Rveerepalli
Fluorite | Level 6

Hi All,

 

I am using SAS on Windows (9.4 M6) and connecting to Hadoop. My Windows PC is on a different domain compared to Hadoop. I generated a Kerberos ticket and it works for the ODBC connection to Hadoop and also works in Java applications. My KRB5CCNAME environment variable resolves properly in SAS. However, when I run the libname statement in SAS, it tries to connect using my Windows realm ticket (rather than using the ticket for the Hadoop realm). Is there any configuration change that I am missing?

7 REPLIES 7
AnandVyas
Ammonite | Level 13
Where is krb5.conf file located in your environment?
When your SAS session is spawned using any client, how does it generate the krb ticket?
Rveerepalli
Fluorite | Level 6

Added the below two Java security settings to the SAS config file
-Djava.security.krb5.conf=C:\Hadoop\Kerberos\krb5.ini
-Djavax.security.auth.useSubjectCredsOnly=false

Also ticket is pre-generated at login by MIT Kerberos application
AnandVyas
Ammonite | Level 13
Can you run klist on the ticket generated and resolved for the KRB5CCNAME ENV variable to see if it's of the Hadoop realm or windows?
And when you say you have generated ticket and was able to make ODBC connection to Hadoop, that is using tools outside of SAS?
PrathmeshX
Fluorite | Level 6

 

Hello Rveerepalli,

 

So from your post I'm assuming you have completed the SSO implementation.

I'm new to SAS Administration and have recently completed a SAS 9.4 M6 installation on our internal Demo Server(Windows).

I've now been assigned the task of implementing Single Sign-On (SSO) using Integrated Windows Authentication (IWA) with Kerberos, following the guidance provided in the SAS documentation:

Support for Integrated Windows Authentication
https://documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1871e69gmwdr0n1o182krslc10p.htm

I've obtained the keytab file from our IT team. However, when testing the keytab using the kinit command to generate a Kerberos ticket, I encountered issues.

Here’s the command I ran:

 
kinit -V -k -t D:/keytab/12apr/saskeytab_WD.keytab -J-Djava.security.krb5.conf=E:\SASConfig\Lev1\Web\WebAppServer\SASServer1_1\conf\krb5.ini HTTP/otsisasnode.ex.com@EX.COM

 

 

I get the error - 

Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

 

Something related to the ticket encryption used is causing the problem.

Can you please give some pointers to resolve the issue so that at least I can generate the ticket using the keytab for a test run before moving on to further steps.

 

Content of file (krb5.ini):
[libdefaults]
default_realm = EX.COM
forwardable = true
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts


[realms]
EX.COM = {
kdc = dc16.ex.com
}

[domain_realm]
ex.com = EX.COM
.ex.com = EX.COM

gwootton
SAS Super FREQ
Remove the -V option from your kinit command, that option is not valid on Windows.
--
Greg Wootton | Principal Systems Technical Support Engineer
mkiran
Quartz | Level 8

It could be related to the Active Directory too. It's worth checking the below...

 

What account did you use to create the HTTP SPN? (Verify your SPN creation command; it should be something like "setspn -s HTTP/<servername> <DOMAIN>\<username>".)

Look for the username in AD and enable AES256 encryption under the account's Account/Options tab.

PrathmeshX
Fluorite | Level 6

Thanks for the suggestion.

The actual problem lay in the encryption option of the user in the AD server.

Enabled the encryption to AES256 and AES128, which is commonly used in ticket generation using the keytab file.

After these changes, I was able to generate the ticket with the new keytab file from the AD admin.
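The "Do not have keys of types listed in default_tkt_enctypes available" error above is a mismatch between the key types stored in the keytab and the enctypes the krb5.ini allows; the resolution in this thread was to enable AES on the AD account so the exported keytab carries AES keys. The script below is an added example, not code from the thread or from SAS: it parses an MIT-format keytab (version 0x0502) and the [libdefaults] enctype lists of a krb5.ini, and reports whether `kinit -k -t` has any usable key for the principal. The krb5.ini text and the SPN are taken from the post above; the two keytabs are constructed in the script with dummy key bytes (an RC4-only keytab standing in for an account without AES enabled, and one with AES keys added), which is an assumed scenario rather than the poster's real files.

```python
"""Cross-check the key types in a keytab against the enctypes a krb5.ini allows.

Constructed example (not SAS or thread code): reproduces the mismatch behind
"Do not have keys of types listed in default_tkt_enctypes available".
"""
import struct
from io import BytesIO

# RFC 3961/3962 enctype numbers and the aliases MIT krb5 accepts in krb5.conf.
ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
ENCTYPE_ALIASES = {
    "aes256-cts": 18, "aes256-sha1": 18, "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts": 17, "aes128-sha1": 17, "aes128-cts-hmac-sha1-96": 17,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23, "des-cbc-md5": 3,
}


def parse_keytab(data: bytes):
    """Parse an MIT keytab (format 0x0502); return [(principal, kvno, enctype), ...]."""
    buf = BytesIO(data)
    if buf.read(2) != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries = []
    while True:
        raw = buf.read(4)
        if len(raw) < 4:
            break
        (size,) = struct.unpack(">i", raw)
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot: skip it
            buf.read(-size)
            continue
        entry = BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", entry.read(2))

        def counted_string():             # uint16 length followed by that many bytes
            (n,) = struct.unpack(">H", entry.read(2))
            return entry.read(n).decode()

        realm = counted_string()          # realm precedes the name components
        comps = [counted_string() for _ in range(ncomp)]
        entry.read(4)                     # name_type (present in 0x0502)
        entry.read(4)                     # timestamp
        (vno8,) = struct.unpack(">B", entry.read(1))
        enctype, keylen = struct.unpack(">HH", entry.read(4))
        entry.read(keylen)                # key material: not needed for this check
        tail = entry.read(4)              # optional 32-bit kvno, used when nonzero
        full = struct.unpack(">I", tail)[0] if len(tail) == 4 else 0
        entries.append(("/".join(comps) + "@" + realm, full or vno8, enctype))
    return entries


def libdefaults_enctypes(krb5_conf: str, key: str = "default_tkt_enctypes"):
    """Return the enctype numbers listed for `key` in [libdefaults], or None if unset."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "libdefaults" and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            if k == key:
                try:
                    return [ENCTYPE_ALIASES[n.lower()] for n in v.split()]
                except KeyError as exc:
                    raise ValueError(f"unknown enctype name in {key}: {exc}") from None
    return None


def check_keytab_against_conf(keytab: bytes, krb5_conf: str, principal: str):
    """Return (ok, enctypes_in_keytab, enctypes_allowed) for `principal`.

    ok is False when default_tkt_enctypes excludes every key the keytab holds,
    which is exactly when the Java kinit raises the error quoted in the thread."""
    have = {e for p, _, e in parse_keytab(keytab) if p == principal}
    allowed = libdefaults_enctypes(krb5_conf)
    if allowed is None:
        return bool(have), have, None     # no restriction: any stored key is usable
    return bool(have & set(allowed)), have, set(allowed)


def build_keytab(principal: str, keys: dict) -> bytes:
    """Construct a minimal 0x0502 keytab with one entry per {enctype: key bytes}."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = b"\x05\x02"
    for enctype, key in keys.items():
        body = struct.pack(">H", len(comps))
        for s in [realm, *comps]:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, 1)   # NT-PRINCIPAL, timestamp 0, vno8 = 1
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out


# krb5.ini content and SPN as posted in the thread; keytabs are constructed with dummy keys.
KRB5_INI = """[libdefaults]
default_realm = EX.COM
forwardable = true
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts

[realms]
EX.COM = {
kdc = dc16.ex.com
}
"""
SPN = "HTTP/otsisasnode.ex.com@EX.COM"
RC4_ONLY = build_keytab(SPN, {23: bytes(16)})                       # assumed: AD account without AES
WITH_AES = build_keytab(SPN, {23: bytes(16), 17: bytes(16), 18: bytes(32)})

if __name__ == "__main__":
    for label, kt in (("rc4-only keytab", RC4_ONLY), ("keytab with AES", WITH_AES)):
        ok, have, allowed = check_keytab_against_conf(kt, KRB5_INI, SPN)
        print(f"{label}: keytab has {[ENCTYPE_NAMES[e] for e in sorted(have)]}, "
              f"krb5.ini allows {[ENCTYPE_NAMES[e] for e in sorted(allowed)]} -> "
              f"{'kinit can use it' if ok else 'no usable key (kinit will fail)'}")
```

Running it shows the RC4-only keytab has no key type that the posted krb5.ini permits, while the keytab exported after AES was enabled on the account does. On a real deployment point `parse_keytab` at the keytab file's bytes and `libdefaults_enctypes` at the krb5.ini you pass in `-Djava.security.krb5.conf`; the same check also explains a failure that persists after a keytab is regenerated, when the new file still lacks the listed enctypes.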
