BookmarkSubscribeRSS Feed

How to generate a Kerberos ticket when you log in to SAS Studio or SAS Enterprise Guide?

Started ‎09-10-2019 by
Modified ‎09-10-2019 by
Views 11,262

Question

Today I’m going to describe how to configure SAS to generate a Kerberos ticket when you log in to SAS Studio or SAS Enterprise Guide. Very often I see questions about that, also many people state that when they log in to the server directly and invoke Base SAS from a command line, they can utilize a Kerberos authentication, but not in SAS Studio or SAS Enterprise Guide. What is going on? How to fix it?

Answer

First of all, let’s talk about how authentication works in SAS. SAS has a few authentication methods:

 

  • Internal authentication mechanisms. The internal mechanisms are SAS internal authentication and SAS token authentication.
  • External authentication mechanisms. External mechanisms include direct LDAP authentication, host authentication (credential-based), Integrated Windows authentication, and web authentication.
  • Credential management provides single sign-on through reuse of cached credentials or retrieval of stored passwords.
  • Pluggable authentication modules (PAM) extend UNIX host authentication.

All of these authentication methods are described in SAS® 9.4 Intelligence Platform: Security Administration Guide, Third Edition -> Introduction to Auth.... We are going to focus only on Pluggable authentication modules (PAM), which extends UNIX host authentication.

 

By default, if you didn’t select PAM authentication during initial deployment, SAS will use host authentication, which means sasauth module will make authentication calls to the OS.

 

A Kerberos authentication in SAS can be utilized either through PAM and/or IWA/GSSAPI. In our case, we will be configuring only PAM.

 

1. I assume that you have already configured Kerberos authentication on your system, either through SSSD or something else. So the first step would be enabling PAM authentication in SAS. The process of enabling PAM in SAS is described in a SAS note below:

 

SAS Installation Note 49432: Configuring PAM on Linux to authenticate through SAS® against Active Di...

 

2. Next, make sure that this line is uncommented in /SASHome/SASFoundation/9.4/utilities/bin/sasauth.conf:

 

 

PAM_SETCREDENTIALS=TRUE

 

 

Without this setting, sasauth module won’t call pam_setcred, which is responsible for a Kerberos ticket creation.

 

3. Restart the object spawner

 

 

/SASConfig/Lev/ObjectSpawner/ObjectSpawner.sh restart

 

4. After that everytime the user authenticates is SAS, a Kerberos ticket should be created on the system. Please note that you have to use file-based tickets in your Kerberos configuration. SAS doesn’t support tickets from a keyring.

 

5. The last step will be the workspace server configuration, you have to let the workspace server know which ticket it has to use. You can do that through a custom script added to the WorkspaceServer_usermods.sh.

 

If you are using Linux:

 

 

workspace_user=$(whoami)
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user ${workspace_user} -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)

if test ! -z "$workspace_user_ccaches"; then
            echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
            echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
            export KRB5CCNAME=$workspace_user_ccaches
            echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
            echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi

 

Please note if you are using Centrify, file name pattern for a Kerberos ticket might not start with krb5cc. In some cases, and of course depends on your configuration a file name might start with tkt. If that applies to you, you have to adjust -name option in the script above.

 

If you are using AIX:

 

 

workspace_user=$(whoami)
workspace_user_ccaches=$(find /var/krb5/security/creds/* ! -name . -prune -type f -name "krb*" -user $(whoami) | sort -k 1nr | head -1)
if [ ! -z "${workspace_user_ccaches}" ]
  then  echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
        case "${OS}" in
          AIX)  istat ${workspace_user_ccaches} | grep '^Last modified'
                ;;
          *)    echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
                ;;
        esac
        export KRB5CCNAME=${workspace_user_ccaches}
        echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
  else  echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi

 

6. Relogin to SAS Studio or SAS Enterprise Guide and make sure that environment variable with name KRB5CCNAME has been set:

 

 

%put KRB5CCNAME: %sysget(KRB5CCNAME);

 

As I said above, you can also utilize Kerberos authentication through IWA/GSSAPI, but that will be a subject for another post.

 

Comments

This is great - I've seen the material of this article come up in multiple places when searching the web, we've followed the instructions here, we use Quest One Identity on RHEL6.1 and we're still unable to create krb5_* files in /tmp when logging into EG. I'm not sure if it has to do with the hand-off between pam-vas3 and pam-setcred. Note: the krb5_* files show up in /tmp when we ssh into the server directly.

 

Thoughts?

 

Thanks

Jay

@JayKyleFCC ,

 

I'm glad you found that article useful. I did configure SAS along with Quest multiple times, so let me open a track for you and schedule a call to verify your settings. I will send you a message today.

 

Alex

That would be great!..Thanks
Jay

@JayKyleFCC ,

 

I've sent you a message.

Thank you for this article.  I've never used SAS, I inherited a project, of course.

 

I  am able to create the krb5 token/ticket logging in through the web page console.  Put in the expected /tmp.

 

The WorkspaceServer_usermods.sh run successfully.

 

If I ssh into the server and run sqlplus /@aippdev  (the name in tnsnames.ora) I connect without issue.

 

My Issue is how to use the Kerberos token/ticket in the connection string within SAS Studio?  I get errors if the username and password are present or missing in the connection string.

 

Could you please show an example on how to connect to an Oracle database using Kerberos?  I can't find any documentation that shows the proper connection string to use.

 

Thanks for your help.

 

Mike

@msquared,

 

Are you sure the KRB5CCNAME environment variable was set? What is the current value of KRB5CCNAME?

%put KRB5CCNAME: %sysget(KRB5CCNAME);

If the KRB5CCNAME environment variable is set and contains a valid ticket, you should be able to connect to Oracle using the following libname statement:

libname ora oracle path=<Oracle-database-specification>;
Thank you again! Works perfectly.

Even 'connect to oracle(path="@aippdev");' works now.

It's also helpful to edit the correct WorkspaceServer_usermods.sh. I found
it in two places and of course I edited the wrong one.

Take care.

Mike

@msquared ,

 

I'm glad the problem has been resolved. Let me know if you have any other questions.

Version history
Last update:
‎09-10-2019 11:39 AM
Updated by:
Contributors

SAS Innovate 2025: Save the Date

 SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!

Save the date!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags