08-17-2017 09:42 AM
We have multiple domains at our organization. We have IWA implemented and everyone on the same domain as the SAS servers uses IWA on the applications without any issue.
However, IWA doesn't work for our other domains. If we have the secondary users enter their credentials in the EG profile rather than use IWA, they are able to get into EG, but when trying to start an ObjectSpawner (expand SASApp), it times out saying it's not a valid login.
SAS support had suggested defining 2 DefaultAuth logins for the user profile, one with DOMAIN\username and one with just username (even though the application warns not to do that). With this configuration, when they try to log in either with IWA or by using credentials, they can get into EG, but the user crashes all the ObjectSpawners on all compute nodes.
That all being said, does anyone have any suggestions? SAS support is also stumped on this issue and I find it difficult to believe that we are the only SAS client that uses multiple domains.
Thanks for any assistance anyone can provide!!!
08-18-2017 08:50 AM
Like I said on a track, we had a conversation with Red Hat about your problem and they confirmed that a new IdM functionality in RHEL version 7.4 (which was released less than two weeks ago) has the ability to authenticate users from multiple Active Directory domains using short names:
SSSD supports user and group lookups and authentication with short names in AD environments
Previously, the System Security Services Daemon (SSSD) supported user names without the domain component, also called short names, for user and group resolution and authentication only when the daemon was joined to a standalone domain. Now, you can use short names for these purposes in all SSSD domains in these environments:
The output format of all commands is always fully-qualified even when using short names. This feature is enabled by default after you set up a domain's resolution order list in one of the following ways (listed in order of preference):