We all know that SAS Viya supports the Kerberos authentication protocol with SAS Logon Manager, SAS Cloud Analytic Services and SAS/CONNECT Spawner. In this post I want to explore in more detail SAS/CONNECT Spawner with Kerberos authentication. We’ll examine the different ways Kerberos can be used with SAS/CONNECT and what needs to be configured.
Let’s begin by examining the different ways that Kerberos can be used with SAS/CONNECT Spawner. We can use Kerberos in the following ways:
With this option our end user authenticates to SAS Logon Manager with Kerberos, and either constrained or unconstrained delegation is configured. The connection to the SAS/CONNECT Spawner is authenticated with the internal SAS Viya token. This is a connection from within the SAS Viya environment, perhaps from SAS Studio. The SAS Kerberos Proxy sidecar then obtains the Kerberos credentials for the SAS/CONNECT Server session. The SAS Kerberos Proxy sidecar either fetches the unconstrained delegated credentials from SAS Logon Manager or uses constrained delegation to obtain credentials from the Kerberos Key Distribution Center (KDC).
Here our end user authenticates to SAS Logon Manager with any authentication protocol except Kerberos. The connection to the SAS/CONNECT Spawner is from within the SAS Viya environment and authenticates with the SAS Viya internal token. The SAS Kerberos Proxy sidecar is configured to generate the Kerberos credentials using a username and password stored in an authentication domain. The SAS Kerberos Proxy sidecar retrieves the username and password from the credentials microservice and initializes the Kerberos credentials for the SAS/CONNECT Server session.
Similarly to the previous option, the end user authenticates to SAS Logon Manager with any authentication protocol other than Kerberos. The internal connection to the SAS/CONNECT Spawner authenticates with the internal SAS Viya token. The SAS Kerberos Proxy sidecar is configured to obtain credentials using Protocol Transition. The SAS Kerberos Proxy sidecar communicates directly with the KDC and initializes the Kerberos credentials for the SAS/CONNECT Server session.
In this case the end user connects from outside the SAS Viya environment directly to the SAS/CONNECT Spawner. The connection uses Kerberos authentication. The SAS/CONNECT Spawner accepts the Kerberos service ticket sent by the SAS/CONNECT client. Validating the Kerberos service ticket authenticates the end user to the SAS/CONNECT Spawner. The principal must be configured for delegation, either constrained or unconstrained. The SAS/CONNECT Spawner makes a Kerberos connection to SAS Logon Manager as the end user to obtain the internal SAS Viya token. The delegated credentials and the internal SAS Viya token are made available to the SAS/CONNECT Server session.
Again, the end user connects from outside the SAS Viya environment directly to the SAS/CONNECT Spawner. The connection provides a username and password to the SAS/CONNECT Spawner. The SAS/CONNECT Spawner initializes a Kerberos credential using the username and password. Once a Kerberos credential has been initialized, Kerberos is used to authenticate to SAS Logon Manager to obtain the internal SAS Viya token. The Kerberos credentials and the internal SAS Viya token are made available to the SAS/CONNECT Server session.
Finally, another case where the end user connects from outside the SAS Viya environment directly to the SAS/CONNECT Spawner. This connection provides an existing valid internal SAS Viya token, which has been obtained by separately authenticating with SAS Logon Manager. The internal SAS Viya token is validated by the SAS/CONNECT Spawner and the SAS/CONNECT Server session is launched. If either of the Hybrid Kerberos Authentication options is configured, the SAS Kerberos Proxy sidecar will also obtain Kerberos credentials for the SAS/CONNECT Server session.
In this post we won’t be diving too deep into the configuration details. Here we just want to clarify what parts of the SAS Viya environment need to be configured for Kerberos authentication.
With Kerberos delegation, either constrained or unconstrained, we need to have both SAS Logon Manager and SAS/CONNECT Spawner configured for Kerberos. This also configures the SAS Launcher and SAS Cloud Analytic Services. In this scenario we don't have direct connections to either SAS/CONNECT or SAS Cloud Analytic Services.
This means we will expect to have the kerberos/http and kerberos/sas-servers directories under our site-config directory. We will just have the HTTP/ service principal. In the configmaps.yaml under kerberos/sas-servers we do not need to uncomment the SAS/CONNECT stanza.
| Kerberos directory | Required SPN | Delegation |
| --- | --- | --- |
| kerberos/http | HTTP | Constrained or Unconstrained |
| kerberos/sas-servers | HTTP | Constrained or Unconstrained |
Using Hybrid Kerberos Authentication means that we only need to have the SAS servers configured for Kerberos authentication. We do not need to configure SAS Logon Manager for Kerberos authentication.
This means we expect to have only the kerberos/sas-servers directory under our site-config directory. We will need to have a Kerberos Service Principal and its associated keytab. However, this does not need to be the HTTP/ service principal; it could be for a different service class. The Service Principal will be used during the bootstrapping of the SAS Kerberos Proxy sidecar.
In the configmaps.yaml under kerberos/sas-servers we do not need to uncomment the SAS/CONNECT stanza.
| Kerberos directory | Required SPN | Delegation |
| --- | --- | --- |
| kerberos/sas-servers | HTTP | Constrained or Unconstrained |
Likewise, using Hybrid Kerberos Authentication with Protocol Transition means that we only need to have the SAS servers configured for Kerberos authentication. We do not need to configure SAS Logon Manager for Kerberos authentication.
This means we expect to have only the kerberos/sas-servers directory under our site-config directory. We will need to have a Kerberos Service Principal and its associated keytab. However, this does not need to be the HTTP/ service principal; it could be for a different service class. The Service Principal must be correctly configured to allow the use of Protocol Transition.
In the configmaps.yaml under kerberos/sas-servers we do not need to uncomment the SAS/CONNECT stanza.
| Kerberos directory | Required SPN | Delegation |
| --- | --- | --- |
| kerberos/sas-servers | HTTP | Constrained |
To support external clients authenticating with Kerberos we must configure more than just the SAS/CONNECT Spawner for Kerberos authentication. We configure both SAS Logon Manager and the SAS servers for Kerberos authentication.
This means we will expect to have the kerberos/http and kerberos/sas-servers directories under our site-config directory. We will have both the HTTP/ service principal and SAS/ service principal. The SAS/ service principal is used by SAS/CONNECT Spawner for direct Kerberos connections. The HTTP/ service principal is used by the other services. We must be able to use Kerberos delegation from the SAS/ principal to the HTTP/ principal.
We can have either a single Kerberos keytab containing the long-term keys for both the HTTP/ and SAS/ principals or two separate keytab files. If we have a single keytab, the long-term keys for the SAS/ principal must appear first.
More care must be taken with the settings in the files under kerberos/sas-servers. The configmaps.yaml file must have the SAS/CONNECT stanza uncommented. In the literals for the sas-connect-spawner-kerberos-config set KRB5_KTNAME to the SAS/ principal's keytab, set SAS_SERVICE_PRINCIPAL to the SAS/ service principal name, and set SAS_KRB5_PROXY_SPN to the HTTP/ service principal name. In the secrets.yaml file under sas-servers-kerberos-secrets set the Kerberos configuration file and the HTTP/ principal keytab. Then under sas-servers-kerberos-secrets set the SAS/ principal keytab.
Also, for direct connections to the SAS/CONNECT Spawner an additional line will be required in the kustomization.yaml for the SAS/CONNECT Spawner Kerberos transformer.
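The single-keytab ordering rule above is easy to get wrong when keytabs are merged, so here is an added check (not SAS's own tooling) that reads MIT `klist -k` output for a keytab and confirms that the first entry belongs to the SAS/ principal and that the HTTP/ principal is also present. The principal names and keytab path are placeholders; the sample in the comments is constructed.

```sh
#!/bin/sh
# Added example: validate a combined SAS/ + HTTP/ keytab for the external
# direct Kerberos scenario. The post requires the SAS/ long-term keys to
# appear first when a single keytab carries both principals.
#
# usage: klist -k /etc/sas/sas.keytab | ./check_keytab.sh \
#            SAS/connect.example.com@EXAMPLE.COM HTTP/viya.example.com@EXAMPLE.COM
# (placeholder names; substitute your own principals and keytab path)

# Extract the principal column from `klist -k` (or `klist -k -t`) output,
# skipping the "Keytab name:", "KVNO ..." and "----" header lines. The
# principal is always the last whitespace-separated field of an entry line.
keytab_principals() {
    awk '!/^Keytab name:/ && !/^KVNO/ && !/^-+/ && NF >= 2 { print $NF }'
}

# check_keytab_order SAS_SPN HTTP_SPN   (klist output on stdin)
# Returns 0 when the first keytab entry is SAS_SPN and HTTP_SPN is present
# anywhere in the keytab; otherwise prints the reason and returns 1.
check_keytab_order() {
    sas_spn=$1
    http_spn=$2
    princs=$(keytab_principals)
    if [ -z "$princs" ]; then
        echo "no keytab entries found in input"
        return 1
    fi
    first=$(printf '%s\n' "$princs" | head -n 1)
    if [ "$first" != "$sas_spn" ]; then
        echo "first entry is '$first'; expected '$sas_spn' (SAS/ keys must appear first)"
        return 1
    fi
    if ! printf '%s\n' "$princs" | grep -qxF -- "$http_spn"; then
        echo "HTTP/ principal '$http_spn' not found in keytab"
        return 1
    fi
    echo "keytab order OK: $sas_spn first, $http_spn present"
    return 0
}

# Run the check only when invoked as a script, so the functions can also be
# sourced from another shell.
if [ "${0##*/}" = "check_keytab.sh" ]; then
    check_keytab_order "$1" "$2"
fi
```

The check only covers entry order and presence; KVNO and encryption-type agreement with the KDC still need to be confirmed separately.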
| Kerberos directory | Required SPN | Delegation to Viya services | Delegation Outbound |
| --- | --- | --- | --- |
| kerberos/sas-servers | HTTP | Other services | |
| kerberos/sas-servers SAS/CONNECT stanza enabled | SAS | HTTP | Other services |
There is no additional configuration required to support external SAS/CONNECT clients using a username and password for authentication when the SAS/CONNECT Spawner is configured for external Kerberos authentication. We do need to have completed all the steps listed above for External direct Kerberos authentication.
| Kerberos directory | Required SPN | Delegation to Viya services | Delegation Outbound |
| --- | --- | --- | --- |
| kerberos/sas-servers | HTTP | Other services | |
| kerberos/sas-servers SAS/CONNECT stanza enabled | SAS | HTTP | Other services |
There is no additional configuration required to support external SAS/CONNECT clients using an internal SAS Viya token for authentication when the SAS/CONNECT Spawner is configured for external Kerberos authentication. We do need to have completed all the steps listed above for External direct Kerberos authentication.
| Kerberos directory | Required SPN | Delegation to Viya services | Delegation Outbound |
| --- | --- | --- | --- |
| kerberos/sas-servers | HTTP | Other services | |
| kerberos/sas-servers SAS/CONNECT stanza enabled | SAS | HTTP | Other services |
Now let's consider some more complex scenarios. First, what if we have configured our SAS Viya environment for Kerberos delegation and then decide we need to support direct Kerberos authentication to the SAS/CONNECT Spawner? In this case we need to add the configuration specific to the SAS/CONNECT Spawner detailed in the section above to the files under kerberos/sas-servers in our site-config directory. We also need to configure the SAS/ service principal and provide its long-term keys in a Kerberos keytab.
Alternatively, what if we have configured our SAS Viya environment for Hybrid Kerberos Authentication with Protocol Transition and then want to add direct Kerberos authentication for the SAS/CONNECT Spawner? Here, we first need to understand which service principal we used for the Hybrid configuration. For the new combined scenario we require both the HTTP/ service principal and the SAS/ service principal. If we already used one of these for the Hybrid configuration, we should just need to add the other. However, if we used a completely different service class, we would need to add both service principals.
Then, for the configuration of the combined scenario, we need to add the Kerberos configuration for both SAS Logon Manager and the SAS/CONNECT Spawner. That means we need to have our kerberos/http directory and its files configured under our site-config directory. We also need to add the SAS/CONNECT-specific parts to the files under kerberos/sas-servers in our site-config directory.
I hope that this has helped clarify the configuration of Kerberos authentication with SAS/CONNECT Spawner. It might seem daunting initially, but when you break it down into the types of connections you want to support, I think it becomes clearer which parts you need to configure.
If you want to explore these concepts in more detail you can review the materials and hands-on environments available through the SAS Viya Advanced Topics in authentication workshops. There are workshops for the Core Topics, Kerberos, OpenID Connect and SAML, and details on Authentication Protocols.