I am configuring Compute and Midtier using IWA connections and have been successful up to the Compute tier. Now, checking the documentation for Midtier, I found out I need the following:
1. a keytab file
2. SPN registration (midtier machine) with AD
3. username SPN is mapped to (not sure what this is yet)
Can anyone suggest whether I need any other tasks/steps to be able to complete IWA connections successfully on midtier (SASStudio and EVManager)?
@gwootton : I have received delegation approvals and a keytab file from IT, and while checking the keytab file I am receiving an error:
kinit -k -t FILE:C:\Temp\KeyTab\myweb.keytab HTTP/webserver.org.com@ORG.com -J-Djava.security.krb5.conf=C:\Windows\krb5.ini
Error:
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at java.security.jgss/sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:295)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:275)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:344)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.acquire(Kinit.java:248)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:134)
at java.security.jgss/sun.security.krb5.internal.tools.Kinit.main(Kinit.java:96)
However, when I run a simple kinit from C:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin>kinit it succeeds and the krb ticket is created in the default location.
We created the keytab file using the command below:
ktpass /princ HTTP/webserver.org.com@ORG.com /mapuser ORG\username /crypto AES256-SHA1 /pass ******* /ptype KRB5_NT_PRINCIPAL /out C:\Temp\KeyTab\webserver.org.com.keytab
and my krb5.ini entries are...
[libdefaults]
default_realm = ORG.COM
forwardable=true
[realms]
ORG.com = {
kdc = doamincontroller.org.com
}
[domain_realm]
org.com= ORG.COM
.org.com= ORG.COM
Documentation I am following :
https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1871e69gmwdr0n1o182krslc10p.htm
Can you please suggest how I could get around this issue?
The error is complaining about the encryption types specified when creating the keytab file.
Your command specified an encryption type of AES256-SHA1. Based on this error, the default_tkt_enctypes configured in krb5.conf/ini does not include that encryption (in this case you aren't specifying this so I'm not sure what default it's using). You could try adding the -e option to your kinit command to specify which encryption type you'd like rather than relying on the default setting.
For example kinit ... -e aes256-cts
@gwootton : The issue was that the AD user did not have the required encryption methods enabled. I finally got around the issue and am moving forward.
However, I am testing/validating my connection using the step "(Optional) Validate the Previous Steps" on the page below, but I am receiving a message that I am logging in as public. I do have my user created with both DefaultAuth and web auth domains, and metadata is authenticated properly with my user when I tried to log in to the SASStudio client. Attached is the error/warning from the SASStudio1_1 wrapper.log.
Can you suggest where this could be going wrong?
https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/n1bhp608f0hsoen10i1vi0p9l5f7.htm