10-20-2017 11:58 AM
Wondering if anyone might know the answer to this question. We're setting up a new SAS server, we have a service account with "Login as batch job" permission setup for the connection to SASApp. Under User Manager I have multiple users and groups setup for access. My problem is, while the service account can be used to connect to SAS App and the user accounts can be used to make the initial connection to the server, the users don't want to have to enter in the credentials of the service account each time they open up SASApp. Other than using the SASApp account for both the initial connection, I can't think of any other way to cache those credentials (if that's even possible). Additionally, is there any way users who can connect to the server can use SASApp without having that "Logon as batch job" permission? We have a multitude of users who will be using this server (along with many who will be added on down the road), so the availability to request such a change through our security department is unlikely.
10-20-2017 02:56 PM
10-20-2017 01:22 PM
If I understand your question correctly...you are referring to the connection to SASApp when starting a Workspace server e.g. running code in Enterprise Guide.
You could add the service account's credentials under the Accounts tab for the SASUSERS group with an Authentication domain of DefaultAuth, assuming your SASApp - Workspace Server is also DefaultAuth. When a user opens the SASApp Workspace server, SAS will retrieve the credentials for the service account and forward to the Workspace server. This way, your users won't be prompted for any credentials unless the service account is not able to start a workspace server instance for whatever reason e.g. expired password
10-20-2017 02:09 PM
Hey nhvdwalt, that's correct, I'm attempting to the connection to SASApp when starting a workplace server. I followed your recommendation and added that service account onto the accounts section in SASUSERS, but I'm afraid its still prompting for credentials. Is there any restriction if even though I'm using defaultauth as the authentication domain (which matches the service account), I'm using the login as mydomain\serviceaccountID? (mydomain being my work domain that is).
10-20-2017 02:15 PM
10-20-2017 02:49 PM
1) Yes, entering the service account credentials allows the connection to succeed.
Security Package: Username / password
3) Here are the results from the object spawner log: (modified for confidentiality)
Service Account login (successful)
New client connection ($$$$) accepted from server port $$$$ for user Serviceaccount@DOMAIN
Encryption level is Credentials using encryption algorithm SASProprietary. Peer IP address and port are $$$$$$ for APPNAME=SAS Enterprise Guide.
2017-10-20T13:39:39,321 INFO  :serviceaccount@Domain - Created process 25388 using credentials serviceaccount@domain (child id 5).
2017-10-20T13:39:39,325 INFO  YSTEM@SERVERID - New out call client connection ($$$$) for launched server (child 5). Peer IP address and port are $$$$$$$.
2017-10-20T13:39:39,328 INFO  YSTEM@SERVERID - Launched process 25388 (child id 5) is now running as process 828.
User DOMAIN\$$$$ probably does not have the right to log on as a batch job.
Error authenticating user DOMAIN\$$$$ in function LogonUser. Error 1385 (Logon failure: the user has not been granted the requested logon type at this computer. ).
New client connection (3270) rejected from server port $$$$ for user DOMAIN\$$$$. Peer IP address and port are $$$$$ for APPNAME=SAS Enterprise Guide.
10-20-2017 02:56 PM
10-20-2017 03:15 PM
Sorry if this seems like a simple question, my experience with SAS is limited to say the least. I know how to change the authentication on the service account, but I'm not sure how you change the workspace's server authentication? I see you can choose to enable security and whether to use username/password or negotiate, but don't see anywhere where I can choose the authentication.
10-20-2017 03:25 PM
10-20-2017 04:18 PM
10-21-2017 06:24 PM
Of course, another way to always use a service identity to launch workspace servers is to switch the SAS Workspace Server over to SAS Token Authentication. The credentials used to spawn these servers then only need to be accessible to the SAS Trusted User identity (usually by adding them to the SAS General Servers group). For more info see the SAS Token Authentication and How to Configure SAS Token Authentication sections in the SAS® 9.4 Intelligence Platform: Security Administration Guide.
I would also suggest looking into the underlying problem/requirement that is sending you down this path of configuring a single service identity to launch the servers (and losing the option for using file system access controls based on the requesting user). It is completely understandable that users would not like being asked for credentials each time they connect to SASApp. When I have seen this outcome in the past it has sometimes been a sign of a non-optimal configuration, examples including non-aligned authentication domains for the cached credentials for the initial metadata connection and subsequent compute server connections, or Integrated Windows Authentication connections to the SAS metadata server without configuring IWA support for the workspace server. Of course sometimes, with things like mixed-authentication providers, SAS Token Authentication may become a more optimal configuration. @cjsummers - it would be interesting to know the background behind the requirement to use a single service identity for your SAS Workspace Servers. Having a better understanding of the environment and constraints can lead to more tailored advice and options.
10-24-2017 01:01 PM
Good afternoon Paul, thanks for the reply, I will definitely look into that and see if using another method would be possible. The biggest hang-up seems to be the group policy that controls the "Log on as a batch job" permission the users need to open SASApp. Otherwise, I would have put in a request to have the 30-40 users added for that permission (but for my company they need an elevated account to do so and at that point it becomes messy). But considering the restrictions on using a single point of entry, file access control limitations aren't going to work either, so I think we will have to pursue getting users that access (we have 5-6 groups that can't use each other's libraries / files).
10-25-2017 12:15 AM
It seems that if you use IWA then you don't need the "Log on as a Batch Job" privilege. See the Windows Privileges section of the SAS® 9.4 Intelligence Platform: Security Administration Guide.
... (users who authenticate by Integrated Windows authentication or SAS token authentication do not need this privilege)
... plus you get the benefit of single-sign-on and workspace server instances running as the requesting user so file system access controls become more relevant (to use in conjunction with metadata access controls).
However, you will most likely find you need to get your domain admins to make the compute tier machines "Trusted for Delegation" - at least that is a few machines compared to many users.
IWA can be a little tricky to configure but it's very nice when it's all running ok.
Need further help from the community? Please ask a new question.