cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
kumarsandip975
Pyrite | Level 9 kumarsandip975
Pyrite | Level 9

Kerberos setup in SAS 9.4 M8(Hosted on Windows).

Posted Sunday (145 views)

Dear Community,

 

I have a very basic question, but I guess it is important to decide when setting up kerberos in the sas 9.4 m8 environment(running on windows machine). 

 

We have services (object spawner) is running with local system, as per document https://documentation.sas.com/doc/en/bicdc/9.4/bisecag/p1jg2eif6qym5qn1co79sdclcyt7.htm , 

 

The delegation privilege is granted to the SAS Object Spawner.

  • If the SAS Object Spawner is running on Windows under the local system account, select the host machine in Active Directory under Computers. On the Delegation tab, select the Trust this computer for delegation to specified services only option.
  • If the SAS Object Spawner is running on Windows under a domain account, select the user account in Active Directory, typically under Users. On the Delegation tab, select the Trust this user for delegation to the specified services only option.

My question is - what options is really recommended, local system account or domain account ? 

0 Likes
Reply
2 REPLIES 2
SASKiwi
PROC Star SASKiwi
PROC Star

Re: Kerberos setup in SAS 9.4 M8(Hosted on Windows).

Posted Sunday (82 views)  |   In reply to kumarsandip975

We've always used the local system account as it will always have the required permissions to run any services.

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Kerberos setup in SAS 9.4 M8(Hosted on Windows).

Posted Monday (50 views)  |   In reply to kumarsandip975
I think this is a question of security posture. In this example were you to use local system you are allowing local system to delegate to specific services, so this would apply to any service running as local system and not just the object spawner. If you wanted to limit this delegation permission only to the object spawner, you'd need to use a service account.
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • Sunday
  • 146 views
  • 0 likes
  • 3 in conversation