nirolf
Calcite | Level 5

Hi,

I am facing an issue trying to set up IWA auth for users. IWA is functional for the metadata server, but I am unable to start a workspace server via SAS EG.

 

My configuration:

- metadata and compute on two separate Linux servers (RH)
- the Workspace Server is bound to an LDAP directory via PAM
- Kerberos binding to AD is functional on the metadata server and the app server: using the SAS Integration Technologies Configuration tool I can connect using "Negotiate" to the Metadata Server and the Object Spawner, but not to the Workspace Server

 

As you can see below, the Kerberos auth and delegation seem OK, but the workspace server doesn't start.

I've tried everything I could find regarding this error (for example, getent user.name@domain.com and getent USER.NAME@domain.com both work) to no avail.

 

2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - IOM RETURN OMIProxy 0={compRef:7fba8520da20}->CompDtor()
2020-07-01T22:48:16,111 TRACE [00000047] :user.name - IOM LOGIC TKIOM: delete compRef=7fba8520da20 for OMIProxy
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - Application-specific option lookup skipped because no application name is provided for client 11.
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name - Command being used is /sas/sasconfig/Lev1/SASAppOne/WorkspaceServer/WorkspaceServer.sh.
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name -    >noterminal< (Standard options)
2020-07-01T22:48:16,111 DEBUG [00000047] :user.name -    >netencryptalgorithm< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >SASProprietary<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >metaserver< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >srvsasmetak01t.company.com<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >metaport< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >8561<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >metarepository< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >Foundation<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >locale< (Client requirement)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >en_US<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >objectserver< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >objectserverparms< (Standard options)
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >protocol=bridge spawned spp=39532 cid=0 dnsmatch=srvsasappk01t.company.com pb classfactory=440196D4-90F0-11D0-9F41-00A024BB830C server=OMSOBJ:SERVERCOMPONENT/A504E8PI.AY00000A cel=credentials recon<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -  Environment variables are:
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >METAUSER<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >user.name@!*(generatedpassworddomain)*!<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -    >METAPASS<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name -       >********<
2020-07-01T22:48:16,112 DEBUG [00000047] :user.name - Obtained krb5 ccache handle: 7fba8801b8f0
2020-07-01T22:48:16,113 WARN  [00000047] :user.name - The destination buffer size was not sufficient for the requested password.
2020-07-01T22:48:16,124 DEBUG [00000047] :user.name - Freed krb5 ccache handle: 7fba8801b8f0
2020-07-01T22:48:16,124 ERROR [00000047] :user.name - Access denied.
2020-07-01T22:48:16,124 ERROR [00000047] :user.name - The launch of server SASAppOne - Workspace Server for user user.name failed.
2020-07-01T22:48:16,124 TRACE [00000047] :user.name - IOM FIRE-EVENT {compRef:7fba8520d960}->ObjectSpawner::ServerFailed():
 logicalServer=SASAppOne - Logical Workspace Server
 serverComponent=SASAppOne - Workspace Server

 

 

Here is the sasauth-debug.log:

 

20200701-22:14:04 KRB5CCNAME was not set; we'll see if something happens later
[...]
20200701-22:48:16 Authenticating user user.name via GSS
20200701-22:48:16 Context username: user.name@company.com
20200701-22:48:16 Context username length: 21
20200701-22:48:16 Server Name: SAS/srvsasappK01t.company.com@company.com
20200701-22:48:16 Unknown user when getting user attributes.
20200701-22:48:16 User user.name did not authenticate. Reason: 'Unspecified reason.' (gss)
20200701-22:48:16 Request failed: 'User did not authenticate.'
I am not sure about that warning about KRB5CCNAME; what should I set it to? I've seen this, but I can't find a file named "krb5cc_*". My krb5.conf has this option by default:

default_ccache_name = KEYRING:persistent:%{uid}

Any ideas?

 


6 REPLIES
alexal
SAS Employee

@nirolf,

It looks like your Linux server isn't connected to Active Directory. What is the output of the following command?

getent passwd user.name

Also, we do not support keyrings, only file-based Kerberos tickets.

nirolf
Calcite | Level 5

The server is connected to AD. Using SAS I can start the Workspace Server with user.name@company.com, but without IWA.

getent user.name@domain.com and getent USER.NAME@domain.com both work, and return:

 

user.name@company.com:*:1742386352:1112800513:User Name:/home/user.name@company.com:/bin/bash

 

I changed the krb5.conf to: default_ccache_name = FILE:/tmp/krb5cc_%{uid}

But it seems that the file /tmp/krb5cc_1742386352 gets created only if I run kinit -V user.name@COMPANY.COM. When connecting with EG, for example, I see this:

 

[12253] 1593637956.856010: Decrypted AP-REQ with server principal SAS/srvsasappK01t.company.com@company.com: rc4-hmac/03B7
[12253] 1593637956.856011: AP-REQ ticket: user.name@company.com -> SAS/srvsasappK01t.company.com@company.com, session key rc4-hmac/DD52
[12253] 1593637956.856012: Negotiated enctype based on authenticator: aes256-cts
[12253] 1593637956.856013: Authenticator contains subkey: rc4-hmac/A744
[12253] 1593637956.856014: Resolving unique ccache of type MEMORY
[12253] 1593637956.856015: Initializing MEMORY:t2RN587 with default princ user.name@company.com
[12253] 1593637956.856016: Storing user.name@company.com -> krbtgt/company.com@company.com in MEMORY:t2RN587
[12253] 1593637956.856018: Creating AP-REP, time 1593637956.6499, subkey aes256-cts/BEAC, seqnum 497277098
[12253] 1593637956.856029: Resolving unique ccache of type FILE
[12253] 1593637956.856030: Initializing FILE:/tmp/tktPDXsyq with default princ user.name@company.com
[12253] 1593637956.856033: Storing user.name@company.com -> krbtgt/company.com@company.com in FILE:/tmp/tktPDXsyq
[12253] 1593637956.856036: Destroying ccache MEMORY:t2RN587
[12253] 1593637956.856038: Destroying ccache FILE:/tmp/tktPDXsyq

 

alexal
SAS Employee

@nirolf,

20200701-22:48:16 Authenticating user user.name via GSS

I do not see any domain in the user name here. Are you sure you can authenticate on the server using only the user name, without specifying a domain?

nirolf
Calcite | Level 5

Without the domain it doesn't work, but what should I do to make that work? The server is connected to AD using PAM.

I noticed that the file tktPDXsyq doesn't exist:

Initializing FILE:/tmp/tktPDXsyq with default princ user.name@company.com
Storing user.name@company.com -> krbtgt/company.com@company.com in FILE:/tmp/tktPDXsyq

If I connect to the Object Spawner I get a new file, and that one I can see in /tmp.

nirolf
Calcite | Level 5

Thanks, that was it; I just forgot to post an update. I edited sssd.conf by adding this line to the [sssd] section:

default_domain_suffix = COMPANY.COM

 

 

alexal
SAS Employee
You're welcome. I'm glad the problem has been resolved.
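
The thread above boils down to three conditions on the SAS application server: the Kerberos credential cache must be FILE: based (alexal: keyrings are not supported), sasauth looks up the user by the short name it derives from the GSS principal ("user.name", not "user.name@company.com"), and for that short name to resolve sssd needs default_domain_suffix. The script below is an added example written for this page; it is not SAS code and not part of the original thread. It packages the three checks as a pre-flight test a practitioner can run before retrying an IWA workspace launch. The realm company.com, the sample krb5.conf and sssd.conf fragments and the sasauth log excerpt are constructed from what the posts show; the fake resolver stands in for getent/pwd so the example runs on a host that is not joined to AD.

```python
"""Pre-flight checks for SAS IWA workspace launches on Linux (added example, not SAS code)."""
import configparser
import re
from typing import Callable, List, Optional

# Assumption: realm taken from the principals in the thread's logs; adjust for your site.
REALM = "company.com"


def short_name(principal: str) -> str:
    """sasauth maps the GSS principal to a POSIX name by dropping the realm:
    'user.name@company.com' -> 'user.name'. That short name is what gets looked up,
    so `getent passwd user.name` must succeed on its own."""
    return principal.split("@", 1)[0]


def default_ccache_type(krb5_conf: str) -> str:
    """Return the ccache type named by default_ccache_name in krb5.conf
    ('FILE', 'KEYRING', ...). MIT krb5 defaults to FILE when the option is absent."""
    m = re.search(r"^\s*default_ccache_name\s*=\s*([A-Za-z]+):", krb5_conf, re.M)
    return m.group(1).upper() if m else "FILE"


def sssd_default_domain_suffix(sssd_conf: str) -> Optional[str]:
    """Return default_domain_suffix from the [sssd] section, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def sasauth_failed_unknown_user(sasauth_log: str) -> Optional[str]:
    """If sasauth-debug.log shows the 'Unknown user' failure from the thread, return the
    GSS principal it was trying to map; otherwise None."""
    if "Unknown user when getting user attributes." not in sasauth_log:
        return None
    m = re.search(r"Context username:\s*(\S+)", sasauth_log)
    return m.group(1) if m else ""


def _system_resolver(name: str):
    """Default resolver: the real NSS lookup (same source getent passwd uses)."""
    import pwd  # POSIX only, imported lazily so the module loads anywhere
    return pwd.getpwnam(name)


def run_checks(krb5_conf: str, sssd_conf: str, principal: str,
               resolver: Callable[[str], object] = _system_resolver) -> List[str]:
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    cc = default_ccache_type(krb5_conf)
    if cc != "FILE":
        findings.append(f"default_ccache_name uses {cc}:; SAS needs FILE:/tmp/krb5cc_%{{uid}}")
    realm = principal.partition("@")[2] or REALM
    suffix = sssd_default_domain_suffix(sssd_conf)
    # Assumption: the suffix should name the AD domain the principal belongs to.
    if suffix is None or suffix.lower() != realm.lower():
        findings.append(f"sssd.conf [sssd] default_domain_suffix is {suffix!r}, expected {realm}")
    name = short_name(principal)
    try:
        resolver(name)
    except KeyError:
        findings.append(f"getent passwd {name} fails; only the fully qualified name resolves")
    return findings


# Constructed samples modelled on the thread: the failing setup and the fixed one.
KRB5_CONF_BEFORE = "[libdefaults]\n default_realm = COMPANY.COM\n default_ccache_name = KEYRING:persistent:%{uid}\n"
KRB5_CONF_AFTER = KRB5_CONF_BEFORE.replace("KEYRING:persistent:%{uid}", "FILE:/tmp/krb5cc_%{uid}")
SSSD_CONF_BEFORE = "[sssd]\ndomains = company.com\nservices = nss, pam\n\n[domain/company.com]\nid_provider = ad\n"
SSSD_CONF_AFTER = SSSD_CONF_BEFORE.replace("services = nss, pam\n",
                                           "services = nss, pam\ndefault_domain_suffix = COMPANY.COM\n")
SASAUTH_LOG = (
    "20200701-22:48:16 Authenticating user user.name via GSS\n"
    "20200701-22:48:16 Context username: user.name@company.com\n"
    "20200701-22:48:16 Unknown user when getting user attributes.\n"
    "20200701-22:48:16 User user.name did not authenticate. Reason: 'Unspecified reason.' (gss)\n"
)


def fake_resolver(known: dict) -> Callable[[str], object]:
    """Stand-in for getent so the example runs without an AD-joined host."""
    def resolve(name: str):
        if name not in known:
            raise KeyError(name)
        return known[name]
    return resolve


# Before the fix only the fully qualified name resolves (as in the thread's getent output).
BEFORE = fake_resolver({"user.name@company.com": 1742386352})
# After default_domain_suffix the short name resolves as well.
AFTER = fake_resolver({"user.name@company.com": 1742386352, "user.name": 1742386352})

if __name__ == "__main__":
    principal = sasauth_failed_unknown_user(SASAUTH_LOG) or f"user.name@{REALM}"
    for label, k, s, r in (("before", KRB5_CONF_BEFORE, SSSD_CONF_BEFORE, BEFORE),
                           ("after", KRB5_CONF_AFTER, SSSD_CONF_AFTER, AFTER)):
        print(label, run_checks(k, s, principal, r) or ["all checks passed"])
```

On a real server drop the fake resolver and call run_checks with the contents of /etc/krb5.conf and /etc/sssd/sssd.conf; the default resolver then performs the same NSS lookup that getent passwd and sasauth do.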
