BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
Lenvdb
Quartz | Level 8

Hi All

 

We have a Clustered Metadata server (3 x Win 2012 R2 VMs) and 2 Compute servers which are Load Balanced.

We want to switch from user login to sso using IWA/Kerberos.

 

In doing so we discovered that one of our Compute Servers are missing SPNs.

 

Question: We can manually create the required SPNs, but which SAS Service account is best used for the SPN?

SASINST, SASSRV or SASADM?

 

And then does it have to be the same service account used for ALL the SPNs on each server. The installers cannot remember how the original SPNs were set up during the initial installation.

 

1 ACCEPTED SOLUTION

Accepted Solutions
alexal
SAS Employee

@Lenvdb,

The Security System has received an authentication request that could not be decoded. The request has failed.

I suggest contacting Microsoft Technical Support about this problem.

View solution in original post

8 REPLIES 8
alexal
SAS Employee

@Lenvdb,

 

How to Configure Integrated Windows Authentication

 

...

If the metadata server is clustered and runs on Windows, or if your SAS servers are configured using DNS aliases, manually register SPNs. See Manual Registration.

...

 

Manually Registering Object Spawner SPNs

 

When using a service level account to run the object spawner service in a SAS Grid environment, you need to configure the default SPNs:

 

setspn –A SAS/computerNetbios –u domain\ObjectSpawnerServiceAccount
setspn –A SAS/computerFullname –u domain\ObjectSpawnerServiceAccount

In non-grid environments, you can configure custom SPNs, such as the following:

 

setspn –A SASWS/computerNetbios –u domain\ObjectSpawnerServiceAccount
setspn –A SASWS/computerShortname –u domain\ObjectSpawnerServiceAccount
Lenvdb
Quartz | Level 8
@alexal

Thank you for this. Yes - I saw these instructions. My problem is I am new to this organisation and I was not there when it was installed on the original server, so I have no idea what the correct service account to use would be: SASINST? SASSRV? What I am really asking is if someone here has done this before, which account is recommended? I will most likely need to go and delete/recreate the SPNs previously set up, and document this so they know what I did to install IWA. We do not use Grid. Yet our 1st Compute node was set up as SAS/SASServ1 and not SASWS/SASServ1.

Thank you for your reply.
Much appreciated.
alexal
SAS Employee

@Lenvdb,

 

The object spawner is up and running now? Who started it? Most likely SASINST will be the service account. SASSRV is the account that is used for SAS Token Authentication.

Lenvdb
Quartz | Level 8

@alexal

 

Thanks again for your reply...

 

I would assume that it is the SASINST account, as it is used for about everything else.

I had a look at the Object Spawners and they seem to run under a Local System Account

image.png

Lenvdb
Quartz | Level 8

We have now set up some SPN's on the Compute node which had these missing.

 

We have a number of users complaining about not getting access to our SAS Metadata using IWA.

 

We have 3 Metadata Nodes in our cluster:

VM1

VM2 (Master)

VM3

 

On Node VM1 we regularly get these errors in the Log:

2017-10-26T08:33:00,805 INFO [09550903] :sasinst@xxxxxxxxxxxxxx - Client connection 26275365 for user sasevs@saspw closed.
2017-10-26T08:33:01,805 INFO [09550910] :sasinst@xxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T08:33:01,805 WARN [09550910] :sasinst@xxxxxxxxx - New client connection (26274325) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.4.96]:63063 for APPNAME=SAS Enterprise Guide.
2017-10-26T08:33:01,805 INFO [09550910] :sasinst@xxxxxxxxxx - Client connection 26274325 closed.
2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T08:33:01,805 WARN [09418531] :sasinst@xxxxxxxx - New client connection (26273718) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.4.96]:63062 for APPNAME=SAS Enterprise Guide.
2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxxxxxx - Client connection 26273718 closed.

 

These errors do not appear on VM2 or VM3.

 

What could be the cause for this?

How do we fix it?

 

 

I also saw this error in our Event Log on VM1:

 

Activation context generation failed for "c:\program files\SASHome\sasdeploymentmanager\9.4\products\cfgwizard__94260__prt__xx__sp0__1\utilities\w64\sasshortcutmgr.exe". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="ia64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found. Please use sxstrace.exe for detailed diagnosis.

alexal
SAS Employee

@Lenvdb,

 

You have to pay attention to this message in your log:

2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
What could be the cause for this?

Most likely there was a problem with TCP communication, for an example with DNS server. Are you sure you have no messages such this in the event viewer?

 

A socket operation was attempted to an unreachable host.

Lenvdb
Quartz | Level 8

@alexal

 

Hi Alex

Sorry if I was unclear - this WAS the log entry in the event viewer in Windows.

But it only happens on VM1 using IWA, not on VM2 or VM3.

 

The System Event Viewer shows :

The Security System has received an authentication request that could not be decoded. The request has failed.

 

 

At the same time a Log was recorded in SAS Metadata:

 

2017-10-26T11:37:00,385 INFO [09785175] 26273237:sasinst@xxxxxxxxxxxxxL - Client connection 26273237 for user XSSEXEC@xxxxxxxxxxxxxxxxx closed.
2017-10-26T11:37:06,621 INFO [09785027] :sasinst@xxxxxxxxxxxxxxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T11:37:06,621 WARN [09785027] :sasinst@xxxxxxxxxxxxxxxxxxxxx - New client connection (26276397) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.2.22]:61955 for APPNAME=SAS Enterprise Guide.
2017-10-26T11:37:06,621 INFO [09785027] :sasinst@xxxxxxxxxxxx - Client connection 26276397 closed.

 

alexal
SAS Employee

@Lenvdb,

The Security System has received an authentication request that could not be decoded. The request has failed.

I suggest contacting Microsoft Technical Support about this problem.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 8 replies
  • 1948 views
  • 2 likes
  • 2 in conversation