BookmarkSubscribeRSS Feed
☑ This topic is solved. Need further help from the community? Please sign in and ask a new question.
PriitL
Obsidian | Level 7

Hi!

 

Trying to set up an Integrated Windows Authentication. The environment has three linux servers: Mid-tier/Metadata, SASApp and SASApp_VA (9.4_M6).

I have set up AD (Win srv 2019) and PAM authentication (sssd, Kerberos) for AD users at Linux servers.

 

I have followed the instructions from https://platformadmin.com/blogs/paul/2015/02/sas-mid-tier-linux-iwa-fallback-config-notes/https://support.sas.com/resources/papers/proceedings16/SAS3443-2016.pdf pluss several other community posts and documents. The goal is to use IWA with VisualAnalytics with fallback. But as it is a but tricky, it would be logical to go step by step, it means at first SMC and EG, later web (plus ABM/CPM we have).

 

With regular login procedure everything works fine. Then, created keytab files for servers and added SPN for the User accounts meant for the IWA service, modified the level_env_usermods.sh files.

Logging in to SMC and EG with IWA looks promising. Even browsing Servers from EG and running simple commands (proc setinit;). SMC looks also fine but when trying to validate Server Manager -> SASApp (or SASApp_VA) -> SASApp - Logical Workspace Server if doesn't do anything. When clicking with right mouse button, the cursor goes to waiting circle and no menu appears. So it doesn't validate the Workspace Server. I have tried to debug Workspace Server, Object Spawner and Metadata (logconfig.trace.xml) but nothing special shows up.

 

When using profile with manually entered credentials, it asks for credentials for validation:

PriitL_0-1650460961391.png

 

So we have two issues.

1) Is it possible to set up a fallback for SMC when IWA is broken (this means, when I have logged in to SMC, it can validate Workspace Server with current non-IWA credentials) and

2) why it doesn't validate the Workspace Server when using IWA.

 

Concentrating to the 2nd issue, it looks like I haven't configured the Workspace Server correctly for IWA but I can't find anything I missed.

  • AD / PAM / krb (default_ccache_name = FILE:/tmp/krb5cc_%{uid}) / SPN - check
  • keytab files created - check
  • level_env_usermods.sh - check (after this step IWA for MSC and EG works)
  • Server Manager -> SASApp -> SASApp - Logical Workspace Server -> (properties) -> Options tab -> Authentication service (-> host) and Security package (-> Kerberos) has selected - check

PriitL_1-1650461973072.png

 

According to https://communities.sas.com/t5/SAS-Communities-Library/How-to-generate-a-Kerberos-ticket-when-you-lo... the Workspace Server should know the user's kerberos ticket file. So the 5th step is also done. Also %put KRB5CCNAME: %sysget(KRB5CCNAME); shows keytab file and looks good. Step 2 was default at my environment (PAM_SETCREDENTIALS=TRUE) but it also didn't change anything (is it necessary?).

 

What else? What I'm missing? I'd appreciate much any hint.

I'm afraid there's no point to move on with web IWA until validating the Workspace Server is works fine.

 

 

Thanks!

 

Priit L

1 ACCEPTED SOLUTION

Accepted Solutions
PriitL
Obsidian | Level 7

To update the topic, a few lines about the "solution".

I have had months of correspondence with the support. The conclusion is that the validation shouldn't work and there shouldn't be need to log in to MC with IWA at all. I personally think that logging to MC with IWA is just one of tests for the correct setup and regular usage is to log in with user/passwd credentials.

 

If it doesn't Validate, everything still should work fine (EG and other client side interfaces).

If there's really need to Validate, contact support again.

View solution in original post

4 REPLIES 4
gwootton
SAS Super FREQ
The documentation for IWA can be found here, from your comments I'm not sure you used this.

How to Configure Integrated Windows Authentication
https://go.documentation.sas.com/doc/en/bicdc/9.4/bisecag/n1d1zo1jsf2o0en1ehu4c4simfky.htm

and here for the middle tier:

Support for Integrated Windows Authentication
https://go.documentation.sas.com/doc/en/bicdc/9.4/bimtag/p1871e69gmwdr0n1o182krslc10p.htm

Based on your description it sounds like authentication to the Metadata server via IWA is functional, but not to the Object Spawner (which launches the workspace server).

Troubleshooting IWA is fairly in-depth, you may wish to engage technical support.
--
Greg Wootton | Principal Systems Technical Support Engineer
PriitL
Obsidian | Level 7

To update the topic, a few lines about the "solution".

I have had months of correspondence with the support. The conclusion is that the validation shouldn't work and there shouldn't be need to log in to MC with IWA at all. I personally think that logging to MC with IWA is just one of tests for the correct setup and regular usage is to log in with user/passwd credentials.

 

If it doesn't Validate, everything still should work fine (EG and other client side interfaces).

If there's really need to Validate, contact support again.

SASKiwi
PROC Star

@PriitL  - Your post answer surprises me. I've always connected to SMC using IWA and never had any problem doing Workspace Server validations or any other server validations. But as you say, doing validations isn't something you do a lot and there are other ways of checking the health of your SAS installation like checking that all SAS server services are running and there are no red traffic lights in Environment Manager.

PriitL
Obsidian | Level 7

I agree. If IWA mechanism is for MC, I'd expect full functionality (incl Validation). But that's what they said. ¯\_(ツ)_/¯
We did a Teams meeting and turned on debug log for Workspace Server but didn't see any lines about failed/success authentication when Validating while MC with IWA. Note that "browsing" SASApp and SASApp_VA server's folder tree was OK, so this means that the IWA worked with Metadata (logging in to EG) and also for Workspace server (browsing folders from EG).

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • 2608 views
  • 3 likes
  • 3 in conversation