12-17-2015 02:09 PM
I'm working with Kerberos and SAS on UNIX servers. There are three servers for SAS: metadata, compute, and middle tier.
One of the Kerberos components is the KDC, which has two other components:
the Authentication Server (AS) and the Ticket-Granting Server (TGS).
The AS has a connection to the user/service database to verify users.
My questions are:
- Should the KDC and user/service database be installed on a separate physical server or on the metadata server? Or what should be installed on the metadata server?
- Kerberos has many components; for which of them should a separate server (machine) be installed, and where?
I read a PDF file that was released by SAS, 2013, but couldn't find answers to my questions.
01-31-2016 06:01 PM
Kerberos always has to be configured wherever you want IWA authentication, which more generally is just the SAS Compute server, to enable users to authenticate against the AD when connecting with Enterprise Guide, interacting with the file system/shares, or even with the Web.
You can do it on the Metadata server, but I think it is more secure to leave just the SAS Authentication.
Now, if, besides IWA authentication, you want Single Sign-On/SPNEGO on the web applications, then you need to configure Web Authentication, then IWA/Kerberos on the web.
I am not sure if I could answer, at least partially, your question. Please let me know.