I don't know if this is the right place to ask this question. If it's not, please let me know where to move it.
Has anyone else had the problem of the SAS Personal Login Manager not updating a password in metadata?
Here's the problem: A user changes their password in a system on the system itself and in the corresponding authdomain in the SAS Personal Login Manager. It might be their login/Active Directory password, which we tell them to store in DefaultAuth, or it might be a database with its own authdomain.
When they try to use the authdomain, authentication fails. We usually ask them to re-enter the password in Login Manager, and about 80% of the time that solves the problem. We assume they just mistyped the password. If that doesn't work the first time, we ask them to type the password into Notepad, where they can see it, and then copy and paste it into the destination system to make sure it works there. Sometimes the password isn't what they think it is. If the pasted password works directly on the destination system, we ask them to paste it into the Personal Login Manager and try again. That solves maybe another 14% of the problems.
But occasionally, a few times a month, that doesn't work either. I then ask them to use the command line SetPassword utility in the SASPlatformObjectFramework directory (I've wrapped a script around it so they don't have to know the location or syntax). So far, that has always worked.
I couldn't find any problem reports about the Personal Login Manager, but I might have missed something. Has anyone else noticed this problem?
We're upgrading from 9.4m5 to 9.4m7 later this year, and hope that will make the problem go away.
As far as I know, there is no programmable API usable outside of SAS and no web interface to the password manager. The Personal Login Manager, Enterprise Guide, the command line utility, and the data step metadata functions are the only way to change passwords. Maybe the SAS Management Console as well, but most users do not have that installed. I must be missing something. How do users with only SAS Studio or AMO change their authdomain passwords?
Transferring the task to change her/his own password in metadata to the end user might be risky. As far as I know, SAS doesn't publicly document coding APIs to insert a password string into the metadata repository. If you search thoroughly through this very forum's archives, you might find interesting pieces of code (...) to guide you in that way, riskier still in my opinion.
In your case, a new approach could be useful: have you, for instance, considered setting up Single Sign On (SSO) authentication like IWA/Kerberos or SAML between Windows and the SAS servers? Taking such a step removes the need to store Windows AD credentials in metadata, merely propagating a Windows personal token onto the SAS servers when a SAS session is launched. Sometimes this is not feasible, unfortunately. Then, instead of updating the password which spares ... retyping the password, you can also train your SAS users with KeePass (free) or any digital vault that can safely store a login/password and type it *automatically* (that is, via a fixed keystroke) into the user/pwd field.
The same logic goes for DBMS user/logins: choosing SSO between SAS and the external database or using a personal password manager to fill in the password when it is needed.
Storing a password copy in metadata is not recommended unless you have a viable method/tool to change it.
Sorry if these general considerations don't address your specific points, I think it's sometimes worth reconsidering old habits and usual processes. FYI, SAS does provide a Web UI that allows you to change a login password. It's called SAS Web Environment Manager Administration: https://documentation.sas.com/doc/en/bicdc/9.4/evadmug/p1oo51oqq6tuchn1si35myscl4x4.htm
I won't elaborate further on its requirements; there are Roles in metadata to access the Web Environment Manager. But, like the SAS Management Console, it's rather an administration power tool than a user-friendly utility.
SAS provides and documents the SetPassword command line utility, which is in "C:\Program Files\SASHome\SASPlatformObjectFramework\9.4" or its equivalent on your OS. It was recommended to me by SAS Tech Support.
We're working on improved inter-system authentication, but by policy we will not have SSO on databases containing patient information.
Thank you for mentioning the environment manager. I will look into it.
Here are my thoughts on your problem:
1. "We're upgrading from 9.4m5 to 9.4m7 later this year, and hope that will make the problem go away."
This version of SAS has SAS EG 8.x, and login manager is no longer available in SAS EG. It is in the install directory.
2. For changing login/Windows/AD passwords it is better to use the operating system utilities rather than SAS login manager.
As a corollary, the default auth password should not be stored in the metadata. SAS does not need any user's login passwords to be stored in the metadata.
3. What remains is that users must be using login manager to store their database access passwords for various authdomains.
A good practice is to assign privileges/access/roles using groups. There would be no need to store passwords in the metadata.
Following this practice there would be hardly any need to store passwords in the metadata.
4. Changing user behavior/practices is not easy. But you have a silver lining: the move to a newer version of SAS.
I suggest that you make use of this opportunity and try doing away with user password storage in metadata.