Hi All
We have a Clustered Metadata server (3 x Win 2012 R2 VMs) and 2 Compute servers which are Load Balanced.
We want to switch from user login to sso using IWA/Kerberos.
In doing so we discovered that one of our Compute Servers is missing SPNs.
Question: We can manually create the required SPNs, but which SAS Service account is best used for the SPN?
SASINST, SASSRV or SASADM?
And does it have to be the same service account used for ALL the SPNs on each server? The installers cannot remember how the original SPNs were set up during the initial installation.
How to Configure Integrated Windows Authentication
...
If the metadata server is clustered and runs on Windows, or if your SAS servers are configured using DNS aliases, manually register SPNs. See Manual Registration.
...
Manually Registering Object Spawner SPNs
When using a service level account to run the object spawner service in a SAS Grid environment, you need to configure the default SPNs:
setspn -A SAS/computerNetbios -u domain\ObjectSpawnerServiceAccount
setspn -A SAS/computerFullname -u domain\ObjectSpawnerServiceAccount
In non-grid environments, you can configure custom SPNs, such as the following:
setspn -A SASWS/computerNetbios -u domain\ObjectSpawnerServiceAccount
setspn -A SASWS/computerShortname -u domain\ObjectSpawnerServiceAccount
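The documentation above says which SPNs must exist but gives no way to check what is actually registered, which is the original question (missing SPNs, and whether every server uses the same account). The script below is an added example, not code from the SAS documentation or from anyone in this thread: it looks up each expected SAS/<host> SPN in Active Directory with the built-in [adsisearcher] type (no RSAT module needed) and reports whether it is missing, registered once, or registered on more than one object. Host names, the DNS domain and the account names are constructed placeholders.

```powershell
# Added example; not code from the SAS documentation quoted above or from anyone in this
# thread. Audits the SAS/<host> SPNs the documentation says must exist, using the built-in
# [adsisearcher] type (System.DirectoryServices), so no RSAT module is required.
# Host names, the DNS domain and the account names below are constructed placeholders.

$Hosts        = @('sascompute01', 'sascompute02', 'sasmeta01', 'sasmeta02', 'sasmeta03')
$DomainDns    = 'corp.example.com'
$ServiceClass = 'SAS'   # use 'SASWS' to audit the custom non-grid SPNs shown above

function Get-SpnOwners {
    # Returns the sAMAccountName of every AD object that carries the given SPN.
    # Reading servicePrincipalName needs only ordinary domain-user rights.
    param([Parameter(Mandatory)][string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($result in $searcher.FindAll()) {
        [string]($result.Properties['samaccountname'][0])
    }
}

$report = foreach ($h in $Hosts) {
    # The documentation registers both the NetBIOS and the fully qualified form.
    foreach ($name in @($h, "$h.$DomainDns")) {
        $spn    = "$ServiceClass/$name"
        $owners = @(Get-SpnOwners -Spn $spn)
        $state  = switch ($owners.Count) {
            0       { 'MISSING' }
            1       { 'OK' }
            default { 'DUPLICATE' }   # one SPN on two objects: the KDC may encrypt tickets with the other account's key
        }
        [pscustomobject]@{ Host = $h; SPN = $spn; State = $state; Owners = ($owners -join ', ') }
    }
}

$report | Format-Table -AutoSize

# Which accounts hold the SPNs right now. More than one entry here is not wrong by itself,
# but each SPN must sit on the account that the service on that host actually runs as.
$holders = $report | Where-Object State -eq 'OK' | Select-Object -ExpandProperty Owners -Unique
"Accounts currently holding $ServiceClass SPNs: $($holders -join ', ')"

# Registration commands for the gaps, printed rather than executed. setspn -S checks the
# forest for an existing duplicate before adding; -A (as in the documentation) does not.
$report | Where-Object State -eq 'MISSING' | ForEach-Object {
    "setspn -S $($_.SPN) <DOMAIN>\<account the object spawner service runs as>"
}
```

Run it from any domain-joined machine. The account the SPN belongs on is the one the service logs on as on that host, not a fixed choice between SASINST, SASSRV or SASADM: a service that runs as Local System or Network Service authenticates as the computer account, so its SPNs go on the computer object (DOMAIN\hostname$). A DUPLICATE row is worth fixing before anything else, since a ticket encrypted with the wrong account's key is exactly what the receiving server cannot decode.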
The object spawner is up and running now? Who started it? Most likely SASINST will be the service account. SASSRV is the account that is used for SAS Token Authentication.
Thanks again for your reply...
I would assume that it is the SASINST account, as it is used for about everything else.
I had a look at the Object Spawners and they seem to run under a Local System Account.
We have now set up some SPNs on the Compute node which had these missing.
We have a number of users complaining about not getting access to our SAS Metadata using IWA.
We have 3 Metadata Nodes in our cluster:
VM1
VM2 (Master)
VM3
On Node VM1 we regularly get these errors in the Log:
2017-10-26T08:33:00,805 INFO [09550903] :sasinst@xxxxxxxxxxxxxx - Client connection 26275365 for user sasevs@saspw closed.
2017-10-26T08:33:01,805 INFO [09550910] :sasinst@xxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T08:33:01,805 WARN [09550910] :sasinst@xxxxxxxxx - New client connection (26274325) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.4.96]:63063 for APPNAME=SAS Enterprise Guide.
2017-10-26T08:33:01,805 INFO [09550910] :sasinst@xxxxxxxxxx - Client connection 26274325 closed.
2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T08:33:01,805 WARN [09418531] :sasinst@xxxxxxxx - New client connection (26273718) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.4.96]:63062 for APPNAME=SAS Enterprise Guide.
2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxxxxxx - Client connection 26273718 closed.
These errors do not appear on VM2 or VM3.
What could be the cause for this?
How do we fix it?
I also saw this error in our Event Log on VM1:
Activation context generation failed for "c:\program files\SASHome\sasdeploymentmanager\9.4\products\cfgwizard__94260__prt__xx__sp0__1\utilities\w64\sasshortcutmgr.exe". Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="ia64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762" could not be found. Please use sxstrace.exe for detailed diagnosis.
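The log lines quoted in the post carry everything needed to see which node, which client IP and which SSPI error are involved, but with many users complaining that has to be counted rather than read. The script below is an added example, not code from anyone in this thread: it parses SAS Metadata Server log lines in the quoted format, pairs each "rejected ... for unknown IWA user" warning with the AcceptSecurityContext error logged on the same thread just before it, and tallies rejections per node, peer IP and error code. The two log excerpts are constructed to mirror the format in the post (node names, hosts and IPs are placeholders); in practice each node's MetadataServer log would be read with Get-Content -Raw.

```powershell
# Added example; not code from anyone in this thread. Tallies "rejected ... for unknown IWA
# user" events per metadata node and peer IP from SAS Metadata Server log lines, pairing each
# rejection with the AcceptSecurityContext error logged on the same thread just before it.
# The excerpts below are constructed to match the format quoted in the post (node names,
# hosts and IPs are placeholders); read real logs with Get-Content -Raw instead.

$Logs = [ordered]@{
    VM1 = @'
2017-10-26T08:33:01,805 INFO [09550910] :sasinst@xxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T08:33:01,805 WARN [09550910] :sasinst@xxxxxxxx - New client connection (26274325) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.4.96]:63063 for APPNAME=SAS Enterprise Guide.
2017-10-26T08:33:01,805 INFO [09550910] :sasinst@xxxxxxxx - Client connection 26274325 closed.
2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T08:33:01,805 WARN [09418531] :sasinst@xxxxxxxx - New client connection (26273718) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.4.96]:63062 for APPNAME=SAS Enterprise Guide.
2017-10-26T11:37:06,621 INFO [09785027] :sasinst@xxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T11:37:06,621 WARN [09785027] :sasinst@xxxxxxxx - New client connection (26276397) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.2.22]:61955 for APPNAME=SAS Enterprise Guide.
'@
    VM2 = @'
2017-10-26T08:33:00,805 INFO [09550903] :sasinst@xxxxxxxx - Client connection 26275365 for user sasevs@saspw closed.
'@
}

$rejectPattern = '^(?<ts>\S+)\s+WARN\s+\[(?<thread>\d+)\].*?rejected from server port (?<port>\d+) for unknown IWA user\. Peer IP address and port are \[(?<ip>[^\]]+)\]:(?<peerPort>\d+) for APPNAME=(?<app>.+?)\.?$'
$errorPattern  = '^(?<ts>\S+)\s+INFO\s+\[(?<thread>\d+)\].*?AcceptSecurityContext\. Error (?<code>-?\d+)'

function Get-RejectedIwaConnections {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$LogsByNode)
    foreach ($node in $LogsByNode.Keys) {
        $lastError = @{}   # thread id -> most recent SSPI error code seen on that thread
        foreach ($line in ($LogsByNode[$node] -split "`r?`n")) {
            if ($line -match $errorPattern) {
                $lastError[$Matches.thread] = [int]$Matches.code
                continue
            }
            if ($line -match $rejectPattern) {
                $code = $lastError[$Matches.thread]
                # SAS logs the SSPI status as a negative Int32; X8 prints the usual HRESULT form
                $hex  = if ($null -ne $code) { '0x{0:X8}' -f $code } else { 'n/a' }
                [pscustomobject]@{
                    Node      = $node
                    Time      = $Matches.ts
                    PeerIp    = $Matches.ip -replace '^::ffff:', ''   # drop the IPv4-mapped prefix
                    App       = $Matches.app
                    SspiError = $hex
                }
            }
        }
    }
}

$rejects = @(Get-RejectedIwaConnections -LogsByNode $Logs)
$rejects | Group-Object Node, PeerIp, SspiError |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Node, PeerIp, SspiError'; e = { $_.Name } } |
    Format-Table -AutoSize
```

On the constructed input this reports two rejections from 10.200.4.96 and one from 10.200.2.22, all on VM1 with error 0x80090308, and nothing for VM2. That hex value is the decimal -2146893048 from the log, SEC_E_INVALID_TOKEN: this node could not decode the token the client presented. When the same clients succeed against the other cluster nodes, the difference is on the failing node's side (its SPNs and the account its metadata server service runs as), so comparing that node's configuration with VM2 and VM3 is the cheaper first check before treating it as a client or network problem.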
You have to pay attention to this message in your log:
2017-10-26T08:33:01,805 INFO [09418531] :sasinst@xxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
What could be the cause for this?
Most likely there was a problem with TCP communication, for example with the DNS server. Are you sure you have no messages such as this in the event viewer?
A socket operation was attempted to an unreachable host.
Hi Alex
Sorry if I was unclear - this WAS the log entry in the event viewer in Windows.
But it only happens on VM1 using IWA, not on VM2 or VM3.
The System Event Viewer shows:
The Security System has received an authentication request that could not be decoded. The request has failed.
At the same time a Log was recorded in SAS Metadata:
2017-10-26T11:37:00,385 INFO [09785175] 26273237:sasinst@xxxxxxxxxxxxxL - Client connection 26273237 for user XSSEXEC@xxxxxxxxxxxxxxxxx closed.
2017-10-26T11:37:06,621 INFO [09785027] :sasinst@xxxxxxxxxxxxxxxxxxxxx - Unexpected error in function AcceptSecurityContext. Error -2146893048 (The token supplied to the function is invalid ).
2017-10-26T11:37:06,621 WARN [09785027] :sasinst@xxxxxxxxxxxxxxxxxxxxx - New client connection (26276397) rejected from server port 8561 for unknown IWA user. Peer IP address and port are [::ffff:10.200.2.22]:61955 for APPNAME=SAS Enterprise Guide.
2017-10-26T11:37:06,621 INFO [09785027] :sasinst@xxxxxxxxxxxx - Client connection 26276397 closed.
The Security System has received an authentication request that could not be decoded. The request has failed.
I suggest contacting Microsoft Technical Support about this problem.