Hello,
I am working on setting up SSO/IWA for SAS web clients like Studio and need some guidance. I have already worked on setting up IWA for SAS desktop clients successfully, so I am assuming the steps are going to be similar. I have a couple of questions.
1) Can I have 2 different keytab files - one for desktop and one for web clients? Or should I alter the keytab of the desktop clients to add the web one?
2) I did set up a separate one, and as per the SAS documentation, here is the command to verify the keytab file. It doesn't work for me :-(
kinit -k -t keytab-filename-and-path.keytab user-principal-name -J-Djava.security.krb5.conf= path-to-Kerberos-file.conf
And I am getting this error:
kinit: invalid option -- 'J'
kinit: invalid option -- '-'
kinit: invalid option -- 'D'
kinit: invalid option -- 'j'
kinit: invalid option -- '.'
Bad start time value ecurity.krb5.conf=/etc/krb5.conf
keytab specified, forcing -k
Extra arguments (starting with "src_sasprodkrb@Healthcore.local").
Usage: kinit [-V] [-l lifetime] [-s start_time]
[-r renewable_life] [-f | -F | --forwardable | --noforwardable]
[-p | -P | --proxiable | --noproxiable]
-n [-a | -A | --addresses | --noaddresses]
[--request-pac | --no-request-pac]
[-C | --canonicalize]
[-E | --enterprise]
[-v] [-R] [-k [-i|-t keytab_file]] [-c cachename]
[-S service_name] [-T ticket_armor_cache]
[-X <attribute>[=<value>]] [principal]
options:
-V verbose
-l lifetime
-s start time
-r renewable lifetime
-f forwardable
-F not forwardable
-p proxiable
-P not proxiable
-n anonymous
-a include addresses
-A do not include addresses
-v validate
-R renew
-C canonicalize
-E client is enterprise principal name
-k use keytab
-i use default client keytab (with -k)
-t filename of keytab to use
-c Kerberos 5 cache name
-S service
-T armor credential cache
-X <attribute>[=<value>]
How do I validate if the generated keytab file is working fine and generating a ticket?
Thanks for all the help!!
@RupaJ ,
Can I have 2 different keytab files - one for desktop and one for web clients?
Yes.
kinit -k -t keytab-filename-and-path.keytab user-principal-name -J-Djava.security.krb5.conf= path-to-Kerberos-file.conf
That is an incorrect command. Here is an example:
kinit -kt /path/to/keytab/file.keytab SAS/my.server.com@MYREALM.COM
@alexal - Thanks for the response. So "SAS/my.server.com@MYREALM" is the principal name in the keytab, right?
kinit -kt /path/to/keytab/file.keytab SAS/my.server.com@MYREALM.COM
The one I created looks like "HTTP/meta.abc.local@ABC.LOCAL". It says "kinit: Client 'HTTP/meta.abc.local@ABC.LOCAL' not found in Kerberos database while getting initial credentials"
@RupaJ ,
The SAS/ SPN is intended for IWA/GSSAPI authentication with applications such as SAS Enterprise Guide and SAS Management Console. The HTTP/ SPN is intended for IWA/GSSAPI authentication of web clients. I'm not sure what you have in the keytab file, but you can list all SPNs using the command shown below:
klist -kt /path/to/keytab/file.keytab
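The two commands above (klist -kt to see what is in the keytab, kinit -kt to prove a principal can actually get a ticket) are the whole validation procedure RupaJ asked for. The script below is an added example, not code from the thread or from SAS: it walks every principal in a keytab, requests a TGT for each into a throwaway credential cache (so the caller's own tickets are not overwritten), destroys it afterwards, and maps the two kinit errors seen in this thread to the thing worth checking next. It assumes MIT Kerberos tools (klist, kinit, kdestroy), which is the kinit whose usage text appears in the first post; the -J-D... syntax in the SAS documentation belongs to the kinit shipped inside a Java runtime, which is why the MIT kinit rejects it as unknown options. The parsing rule (principal is the first field containing '@' on a line that starts with a numeric KVNO) and the error-to-hint mapping are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: validate every principal in a keytab
# by obtaining a TGT for it into a private credential cache, then discard
# the cache. Assumes MIT Kerberos command-line tools (klist, kinit, kdestroy).

# Print the unique principal names from `klist -kt` output read on stdin,
# in first-seen order. Entry lines start with a numeric KVNO; the principal
# is the first field containing the realm separator '@'. Works with or
# without the enctype column that `-e` adds.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { p = ""
        for (i = 2; i <= NF; i++) if ($i ~ /@/) { p = $i; break }
        if (p != "" && !seen[p]++) print p }'
}

# Map a kinit error line to the component worth checking next (assumed
# mapping for this example; these are the standard meanings of the errors).
explain_kinit_error() {
    case $1 in
        *"not found in Kerberos database"*)
            echo "the KDC has no client principal with this exact name in this realm (check the SPN spelling and the realm)" ;;
        *"Preauthentication failed"*)
            echo "the principal exists but the key in the keytab does not match the KDC's key (password, KVNO or encryption type used when the keytab was written)" ;;
        *"Clock skew too great"*)
            echo "the host clock is too far from the KDC's clock" ;;
        *)
            echo "unclassified kinit error: $1" ;;
    esac
}

# Try to obtain a TGT for one principal from the keytab into a private cache.
# Returns kinit's exit status; prints OK or FAIL plus the explanation.
check_principal() {
    keytab=$1; princ=$2
    cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_check.XXXXXX")
    if err=$(KRB5CCNAME="FILE:$cache" kinit -kt "$keytab" "$princ" 2>&1); then
        rc=0
        echo "OK   $princ"
        KRB5CCNAME="FILE:$cache" klist      # show the ticket actually issued
        KRB5CCNAME="FILE:$cache" kdestroy
    else
        rc=$?
        echo "FAIL $princ: $err"
        echo "     -> $(explain_kinit_error "$err")"
    fi
    rm -f "$cache"
    return "$rc"
}

# Walk the keytab; exit status is non-zero if any principal failed.
verify_keytab() {
    keytab=$1; failed=0
    for princ in $(klist -kt "$keytab" | keytab_principals); do
        check_principal "$keytab" "$princ" || failed=1
    done
    return "$failed"
}

# Usage: sh verify_keytab.sh /path/to/file.keytab
if [ -n "${1-}" ]; then verify_keytab "$1"; fi
```

Run it as the OS account that will own the keytab on the SAS server, so file permissions are exercised as well; a keytab that passes here but fails under the service account usually has a mode or ownership problem rather than a Kerberos one.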
Hi @alexal - I did set up the keytab file with the HTTP/ SPN for the web clients. Here are the contents of the keytab file as is.
Keytab name: FILE:SASWeb.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 11/12/2019 10:44:17 HTTP/sastestmd.core.local@CORE.LOCAL (arcfour-hmac)
1 11/12/2019 10:44:17 HTTP/sastestmd@CORE.LOCAL (arcfour-hmac)
And the errors that I am getting while trying to authenticate...
kinit -kt SASWeb.keytab HTTP/sastestmd.core.local@CORE.LOCAL
kinit: Preauthentication failed while getting initial credentials
kinit -kt SASWeb.keytab HTTP/sastestmd@CORE.LOCAL
kinit: Client 'HTTP/sastestmd@CORE.LOCAL' not found in Kerberos database while getting initial credentials
Thanks
@RupaJ ,
kinit: Preauthentication failed while getting initial credentials
Have you had a chance to speak with your Linux/Active Directory administrators about the error shown above?
@alexal - I have a question before that. My AD admin has the same question: how does the keytab file know which account it needs to look for, since I only provide the password of the account when generating the keytab file?
Here is how I generated the keytab file, btw.
[an118000ad@sastestmd ~]$ ktutil
ktutil: addent -password -p HTTP/sastestmd.core.local -k 1 -e arcfour-hmac
Password for HTTP/sastestmd.core.local@CORE.LOCAL:
ktutil: addent -password -p HTTP/sastestmd -k 1 -e arcfour-hmac
Password for HTTP/sastestmd@CORE.LOCAL:
ktutil: wkt /home/an118000ad/SASWeb.keytab
ktutil: read_kt /home/an118000ad/SASWeb.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 1 HTTP/sastestmd.core.local@CORE.LOCAL
2 1 HTTP/sastestmd@CORE.LOCAL
3 1 HTTP/sastestmd.core.local@CORE.LOCAL
4 1 HTTP/sastestmd@CORE.LOCAL
ktutil: quit
Now the SPN is definitely created with that account.
setspn -L src_sastestkrb
Registered ServicePrincipalNames for CN=src_sastestkrb,OU=Service_Accounts,DC=core,DC=local:
HTTP/sastestmd.core.local
HTTP/sastestmd
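The ktutil session above fixes two things a practitioner would want to check before involving the AD administrator: every entry was written with "-k 1", so the keytab claims key version 1 regardless of what the account's current key version is, and every key is arcfour-hmac (RC4). The script below is an added example, not code from the thread or from SAS: it reads "klist -kte" output and reports RC4 keys, principals that have no AES key at all, and entries whose KVNO differs from an expected value you pass in (for an AD account that value is the account's msDS-KeyVersionNumber). The parsing and the audit rules are this example's assumptions; the expected KVNO is an input, not something the script looks up.

```shell
#!/bin/sh
# Added example, not from the thread: an offline audit of a keytab's
# contents. Input is `klist -kte` output (KVNO, timestamp, principal,
# enctype in parentheses). The rules below are assumptions for this example.

# Print "kvno principal enctype" triples from `klist -kte` output on stdin.
# Entry lines start with a numeric KVNO; the principal is the first field
# containing '@' and the enctype is the field right after it.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ { p = ""; e = ""
        for (i = 2; i <= NF; i++) if ($i ~ /@/) { p = $i; e = $(i + 1); break }
        gsub(/[()]/, "", e)
        if (p != "") print $1, p, e }'
}

# Audit the triples read on stdin against the expected KVNO given as $1.
# Prints one finding per line; exit status 1 if any finding was raised.
audit_entries() {
    awk -v want="$1" '
        {
            kvno = $1; p = $2; e = $3
            if (kvno != want) { print "KVNO " kvno " for " p " (expected " want ")"; bad = 1 }
            if (e ~ /arcfour|rc4/) { print "RC4 key for " p " (" e "); prefer AES"; bad = 1 }
            if (e ~ /aes/) aes[p] = 1
            seen[p] = 1
        }
        END {
            for (p in seen) if (!(p in aes)) { print "no AES key for " p; bad = 1 }
            exit bad + 0
        }'
}

# Usage: sh audit_keytab.sh /path/to/file.keytab EXPECTED_KVNO
if [ -n "${1-}" ]; then
    klist -kte "$1" | keytab_entries | audit_entries "${2:-1}"
fi
```

A clean result only means the keytab is internally consistent with what you expect; whether the AD account actually holds AES keys depends on the account's encryption-type settings, and that is the question to bring to the AD administrator together with the audit output.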
@RupaJ ,
So how does the keytab file know which account it needs to look for
I'm not sure I understood your question, but usually SPNs are associated with specific objects in AD, such as users.