Hi,
I face an issue trying to set IWA auth for users. IWA is functional for web applications, but I am unable to start a workspace via the SASStudio application or via EG.
My configuration:
- Middle tier, meta, compute on three separate Linux servers (RH)
- Workspace server is bound to an LDAP directory via PAM.
- Kerberos binding to AD is functional (other middle tier apps start well with IWA)
As you see below, the Kerberos auth and delegation seem OK, but the workspace doesn't start.
I guess that I face a user mismatch between the AD and the LDAP (users are lowercase in the LDAP, e.g. "albert").
I wonder if there is a way to bind the username returned by the IWA auth with the LDAP user, as this one is used to launch the workspace.
Or maybe I am going the wrong way?
Here are the ObjectSpawner logs (the user has been changed):
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >metaserver< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >bifrmetadev.compagny.fr<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >metaport< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >8561<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >metarepository< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >Foundation<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >locale< (Client requirement)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >fr_FR<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >objectserver< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >objectserverparms< (Standard options)
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >protocol=bridge spawned spp=43996 cid=0 dnsmatch=bifrcompdev.agf.fr pb classfactory=440196D4-90F0-11D0-9F41-00A024BB830C server=OMSOBJ:SERVERCOMPONENT/A5MARO40.AY000009 cel=credentials recon<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - Environment variables are:
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >METAUSER<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >ALBERT @!*(generatedpassworddomain)*!<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >METAPASS<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - >********<
2019-04-12T14:27:54,760 DEBUG [00000057] :ALBERT - Obtained krb5 ccache handle: 7fb898021630
2019-04-12T14:27:54,812 DEBUG [00000057] :ALBERT - Freed krb5 ccache handle: 7fb898021630
2019-04-12T14:27:54,813 ERROR [00000057] :ALBERT - Access denied.
2019-04-12T14:27:54,813 ERROR [00000057] :ALBERT - The launch of server SASApp - Workspace Server for user ALBERT failed.
Here is the sasauth-debug.logcat
20190412-14:40:25 Authenticating user ALBERT via GSS
20190412-14:40:25 Context username: ALBERT @GROUPE.COMPAGNY.FR
20190412-14:40:25 Context username length: 24
20190412-14:40:25 Server Name: SAS/bifrcompdev.compagny.fr@GROUPE.COMPAGNY.FR
20190412-14:40:25 Unknown user when getting user attributes.
20190412-14:40:25 User ALBERT did not authenticate. Reason: 'Unspecified reason.' (gss)
20190412-14:40:25 Request failed: 'User did not authenticate.'
You need to configure case insensitive usernames in SSSD. Look for case_sensitive in sssd.conf or talk to your Linux Administrator. Commands like "getent passwd ALBERT" or "getent passwd albert" have to return the same output.
Hello alexal,
getent passwd ALBERT returns nothing
but
getent passwd albert returns:
albert:*:24242:20000:albert:/net/home/albert:/usr/bin/ksh
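The check described in the answer, as an added example that is not part of the original thread: it compares the `getent passwd` result for both spellings of a login and lists the `case_sensitive` value of each domain section in sssd.conf. It assumes SSSD serves the passwd lookups and that the configuration is at the default /etc/sssd/sssd.conf; the function names are illustrative.

```shell
#!/bin/sh
# Added example. Assumes SSSD serves the passwd map; helper names are illustrative.
# The setting itself lives in the domain section of sssd.conf:
#   [domain/<name>]
#   case_sensitive = false

# NSS lookup, isolated in a function so it can be replaced when testing.
lookup() { getent passwd "$1"; }

# Succeeds only when the lower- and upper-case spellings of a login resolve
# to the same non-empty passwd entry (the condition stated in the answer).
same_entry_any_case() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    a=$(lookup "$lower") || a=
    b=$(lookup "$upper") || b=
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print "<section> <value>" for every [domain/...] section of an sssd.conf;
# "unset" means the provider's default applies.
domain_case_settings() {
    awk '
        function emit() { if (sec != "") print sec, (val == "" ? "unset" : val) }
        /^[ \t]*\[/ {
            emit(); sec = ""; val = ""
            if ($0 ~ /^[ \t]*\[domain\//) {
                sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            }
            next
        }
        sec != "" && /^[ \t]*case_sensitive[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        }
        END { emit() }
    ' "$1"
}

# Usage: sh check_case.sh <login> [path to sssd.conf]
if [ "$#" -ge 1 ]; then
    conf=${2:-/etc/sssd/sssd.conf}
    if [ -r "$conf" ]; then domain_case_settings "$conf"; fi
    if same_entry_any_case "$1"; then
        echo "OK: $1 resolves identically in both cases"
    else
        echo "MISMATCH: $1 does not resolve identically in both cases" >&2
        exit 1
    fi
fi
```

sssd.conf is normally readable by root only, so the settings listing appears only when the script runs with sufficient privileges; the lookup comparison works for any user.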