Architecting, installing and maintaining your SAS environment

ObjectSpawner Authentication for Secondary Domain

New Contributor
Posts: 2

We have multiple domains at our organization. We have IWA implemented, and everyone on the same domain as the SAS servers uses IWA on the applications without any issue.

However, IWA doesn't work for our other domains. If we have the secondary users enter their credentials in the EG profile rather than use IWA, they are able to get into EG, but when trying to start an ObjectSpawner (expand SASApp), it times out, saying it's not a valid login.

SAS support had suggested defining 2 DefaultAuth logins for the user profile, one with DOMAIN\username and one with just username (even though the application warns not to do that). With this configuration, when they try to log in either with IWA or by using credentials, they can get into EG, but the user crashes all the ObjectSpawners on all compute nodes.

That all being said, does anyone have any suggestions? SAS support is also stumped on this issue, and I find it difficult to believe that we are the only SAS client that uses multiple domains.

Thanks for any assistance anyone can provide!!!

John

SAS Employee
Posts: 319

Re: ObjectSpawner Authentication for Secondary Domain

@jwward65,

Is this Windows or Linux? Also, I want to know your track number.

New Contributor
Posts: 2

Re: ObjectSpawner Authentication for Secondary Domain

Linux RH 7.3

#7612120188

SAS Employee
Posts: 319

Re: ObjectSpawner Authentication for Secondary Domain

@jwward65,

As I said on the track, we had a conversation with Red Hat about your problem, and they confirmed that new IdM functionality in RHEL version 7.4 (which was released less than two weeks ago) has the ability to authenticate users from multiple Active Directory domains using short names:

SSSD supports user and group lookups and authentication with short names in AD environments

Previously, the System Security Services Daemon (SSSD) supported user names without the domain component, also called short names, for user and group resolution and authentication only when the daemon was joined to a standalone domain. Now, you can use short names for these purposes in all SSSD domains in these environments:

  • On clients joined to Active Directory (AD)
  • In Identity Management (IdM) deployments with a trust relationship to an AD forest

The output format of all commands is always fully-qualified even when using short names. This feature is enabled by default after you set up a domain's resolution order list in one of the following ways (listed in order of preference):

  • Locally, by configuring the list using the domain_resolution_order option in the [sssd] section of the /etc/sssd/sssd.conf file
  • By using an ID view

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/new_...
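
The release note quoted above names the domain_resolution_order option. As an added illustration (not from the thread, SAS, or Red Hat), here is a minimal /etc/sssd/sssd.conf fragment using it; the domain names are placeholders, and it assumes a RHEL 7.4 host on which the secondary domain is already visible to SSSD.

```ini
# /etc/sssd/sssd.conf (fragment): constructed example, domain names are placeholders.
# The file must be owned by root with mode 0600 or sssd will not start.

[sssd]
services = nss, pam

# Domain this host is joined to (placeholder).
domains = primary.example.com

# Order in which a short name such as "jdoe" is looked up.
# The first domain in the list that contains the name wins, so a short
# name that exists in both domains resolves to the account in
# primary.example.com. Check for colliding short names before enabling
# this, because the order decides which account is authenticated.
domain_resolution_order = primary.example.com, secondary.example.com

[domain/primary.example.com]
id_provider = ad
access_provider = ad
```

After restarting sssd, `getent passwd` with a short name shows which domain that name resolved to, since the output is always fully qualified.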
