09-26-2011 06:22 PM
I defined a library in the SAS management console that uses Windows Authentication.
The definition works fine in Enterprise Guide using the libname declaration (LIBNAME core META library="COREDB").
However, the same definition fails in the stored process server with this error. I can't stop the Stored Process Server from trying to connect with that domain as opposed to the user domain.
I am not sure if the sassrv account has to be granted delegation system in the OS (Windows 2008 Server 64).
SYSDBMSG=ODBC: [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
09-26-2011 09:57 PM
There are a number of things that need to be in place to get a SAS platform deployment taking full advantage of Integrated Windows Authentication (IWA). I have only just recently finished helping a customer get IWA working with EG, SAS app servers, server-side UNC path and SQL Server library access in a multi-environment, multi-app-server, multi-node clustered platform with lots of users spread over a few AD domains. Whilst it took a fair bit of prep, methodical testing and troubleshooting, it did work well.
If you haven't already seen them I would review the following resources for starters:
There are a number of things that need to be in place for IWA to work well:
When I get the time I was planning on doing some blog posts about my experiences, but that might not be for a little while yet.
I'll start by asking how confident are you that your EG use of the library was using IWA and not cached/stored credentials? Did you review the metadata server, object spawner and SQL Server connection logs to confirm that IWA connections were being done? An initial SAS 9.2 installation does not provide a standard workspace server configured for IWA, so you would have had to specifically configure this. I am wondering if your EG test works because IWA wasn't attempted, whereas the stored process server test did attempt IWA and failed, and that perhaps the environment does not have everything configured yet to allow IWA?
To help you with this some more information would be required:
I know that there are a lot of questions here, but there are lots of things that need to be aligned to get IWA working nicely across the entire platform.