MidTier : IWA Connection

SASkira · Posted 06-20-2023 04:10 PM

I am configurating Compute and Midtier using IWA connections and successful till Compute tier. Now checking the documentation for Midtier found out need following

1. a keytab file

2. SPN registration (midtier machine ) with AD

3. username SPN is mapped to (not sure what this is yet)

Can any one suggest I need any other tasks/steps to do to be able to complete IWA connections successfully on midtier (SASStudio and EVManager)?.

gwootton · Posted 06-20-2023 04:44 PM

I don't think you need anything else, the keytab/SPN/User (UPN) is the identity that the middle tier uses to validate the supplied credential back to Active Directory, so once you've got a keytab tied to the HTTP/hostname SPN for your middle tier server(s) and update your configuration files accordingly you should be all set. I usually configure fallback authentication as well so I can still log on with user/password.

The steps for configuring the middle tier for IWA can be found here:

Support for Integrated Windows Authentication
https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1871e69gmwdr0n1o182krslc10p.htm

--
Greg Wootton | Principal Systems Technical Support Engineer

SASkira · Posted 06-20-2023 04:55 PM

Thank you!. I will get the required info from IT Support. for the fallback Authentication mechanism we need to have "Log on as a batch job" privilege's but IT is not yet ready to provide that 🙂

SASkira · Posted 07-14-2023 06:25 PM

@gwootton : I have received delegation approvals and keytab file from IT and while checking the keytab file I am receiving an error

kinit -k -t FILE:C:\Temp\KeyTab\myweb.keytab HTTP/webserver.org.com@ORG.com -J-Djava.security.krb5.conf=C:\Windows\krb5.ini

Error:

Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at java.security.jgss/sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:295)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:275)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:344)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.acquire(Kinit.java:248)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:134)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.main(Kinit.java:96)

However, when I run simple kinit from C:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin>kinit it is suceeded and krb ticket is creating on defalt location.

we have created the keytab file using below command

ktpass /princ HTTP/webserver.org.com@ORG.com /mapuser ORG\username /crypto AES256-SHA1 /pass ******* /ptype KRB5_NT_PRINCIPAL /out C:\Temp\KeyTab\webserver.org.com.keytab

and my krb5.ini entries are...

[libdefaults]
default_realm = ORG.COM
forwardable=true

[realms]
ORG.com = {
kdc = doamincontroller.org.com
}

[domain_realm]
org.com= ORG.COM
.org.com= ORG.COM

Documentation I am following :

https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1871e69gmwdr0n1o182krslc10p.htm

Can you please suggest how I could get around this issue?.

gwootton · Posted 07-18-2023 04:01 PM

The error is complaining about the encryption types specified when creating the keytab file.

Your command specified an encryption type of AES256-SHA1. Based on this error, the default_tkt_enctypes configured in krb5.conf/ini does not include that encryption (in this case you aren't specifying this so I'm not sure what default it's using). You could try adding the -e option to your kinit command to specify which encryption type you'd like rather than relying on the default setting.

For example kinit ... -e aes256-cts

--
Greg Wootton | Principal Systems Technical Support Engineer

SASkira · Posted 07-24-2023 10:04 AM

@gwootton : Issue was with the AD user did not have required encryptions methods enabled, finally got around the issue and moving forward.

However, I am testing/validating my connection using the step '(Optional) Validate the Previous Steps" on below page but I am receiving message as I am logging as a public. I do have my user created with both DefaultAuth and web auth domains and metadata is authenticated properly with my user when I tried to login SASStudio client. attached is the error/warning from SASStudio1_1 wrapper.log

can you suggest where this could be going wrong?.

https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/n1bhp608f0hsoen10i1vi0p9l5f7.htm

gwootton · Posted 07-24-2023 12:31 PM

This message means authentication was successful but the user lookup in Metadata is not producing a result. As you are able to log in when you manually specify a user ID this suggests the user ID being provided by IWA/Kerberos does not match the user ID you enter manually. You may need to add the realm to the user definition in Metadata:

Windows User ID Formats
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1xabf7u29o4lfn1l7l8ac7bfxme.htm

--
Greg Wootton | Principal Systems Technical Support Engineer

MidTier : IWA Connection

Re: MidTier : IWA Connection

Re: MidTier : IWA Connection

Re: MidTier : IWA Connection

Re: MidTier : IWA Connection

Re: MidTier : IWA Connection

Re: MidTier : IWA Connection