Following on from looking at the overview of Kerberos delegation introduced with the 2020.1.4 release of SAS Viya, this time we will examine the process flow of authentication. In this case we will examine Kerberos Constrained Delegation, last time we examined Kerberos Unconstrained Delegation. In this article we will look at three different use-cases: launching a SAS Compute Server through SAS Studio, launching a CAS session from SAS Visual Analytics, and directly connecting to SAS Cloud Analytic Services from SAS 9.4 Maintenance 5 or higher.
Kerberos Constrained Delegation: SAS Compute Server
In this use-case an end-user logs into SAS Studio.

Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
The steps are as follows:
- End-user accesses SAS Studio for the first time and is redirected to SAS Logon Manager.
- The browser follows the redirect to SAS Logon Manager. As the end-user has no current session with SAS Logon Manager it responds with a 401 HTTP response code.
- The 401 HTTP response code triggers the browser to attempt Kerberos authentication and a request is submitted to the KDC for the service ticket. This request leverages the existing Ticket-Granting Ticket held on the client. Since the HTTP Service Principal is configured for constrained delegation only the Service Ticket (containing the proxy credential) is returned.
- The browser submits the Service Ticket as a response to the 401 HTTP response code to SAS Logon Manager.
- SAS Logon Manager uses the long-term key for the HTTP Service Principal, obtained from the Kerberos keytab, to decrypt the Service Ticket and extract the authenticator information. This includes the end-user’s UPN and authenticates the end-user to SAS Logon Manager.
- SAS Logon Manager strips the realm from the UPN and submits the username to the Identities microservice to obtain the group information.
- The Identities microservice queries the group information from the LDAP provider.
- The Identities microservice responds to SAS Logon Manager with the group information.
- SAS Logon Manager redirects the end-user back to the calling web application, SAS Studio, with an authorization code.
- The browser follows the redirection and submits the authorization code to SAS Studio.
- SAS Studio exchanges the authorization code for an ACCESS Token from SAS Logon Manager, which includes the end-users group information. SAS Studio authenticates with its client credentials to SAS Logon Manager for the exchange.
- SAS Studio uses the end-user’s ACCESS Token to request a SAS Compute Server session from the Launcher microservice.
- The Launcher microservice uses the end-user’s ACCESS Token to request the user attributes (UID, GID, and secondary GID) from the Identities microservice.
- The Launcher microservice includes the end-user’s ACCESS Token and user attributes in the request to Kubernetes to launch the SAS Compute Server pod.
- The SAS Compute Server pod includes the sas-krb5-proxy sidecar container. The SAS Compute Server makes a HTTP request to the sas-krb5-proxy sidecar on localhost ( which uses the end-user’s ACCESS Token. The sas-krb5-proxy sidecar then makes a S4U2SELF request to the KDC to obtain a Service Ticket for the sas-krb5-proxy Service Principal Name (SPN) as the end-user. As part of the S4U2SELF request the sas-krb5-proxy may initialize a TGT for the HTTP principal using the long-term key for the principal from the Kerberos keytab.
- Since the HTTP principal is configured for TrustedToAuthForDelegation the KDC responds with the Service Ticket and delegated credentials. The sas-krb5-proxy uses the long-term key for the principal from the Kerberos keytab to decrypt the response, obtaining the delegated credentials. The sas-krb5-proxy streams the delegated credentials back to the SAS Compute Server container within the same pod. The SAS Compute Server container writes the delegated credentials out to a Kerberos ticket cache in /tmp with a default name format.
Kerberos Constrained Delegation: SAS Cloud Analytic Services
In this use-case an end-user accesses SAS Visual Analytics which launches a SAS Cloud Analytic Services session.

