MaxReis86
Calcite | Level 5

Hi dear All,

I am using SAS Enterprise Guide version: 4.1 on SAS System version: 9.1.3 and Windows 2003 Server Version: 5.2.0.3790 Service pack: Service Pack 2 and I would like to avoid "Credentials Required" popup screen every time I open SAS EG.

When I log into the client as one of the users and open Enterprise Guide, I select a profile that connects to the metadata server using Integrated Windows Authentication. This connects me to the server ok, but when I expand one of the metadata servers, I receive the SAS: SASApp "Credentials Required" popup screen.


I have tried to include the line SASSEC_LOCAL_PW_SAVE="Y" in the file omaconfig.xml, but it didn't work.


The users are using Integrated Windows Authentication.


I would appreciate any help!

Many Thanks!!

Accepted Solutions
MaxReis86
Calcite | Level 5

Thank You SASKiwi, Jaap and Unkie@SAS!!

I have finally fixed the problem with your help.

I verified that in the User Manager (Management Console), in "Logins" option of the user properties there was no domain\userid defined to each user.

I have defined the domain\userid without password and tried to open SAS EG again. The popup screen with Credential was required once, but second time onwards no more Popup Screen.

Now it seems to be such a basic problem, but I had almost given up.

Many Thanks Guys!!!


REPLIES
SASKiwi
PROC Star

In SAS Management Console in the Server Manager Plugin - select SASApp - expand - select SASApp Logical Workspace Server - right click - select properties - check Host Security Options.

If set to Username/Password try changing it to Negotiate. I am basing this on 9.3 so I'm not sure if this is possible in 9.1.3.

jakarman
Barite | Level 11

It helps to understand what is happening instead of reacting to some symptoms.

Using Eguide with a workspace server (SAS) has the following steps:

1/ Eguide is trying to set up a connection to the metadataserver

By this the metadata-server will run an identification / authentication phase, commonly based on user-password. Host authentication is using the features that already are present on the OS level.

As different host-types are probably in use (Unix/Windows) IWA is an attempt to coordinate those environments. In more professional IT managed areas this is out of the "influence area" of SAS although it is an interest area.

With Web-based (web browsers) you can try to integrate the WEB security to the SAS security and then IWA. You are probably missing a lot of things with that. The shellshock is a good example.

When the connection to the metadataserver is successful a valid session is setup.

At this moment the Password for the metadata-server connection may be saved in the EG-profile dataset in your Windows environment.

That is the one you could control with SASSEC_LOCAL_PW_SAVE="Y". I believe it has been implemented with 9.2. As it is saved in the Windows environment in a file, security reviewers have found that and classified it as an unacceptable risk that should be repaired.

When:

- it would be there in an encoded way (just preventing accidental reading) and

- the argumentation would be that the Windows environment is supposed to be well secured so no additional risk is introduced. and

- this is documented in a security letter by SAS.  

It would be a non issue. SAS Cary / architects failed on this (my opinion).

The next step is starting a Workspaceserver (a Stored process is different). What then is going on is that the object-spawner will start an OS task as a session.

That one can use the same key/user and password as the one for the metadataserver but it does not need to be that way. It can use any other key/user. The sasauth module is running at root-level (localserver) to switch to a new user-context and needing a key and password for that. It is the same level as runas/sudo usage. It will ask and get that information somewhere, if failing presenting a pop-up. It is not using the information from the metadataserver connection.

After you made once a connection the key and password is saved in the SAS-metadata. I have seen some things in the login table there.

It is encoded there, not yet been found by security reviewers. That encoding is breakable, not trustworthy. The only questions they are asking is where in the SMC the password is saved (sigh).

When:

- the argumentation would be that the OS environment for the metadata is supposed to be well secured so no additional risk is introduced. and

- Technical Support staff have other ways to access the possible sensitive data in sas-datasets. Auditing and monitoring on that should be in place (SIEM)

- the login table of the sas .metadatatable is possibly as sensitive as the password-shadowfile of the OS. Remember all those data breaches bashing companies leaking this.

- this is documented in a security letter by SAS.

It would be a non issue. SAS Cary / architects failed on this (my opinion).

Now your issue.

When the EG project gets run and the OS password for the workspaceserver gets out of sync, it will present you a pop-up screen.

After that you can work. But in this stage the storing/updating of the login in the metadatatable login dataset is failing (not possible?). It will present you the pop-up over and over again.

When you open the appserver with Eguide as first action, it is able to do that update, storing the new password in the metadatatable and reusing that the next times.

My advice as a good habit: always verify regularly that you can open the appserver, not running the code/project immediately.

---->-- ja karman --<-----
Unkie_SAS
SAS Employee

Have a read of SAS(R) 9.2 Intelligence Platform: Security Administration Guide to check whether you have IWA correctly configured.

I saw that you are running 9.1.3, but documentation for IWA for that version is less easy to come by. Personally, I would be looking at upgrading any - both Windows 2003 and SAS 9.1.3 were released over 10 years ago.

The omaconfig option only relates to saving of credentials for inbound connections (connections to the metadata server) - so doesn't apply to your situation, as you are not entering credentials for the metadata server host but relying on a windows token.

Next, the host on which your SASApp workspace server is running should be in the same authdomain as the metadata server (defaultauth). Then do the checks suggested by SASKiwi.

If you are still being prompted, check your Object Spawner log file for some clues.

Jaap highlights some interesting points for a generalised world but much is not relevant to you - configuring trusted web authentication doesn't help with Enterprise Guide and the sasauth module doesn't exist on Windows.

What you are attempting is a good practice, as it removes any dependency on passwords stored within metadata (and any perceived vulnerability this might bring), instead using Windows' ability to pass Kerberos tokens around between machines.

jakarman
Barite | Level 11

Well Unkie@SAS, the things you are classifying as interesting are real life experiences. With 9.1.3 in a bigger organization (that case more busy on the Unix like ones).

I know the sasauth module does not exist in the same way there under Windows but the same logic for user-context switching does. Also real life experience converting a Windows server environment. Indeed the Kerberos approach is better but as the access to directory service (and more) is a politically difficult one you quickly end up in more problems. This will arise certainly when the SAS installation is department oriented (not enterprise) with the intention avoiding the common business IT department involvement.

The users are getting/needing a dedicated setting within the AD domain: SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition     
The object spawner windows details: SAS(R) 9.4 Intelligence Platform: Application Server Administration Guide - SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition

- SAS(R) 9.4 Intelligence Platform: Installation and Configuration Guide the for Unix common indicated sassrv account can be the local system account at windows. When that is not allowed and needing a dedicated account it is needing that "trusted for delegation"

For Kerberos getting functional working there is need for Windows policy changes: SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition

These are settings for 9.4 and those requirements are requiring cooperation with the maintainers of the often closed desktop managed by other service providers.
At least there is a dedicated JPRE with 9.4. JAVA has become seen as a possible security failure often to be changed/updated.

With 9.1.3 it was by default the same java version as in use by the webbrowser. With that connection causing a lot of unnecessary political trouble.         

The issues mentioned as political in a big professional environment are real life experiences. 

---->-- ja karman --<-----