning compliancy reasons.
03-21-2015 09:04 PM
I too have wondered why when you schedule a batch job in SAS Management Console that you have to enter your username/password again (both SAS 9.3 and 9.4). Your explanation makes perfect sense.
Our environment is Windows and our SMC connection uses IWA. It would be much better if batch scheduling could use those delegated credentials.
However the annoyances go further. If you change your password then you have to go and reschedule all of your batch jobs otherwise they wont run (we use LSF as our batch scheduler). Fortunately we only have a few batch jobs so it is not too big a deal. If you have a lot them though I imagine it would be a major inconvenience.