BookmarkSubscribeRSS Feed
jwward65
Obsidian | Level 7

We have muliple domains at our organization.  We have IWA implemented and everyone on the same domain as the SAS servers use IWA on the applications without any issue.  

 

However, IWA doesn't work for our other domains.  If we have the secondary users enter thier credentials in the EG profile rather than use IWA, they are able to get into EG, but when trying to start an ObjectSpawner (expand SASApp), it times-out saying it's not a valid login.

 

SAS support had suggested defining 2 DefaultAuth logins for the user profile, one with DOMAIN\username and one just username (even though the application warns not to do that).  With this configuration, when they try to login either with IWA or by using credentials, can get into EG, but user crashes all the ObjectSpawners on all compute nodes.

 

That all being said, does anyone have any suggestions.  SAS support is also stumped on this issue and I find it difficult to believe that we are the only SAS client that uses multiple domains.

 

Thanks for any assistance anyone can provide!!!

John

3 REPLIES 3
alexal
SAS Employee

@jwward65,

 

This is Windows or Linux? Also, I want to know your track number.

jwward65
Obsidian | Level 7

Linux RH 7.3

 

#7612120188

alexal
SAS Employee

@jwward65,

 

Like I said on a track, we had a conversation with Red Hat about your problem and they confirmed that a new IdM functionality in RHEL version 7.4 (which has been released less than two weeks ago) has the ability to authenticate users from multiple Active Directory domains using short names:

 

SSSD supports user and group lookups and authentication with short names in AD environments

 

Previously, the System Security Services Daemon (SSSD) supported user names without the domain component, also called short names, for user and group resolution and authentication only when the daemon was joined to a standalone domain. Now, you can use short names for these purposes in all SSSD domains in these environments:

 

  • On clients joined to Active Directory (AD)
  • In Identity Management (IdM) deployments with a trust relationship to an AD forest

The output format of all commands is always fully-qualified even when using short names. This feature is enabled by default after you set up a domain's resolution order list in one of the following ways (listed in order of preference):

 

  • Locally, by configuring the list using the domain_resolution_order option in the [sssd]section of the /etc/sssd/sssd.conf file
  • By using an ID view

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/new_...

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • 1218 views
  • 2 likes
  • 2 in conversation