01-17-2018 01:10 PM
I'm pretty new to SAS 9.4 administration and need a hint for user configuration.
The user authentication should work via Active Directory. I changed the settings in sasv9_usermods.cfg
as described in the documentation (SAS 9.4 Intelligence Platform: Security Administration Guide, Third Edition).
After that I added a user with the SAS Management Console.
If I now use the newly configured user for the SAS Studio logon, the logon page accepts the AD password
but presents a further logon dialog for the SASApp server.
How do I have to change the user configuration so that the AD user will be accepted by SASApp?
Many thanks for your help.
01-17-2018 06:07 PM
Whilst it is possible to configure the SAS Metadata Server to authenticate users directly against AD/LDAP, it is not the most common approach. Normally the metadata server is left in its default configuration which passes authentication requests to the host operating system which then authenticates them against its own authentication provider (often AD, so that the metadata server is indirectly authenticating against AD). The approach you have taken, in configuring for direct AD/LDAP authentication, is normally only done when the metadata server needs to authenticate against a different server than the host operating system (e.g. a dedicated LDAP instance of external users where AD might be for internal users).
For the SASApp server, and the encompassed workspace server, it is the SAS Object Spawner that handles authentication to start a workspace server for the users on request (most commonly). The object spawner does host authentication and cannot be configured for direct AD/LDAP like the SAS metadata server can (because it may have to launch processes on the server as the requesting user). This is probably why you are seeing those prompts. In the most common scenarios, where the SAS Metadata Server and Object Spawner are both doing host authentication (usually backed by the same AD environment), the credentials used to authenticate to the metadata server are cached by the client and offered to the object spawner and, assuming no mis-configuration, the user gains access to a workspace server without being prompted for additional credentials.
If the direct AD/LDAP configuration for the metadata server is deliberate and correct, then you have the option of re-configuring the workspace server to support SAS Token Authentication. With token authentication the metadata server is used as a trusted authority and a service account is used to launch workspace server instances (given the user either has no account of their own on the workspace server machine, or no credentials are available for host authentication). Be aware there are some potential downsides to SAS Token Authentication (which are covered in the docs).
All of this is covered in the SAS documentation, but as a large flexible enterprise platform there is a lot of it, and it can take a while to read it all or find the bits you need. As a new SAS Administrator, I would thoroughly recommend you take the SAS Platform Administration Fast Track course, as it teaches these concepts. I would also recommend reading through the SAS Administration documentation.
01-18-2018 07:42 AM