Hello friends, we are trying to implement SSO and trying to test it with the metadata server as a first step. Object spawner are SPNs registered). We have a keytab file with "sas installer id" as well. Sysadmin seems to have completed configuration from their side.
SAS 9.4 M5 Grid / Linux / MIT Kerberos / AD / LDAP
I generated a Kerberos ticket and have it on my desktop as well as on the Linux side.
KRB5CCNAME and KRB5_CONFIG environment variables have been assigned on the Windows side.
Now, when I try to open SAS MC with my id (userid) by selecting "use IWA (SSO)", I am receiving the error below.
The application could not log on to the server. IWA failed.
Access denied. NTLM authentication is not supported.
The metadata log is showing "NTLM authentication is not supported" as well...
Any direction??? Thank you.
Hello @woo,
Maybe I am wrong, but I think NTLM is not native to Linux, but to Windows (servers). This means that you would need to configure pure Kerberos connectivity in SAS, removing the NTLM bits from the string.
Thanks Juan.
In fact, the SAS documentation says that "When you use IWA on UNIX, only Kerberos connections are supported (there is no support for NTLM on UNIX)", and as you mentioned, my errors are telling me SAS is still picking NTLM, but I am not sure what needs to be done to tell SAS DO NOT USE NTLM.
Hello @woo,
basically you need to remove the "NTLM" strings from the metadata definitions, leaving only "Kerberos".
And you need to ensure the Kerberos TGTs with the keytab.
The best is to refer to @StuartRogers's papers. He is the MAN for those topics.
http://support.sas.com/resources/papers/proceedings13/476-2013.pdf
https://support.sas.com/resources/papers/proceedings16/SAS3443-2016.pdf
Additionally, in SAS doc:
Also, if I remove the NTLM string and keep the settings below in place,
security package: Negotiate
Security package list: Kerberos
it throws the error below:
SEC_E_TARGET_UNKNOWN
security package failed while authenticating a user
@woo,
You are getting the message about NTLM authentication because GSSAPI authentication has failed and it falls back to NTLM, which is next in the list. SAS does not support NTLM authentication. SEC_E_TARGET_UNKNOWN is a GSSAPI error meaning that client cannot be found in the Kerberos database. Are you sure you have created SAS/ SPN?
Thanks Alex, our sysadmin team is trying to figure out if they have set that correctly. To me it doesn't look like it, as I am not getting any output for the "setspn" command below from my local machine. At the same time I can ping the metadata server fine from my local machine (Windows), and nslookup resolves to the metadata hostname with that IP.
setspn -Q SAS/xyz@abc.com
No such SPN found
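The SPN question raised in the replies above can also be checked on the Linux side against the keytab. The following is an added example, not code from the thread or from SAS: it classifies whether the `SAS/<host>@<REALM>` principal appears in MIT `klist -k` output; the host `meta01.example.com`, realm `EXAMPLE.COM`, the keytab path, the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify whether the SPN a client will request is in the keytab.
# Input is the text printed by MIT `klist -k` (plain, -t and -e layouts).

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Extract unique principals: entry lines start with a numeric KVNO, and the
# principal is the first field containing '@'.
keytab_principals() {
  awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; break } }' | sort -u
}

# classify_spn SERVICE HOST REALM   (klist -k output on stdin)
# Prints one of: match | case-mismatch | shortname-only | missing
classify_spn() (
  want="$1/$2@$3"
  short="$1/${2%%.*}@$3"          # same SPN built from the short host name
  want_lc=$(lower "$want")
  result=missing
  for p in $(keytab_principals); do
    if [ "$p" = "$want" ]; then
      result=match; break
    elif [ "$(lower "$p")" = "$want_lc" ]; then
      result=case-mismatch          # MIT Kerberos compares names case-sensitively
    elif [ "$p" = "$short" ] && [ "$result" = missing ]; then
      result=shortname-only         # keytab has the short name, client asks for FQDN
    fi
  done
  printf '%s\n' "$result"
)

# Constructed sample listing; $1 is the SAS principal to include.
sample_klist() {
  cat <<EOF
Keytab name: FILE:/path/to/sas.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/meta01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 $1 (aes256-cts-hmac-sha1-96)
EOF
}

# Demo on constructed data. Real use (path is a placeholder):
#   klist -k /path/to/sas.keytab | classify_spn SAS "$(hostname -f)" EXAMPLE.COM
sample_klist 'SAS/meta01@EXAMPLE.COM' | classify_spn SAS meta01.example.com EXAMPLE.COM
```

A `match` here only shows the keytab side is consistent; the same principal still has to be registered in the directory for the KDC to issue a ticket for it.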
Hello @woo
How did you fix this error? I am getting the same error when logging in to SAS MC with IWA.