woo
Barite | Level 11

Hello friends, we are trying to implement SSO and trying to test it with metadata server as a first step. Object spawner are SPNs registered). We have keytab file with "sas installer id" as well. Sysadmin seems to have completed configuration from their side.

SAS 9.4 M5 Grid / Linux / MIT Kerberos / AD / LDAP

I generated a Kerberos ticket and have it on my desktop as well as on the Linux side.

The KRB5CCNAME and KRB5_CONFIG environment variables have been assigned on the Windows side.

Now, when I try to open SAS MC with my ID (userid) by selecting "use IWA (SSO)", I am receiving the error below.

The application could not log on to the server. IWA failed. 

Access denied. NTLM authentication is not supported. 

The metadata log is showing "NTLM authentication is not supported" as well...

Any direction? Thank you.

8 REPLIES
JuanS_OCS
Amethyst | Level 16

Hello @woo,

Maybe I am wrong, but I think NTLM is not native to Linux but to Windows (servers). This means that you would need to configure pure Kerberos connectivity in SAS, removing the NTLM bits from the string.

woo
Barite | Level 11

Thanks Juan.

In fact, SAS documents say that "When you use IWA on UNIX, only Kerberos connections are supported (there is no support for NTLM on UNIX)", and as you mentioned, my errors are telling me SAS is still picking NTLM, but I am not sure what needs to be done to tell SAS DO NOT USE NTLM.

JuanS_OCS
Amethyst | Level 16

Hello @woo,

Basically you need to remove the "NTLM" strings from the metadata definitions, leaving only "Kerberos".

And you need to ensure the Kerberos TGTs with the keytab.

The best is to refer to @StuartRogers's papers. He is the MAN for those topics.

http://support.sas.com/resources/papers/proceedings13/476-2013.pdf

https://support.sas.com/resources/papers/proceedings16/SAS3443-2016.pdf

Additionally, in the SAS doc:

http://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n1d1zo1jsf2o0en1eh...

http://support.sas.com/documentation/cdl/en/bisecag/61133/HTML/default/viewer.htm#a003276221.htm#a00...

woo
Barite | Level 11

Also, if I remove the NTLM string and keep the settings below in place,

security package: Negotiate

Security package list: Kerberos

it throws the error below:

SEC_E_TARGET_UNKNOWN

security package failed while authenticating a user

alexal
SAS Employee

@woo,

You are getting the message about NTLM authentication because GSSAPI authentication has failed and it falls back to NTLM, which is next in the list. SAS does not support NTLM authentication. SEC_E_TARGET_UNKNOWN is a GSSAPI error meaning that the client cannot be found in the Kerberos database. Are you sure you have created SAS/ SPN?

woo
Barite | Level 11

Thanks Alex, our sys admin team is trying to figure out if they have set that correctly. To me it doesn't look like it, as I am not getting any output for the "setspn" cmd below from my local machine. At the same time I can ping the metadata server fine from my local machine (Windows), and nslookup resolves to the metadata hostname with that IP.

setspn -Q SAS/xyz@abc.com

No such SPN found

alexal
SAS Employee

@woo,

Yes, you have to fix a problem with SAS/ SPN. Let me know if you need any help after that.
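
A Linux-side counterpart to the SPN check discussed above, as an added example that is not part of the thread or of SAS code: it reads MIT `klist -k` output and reports whether the wanted SAS/ principal is in the keytab exactly, only with different letter case, only for another host, or not at all. The host name, realm and keytab listing are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `klist -k` style output on stdin
# and reports how the wanted service principal relates to the keytab entries.
check_spn() {
    awk -v want="$1" '
        # Data rows are "<kvno> <principal>"; header rows do not start with a number.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = $2
            if (p == want) {
                exact = 1
                # A principal is listed once per key; report each kvno once.
                if (!($1 in seen)) { seen[$1] = 1; kv = (kv == "" ? "" : kv ",") $1 }
            } else if (tolower(p) == tolower(want)) {
                if (ci == "") ci = p          # same name, different letter case
            } else {
                split(p, a, "/"); split(want, b, "/")
                # Same service class (text before "/") but a different host or realm.
                if (index(p, "/") > 0 && a[1] == b[1] && other == "") other = p
            }
        }
        END {
            if (exact)            print "OK kvno=" kv
            else if (ci != "")    print "CASE_MISMATCH " ci
            else if (other != "") print "OTHER_HOST " other
            else                  print "MISSING"
        }'
}

# Constructed sample listing (host, realm and path are placeholders).
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/constructed/sas.keytab
KVNO Principal
---- --------------------------------------------------
   3 SAS/meta01.example.com@EXAMPLE.COM
   3 SAS/meta01.example.com@EXAMPLE.COM
   2 host/meta01.example.com@EXAMPLE.COM
EOF
}

sample_listing | check_spn 'SAS/meta01.example.com@EXAMPLE.COM'
```

On a real server the listing would come from piping `klist -k` for the keytab in use into `check_spn`.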

RupaJ
Lapis Lazuli | Level 10

Hello @woo

How did you fix this error? I am getting the same error when logging in to SAS MC with IWA.
