Hello friends, we are trying to implement SSO and are trying to test it with the metadata server as a first step. Object spawner are SPNs registered). We have a keytab file with "sas installer id" as well. The sysadmin seems to have completed configuration from their side.
SAS 9.4 M5 Grid / Linux / MIT Kerberos / AD / LDAP
I generated a Kerberos ticket and have it on my desktop as well as on the Linux side.
The KRB5CCNAME and KRB5_CONFIG environment variables have been assigned on the Windows side.
Now, when I try to open SAS MC with my id (userid) by selecting "use IWA (SSO)", I am receiving the error below.
The application could not log on to the server. IWA failed.
Access denied. NTLM authentication is not supported.
The metadata log is showing "NTLM authentication is not supported" as well...
Any direction??? Thank you.
In fact, the SAS documents say that "When you use IWA on UNIX, only Kerberos connections are supported (there is no support for NTLM on UNIX)", and as you mentioned, my errors are telling me SAS is still picking NTLM, but I am not sure what needs to be done to tell SAS DO NOT USE NTLM.
Basically you need to remove the "NTLM" strings from the metadata definitions, leaving only "Kerberos".
And you need to ensure the Kerberos TGTs with the keytab.
The best is to refer to @StuartRogers 's papers. He is the MAN for those topics.
Additionally, in SAS doc:
You are getting the message about NTLM authentication because GSSAPI authentication has failed and it falls back to NTLM, which is next in the list. SAS does not support NTLM authentication. SEC_E_TARGET_UNKNOWN is a GSSAPI error meaning that client cannot be found in the Kerberos database. Are you sure you have created SAS/ SPN?
Thanks Alex, our sysadmin team is trying to figure out if they have set that correctly. To me it doesn't look like it, as I am not getting any output for the "setspn" command below from my local machine. At the same time I can ping the metadata server fine from my local machine (Windows), and nslookup resolves to the metadata hostname with that IP.
setspn -Q SASemail@example.com
No such SPN found
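For the fallback described in this thread (Kerberos fails, the client offers NTLM, the UNIX server rejects it), here is an added example that is not part of the original posts and is not SAS code: given a captured initial authentication token in base64, it lists the mechanisms the client offered. The sample tokens are constructed, and all function names are hypothetical.

```python
import base64

KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
NAMES = {KRB5: "Kerberos", MS_KRB5: "Kerberos (MS legacy OID)", NTLMSSP: "NTLM"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def offered_mechanisms(token_b64):
    """List, in order, the mechanisms an initial GSSAPI/SPNEGO token offers."""
    tok = base64.b64decode(token_b64)
    if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM message, no SPNEGO wrapper
        return ["NTLM"]
    tag, body, _ = read_tlv(tok)
    if tag != 0x60:
        raise ValueError("not a GSSAPI initial context token")
    _, oid, pos = read_tlv(body)
    if oid != SPNEGO:  # bare mechanism token, e.g. Kerberos without SPNEGO
        return [NAMES.get(oid, oid.hex())]
    _, neg_init, _ = read_tlv(body, pos)      # [0] NegTokenInit
    _, fields, _ = read_tlv(neg_init)         # SEQUENCE
    _, mech_types, _ = read_tlv(fields)       # [0] mechTypes
    _, mech_list, _ = read_tlv(mech_types)    # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = read_tlv(mech_list, pos)
        mechs.append(NAMES.get(oid, oid.hex()))
    return mechs

def kerberos_offered(token_b64):
    return any(m.startswith("Kerberos") for m in offered_mechanisms(token_b64))

def der(tag, body):  # short-form DER encoder, used only to build the samples
    return bytes([tag, len(body)]) + body

def sample_token(*oids):  # constructed SPNEGO NegTokenInit with no mechToken
    mech_list = der(0x30, b"".join(der(0x06, o) for o in oids))
    init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    return base64.b64encode(der(0x60, der(0x06, SPNEGO) + init)).decode()

TOKEN_WITH_TICKET = sample_token(MS_KRB5, KRB5, NTLMSSP)  # constructed sample
TOKEN_FALLBACK = sample_token(NTLMSSP)                    # constructed sample
```

A token for which `kerberos_offered` returns False is the kind the metadata server answers with "NTLM authentication is not supported"; the SPN and the client's service ticket are then the things to check.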