cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
mkiran
Quartz | Level 8 mkiran
Quartz | Level 8
Go to Solution

MidTier : IWA Connection

Posted 06-20-2023 04:10 PM (972 views)

I am configurating Compute and Midtier using IWA connections and successful till Compute tier. Now checking the documentation for Midtier found out need following

1. a keytab file

2. SPN registration (midtier machine ) with AD

3. username SPN is mapped to (not sure what this is yet)

 

Can any one suggest I need any other tasks/steps to do to be able to complete IWA connections successfully on midtier (SASStudio and EVManager)?.

0 Likes
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
mkiran
Quartz | Level 8 mkiran
Quartz | Level 8

Re: MidTier : IWA Connection

Posted 02-20-2024 11:09 AM (415 views)  |   In reply to gwootton

enabling required Encryption on the Delegated user fixed the issue

View solution in original post

0 Likes
Reply
7 REPLIES 7
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: MidTier : IWA Connection

Posted 06-20-2023 04:44 PM (955 views)  |   In reply to mkiran
I don't think you need anything else, the keytab/SPN/User (UPN) is the identity that the middle tier uses to validate the supplied credential back to Active Directory, so once you've got a keytab tied to the HTTP/hostname SPN for your middle tier server(s) and update your configuration files accordingly you should be all set. I usually configure fallback authentication as well so I can still log on with user/password.

The steps for configuring the middle tier for IWA can be found here:

Support for Integrated Windows Authentication
https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1871e69gmwdr0n1o182krslc10p.htm
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
mkiran
Quartz | Level 8 mkiran
Quartz | Level 8

Re: MidTier : IWA Connection

Posted 06-20-2023 04:55 PM (948 views)  |   In reply to gwootton
Thank you!. I will get the required info from IT Support. for the fallback Authentication mechanism we need to have "Log on as a batch job" privilege's but IT is not yet ready to provide that 🙂
0 Likes
Reply
mkiran
Quartz | Level 8 mkiran
Quartz | Level 8

Re: MidTier : IWA Connection

Posted 07-14-2023 06:25 PM (907 views)  |   In reply to mkiran

@gwootton : I have received delegation approvals and keytab file from IT and while checking the keytab file I am receiving an error 

 

kinit -k -t FILE:C:\Temp\KeyTab\myweb.keytab HTTP/webserver.org.com@ORG.com -J-Djava.security.krb5.conf=C:\Windows\krb5.ini

 

Error:

Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at java.security.jgss/sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:295)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:275)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:344)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.acquire(Kinit.java:248)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:134)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.main(Kinit.java:96)

 

However, when I run simple kinit from C:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin>kinit it is suceeded and krb ticket is creating on defalt location.

 

we have created the keytab file using below command

ktpass /princ HTTP/webserver.org.com@ORG.com /mapuser ORG\username /crypto AES256-SHA1 /pass ******* /ptype KRB5_NT_PRINCIPAL /out C:\Temp\KeyTab\webserver.org.com.keytab

 

and my krb5.ini entries are...

 

[libdefaults]
default_realm = ORG.COM
forwardable=true

[realms]
ORG.com = {
kdc = doamincontroller.org.com
}

[domain_realm]
org.com= ORG.COM
.org.com= ORG.COM

 

Documentation I am following :

https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1871e69gmwdr0n1o182krslc10p.htm

 

Can you please suggest how I could get around this issue?.

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: MidTier : IWA Connection

Posted 07-18-2023 04:01 PM (852 views)  |   In reply to mkiran

The error is complaining about the encryption types specified when creating the keytab file.

 

Your command specified an encryption type of AES256-SHA1. Based on this error, the default_tkt_enctypes configured in krb5.conf/ini does not include that encryption  (in this case you aren't specifying this so I'm not sure what default it's using). You could try adding the -e option to your kinit command to specify which encryption type you'd like rather than relying on the default setting.

 

For example kinit ... -e aes256-cts

--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
mkiran
Quartz | Level 8 mkiran
Quartz | Level 8

Re: MidTier : IWA Connection

Posted 07-24-2023 10:04 AM (836 views)  |   In reply to gwootton

@gwootton : Issue was with the AD user did not have required encryptions methods enabled, finally got around the issue and moving forward.

 

However, I am testing/validating my connection using the step '(Optional) Validate the Previous Steps" on below page but I am receiving message as I am logging as a public. I do have my user created with both DefaultAuth and web auth domains and metadata is authenticated properly with my user when I tried to login SASStudio client. attached is the error/warning from SASStudio1_1 wrapper.log

 

can you suggest where this could be going wrong?.

 

 

 

SASkira_0-1690207147552.png

 

https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/n1bhp608f0hsoen10i1vi0p9l5f7.htm

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: MidTier : IWA Connection

Posted 07-24-2023 12:31 PM (782 views)  |   In reply to mkiran
This message means authentication was successful but the user lookup in Metadata is not producing a result. As you are able to log in when you manually specify a user ID this suggests the user ID being provided by IWA/Kerberos does not match the user ID you enter manually. You may need to add the realm to the user definition in Metadata:

Windows User ID Formats
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1xabf7u29o4lfn1l7l8ac7bfxme.htm
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
mkiran
Quartz | Level 8 mkiran
Quartz | Level 8

Re: MidTier : IWA Connection

Posted 02-20-2024 11:09 AM (416 views)  |   In reply to gwootton

enabling required Encryption on the Delegated user fixed the issue

0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 7 replies
  • ‎06-20-2023 04:10 PM
  • 973 views
  • 0 likes
  • 2 in conversation