08-16-2017 11:04 AM
Currently, I have an all-Windows SAS environment ts1m4 (SAS EG, meta, process). I'm in the process of adding a Unix process server, and yes, the question is about the authentication between Windows and Unix. My Unix admin doesn't want to install and configure PAM because of the process involved (justification and paperwork to get it accepted by the security dept). I will get to this process later, as it could be a slow process, but in the meanwhile I want to start working on the migration as soon as possible.
I was looking to use the authentication domain and was wondering if anyone has used this path when working with a mixed environment similar to mine, and if there was a setback to using this method either at the security level or at the performance level, or at any level for that matter.
08-17-2017 10:11 PM - edited 08-17-2017 10:24 PM
If your UNIX admins are unwilling or unable to configure the host for AD authentication with PAM then you might consider re-configuring your UNIX hosted SAS Workspace Server to use SAS Token Authentication. All of the SAS processes on the UNIX server will then run as a single local service account (e.g. sassrv). Whilst you will be able to use metadata access controls, be aware that this approach severely limits your ability to take advantage of UNIX file system access controls (without resorting to multiple servers and multiple service accounts etc).
It would be worth discussing this with both your UNIX admins and the security department, so that they are aware of, and accept, the security ramifications of using SAS Token Authentication vs host authentication for SAS Workspace Servers. Some people prefer to use SAS Token Authentication and some don't. Both approaches are fine as long as you are aware of, and accept, the pros and cons.
Configuring UNIX or Linux for Windows AD authentication is easier than it used to be. I like to use realmd - see Active Directory Authentication for SAS on Linux (with realmd) for more info.
For more information see the How to Configure SAS Token Authentication section of the SAS 9.4 Intelligence Platform: Security Administration Guide, as well as the linked pages in the See Also section.
08-18-2017 12:51 AM
Another messy option is to save the user's UNIX credentials in their SAS Metadata profile, then configure your UNIX Workspace server with something like a UNIXAuth authentication domain. Downside is that your users will need to update their password in the SAS Metadata every time it changes on UNIX; people will forget, sessions will fail, blah, blah.... Your security department might also not be happy about the fact that UNIX credentials are retained outside of UNIX, but again, like @PaulHomes said, they have to pick their battle. There are however different ways to encrypt the credentials (at rest and in motion) with SAS Secure to calm their fears.
08-18-2017 01:07 AM
Else.....if you omit the UNIX password from the user's Metadata profile, SAS Enterprise Guide should prompt you for it when trying to connect to the Workspace server. Downside is that the user will need to enter their password when making the connection, but your security department might be more comfortable since you are not storing UNIX credentials outside of UNIX. The user also wouldn't need to update their password in the SAS metadata when it changes on UNIX. Pros...cons...pros...cons...
08-18-2017 02:22 AM
If you can't get your UNIX system included in the AD with PAM, then move the metadata server to UNIX. That way at least users will know that their Data Warehouse (not UNIX) password is physically different from their "normal" password, but they only have to enter it once when starting their application. Otherwise they'll need to enter one password for metadata and one for the workspace servers.
Running SAS with a single system ID (SAS Token Authentication) should be avoided, as it makes (sensibly) managing your users next to impossible.
08-23-2017 03:09 PM
Thank you all for your input. We're probably going to go the authdomain way, as we already have our Oracle credentials in it, and yes, it has its pros and cons. The Security Dept. is OK with it.