The steps are as follows:
- End-user accesses SAS Visual Analytics for the first time and is redirected to SAS Logon Manager.
- The browser follows the redirect to SAS Logon Manager. As the end-user has no current session with SAS Logon Manager it responds with a 401 HTTP response code.
- The 401 HTTP response code triggers the browser to attempt Kerberos authentication and a request is submitted to the KDC for the service ticket. This request leverages the existing Ticket-Granting Ticket held on the client. Since the HTTP Service Principal is configured for constrained delegation only the Service Ticket (containing the proxy credential) is returned.
- The browser submits the Service Ticket as a response to the 401 HTTP response code to SAS Logon Manager.
- SAS Logon Manager uses the long-term key for the HTTP Service Principal, obtained from the Kerberos keytab, to decrypt the Service Ticket and extract the authenticator information. This includes the end-user’s UPN and authenticates the end-user to SAS Logon Manager.
- SAS Logon Manager strips the realm from the UPN and submits the username to the Identities microservice to obtain the group information.
- The Identities microservice queries the group information from the LDAP provider.
- The Identities microservice responds to SAS Logon Manager with the group information.
- SAS Logon Manager redirects the end-user back to the calling web application, SAS Visual Analytics, with an authorization code.
- The browser follows the redirection and submits the authorization code to SAS Visual Analytics.
- SAS Visual Analytics exchanges the authorization code for an ACCESS Token from SAS Logon Manager, which includes the end-users group information. SAS Visual Analytics authenticates with its client credentials to SAS Logon Manager for the exchange.
- SAS Visual Analytics uses the end-user’s ACCESS Token to request a SAS Cloud Analytic Services session from the CAS Controller.
- The CAS Controller uses the end-user’s ACCESS Token to request the user attributes (UID, GID, and secondary GID) from the Identities microservice.
- The SAS Cloud Analytic Services pod includes the sas-krb5-proxy sidecar container. CAS makes a HTTP request to the sas-krb5-proxy sidecar on localhost ( which uses the end-user’s ACCESS Token. The sas-krb5-proxy sidecar then makes a S4U2SELF request to the KDC to obtain a Service Ticket for the sas-krb5-proxy Service Principal Name (SPN) as the end-user. As part of the S4U2SELF request the sas-krb5-proxy may initialize a TGT for the HTTP principal using the long-term key for the principal from the Kerberos keytab.
- Since the HTTP principal is configured for TrustedToAuthForDelegation the KDC responds with the Service Ticket and delegated credentials. The sas-krb5-proxy uses the long-term key for the principal from the Kerberos keytab to decrypt the response, obtaining the delegated credentials. The sas-krb5-proxy streams the delegated credentials back to the CAS container within the same pod. The CAS container writes the delegated credentials out to a Kerberos ticket cache in /tmp with a default name format.
Kerberos Constrained Delegation: SAS Cloud Analytic Services – Direct Connection
In this use-case the end-user in SAS 9.4 Maintenance 5 or higher has authenticated through SAS 9.4 using Kerberos constrained delegation and then connection to SAS Cloud Analytic Services.

The steps are as follows:
- CAS Client (SAS 9.4 M5 and higher, or third-party programming language) makes a direct connection to SAS Cloud Analytic Services. Since the CAS Client is not provided with a valid username/password, an authinfo file, or existing ACCESS Token the CAS Client initializes a Kerberos connection to CAS. The initialization of the Kerberos connection requires a Service Ticket.
- CAS Client triggers OS request for a Service Ticket for CAS from the KDC leveraging the existing Ticket-Granting Ticket (TGT) of the end-user. Since the HTTP Service Principal is configured for constrained delegation only the Service Ticket (containing the proxy credential) is returned.
- The CAS Client submits the Service Ticket as part of the Kerberos authentication request to CAS.
- CAS uses the long-term key of the service principal, provided in the Kerberos keytab to decrypt the service ticket. This authenticates the end-user to CAS using Kerberos. The proxy credential contained in the Service Ticket and the Service Ticket itself are written to a temporary Kerberos ticket cache.
- CAS uses Kerberos to authenticate to SAS Logon Manager. Since the temporary Kerberos ticket cache contains the Service Ticket for the HTTP principal no communication with the KDC is necessary.
- SAS Logon Manager uses the long-term key for the HTTP Service Principal, obtained from the Kerberos keytab, to decrypt the Service Ticket and extract the authenticator information. This includes the end-user’s UPN and authenticates the end-user to SAS Logon Manager.
- SAS Logon Manager strips the realm from the UPN and submits the username to the Identities microservice to obtain the group information.
- The Identities microservice queries the group information from the LDAP provider.
- The Identities microservice responds to SAS Logon Manager with the group information.
- SAS Logon Manager responds to CAS with the ACCESS Token for the end-user.
- CAS uses the ACCESS Token for the end-user to request the user attributes (UID, GID, and secondary GIDs) from the Identities microservice. CAS uses the user attributes to write out the Kerberos ticket cache using the default name format and launches the CAS session for the end-user.
In the first two use-cases we can see the important role of the SAS Kerberos Proxy sidecar container. This is responsible for making the Kerberos credentials available to either the SAS Compute Server session or the SAS Cloud Analytic Services session. Unlike previous releases Kerberos is not used to authenticate the end-user to the SAS Compute Server or to SAS Cloud Analytic Services. Instead the Viya ACCESS Token generated by authenticating to SAS Logon Manager is used. We can see that this will greatly simplify the prerequisites the customer will need to setup in advance since we will only have a single Kerberos principal to be concerned with.
The direct connection to SAS Cloud Analytic Services behaves more like previous releases. But we must set the CASSPN option in the client code to HTTP@{{Viya4SPNHost}} to specify the different SPN for connecting to CAS. For example, this can be set with the following:
options set=CASSPN='HTTP@{{Viya4SPNHost}}';
Then the processing that CAS carries out is no different for constrained or unconstrained delegation. So even if the SAS 9.4 Maintenance 5 or higher client is not configured for constrained delegation the connection will be successful. It is just that CAS will have access to the end-users delegated TGT. The processing will be then the same as what we examined last time for Kerberos Unconstrained Delegation.