With the Stable release of SAS Viya 2023.03, some further incremental improvements have been made in how Kerberos Authentication can be configured with SAS Viya. In this post I want to explain both what the changes are and what the implications are. I won’t be delving into a great deal of detail on how to configure Kerberos Authentication; for this type of information, you should refer to the official documentation and my previous posts.
Around one year ago I wrote about the different scenarios for configuring Kerberos authentication. In that post I described the following Kerberos modes:
The mode Kerberos Hybrid Authentication with Protocol Transition is where you want to use a non-Kerberos authentication method with SAS Logon Manager but want to use Kerberos authentication from SAS Viya to your data sources. Specifically, you want to leverage Kerberos Constrained Delegation so that the SAS Viya environment obtains Kerberos credentials for each end-user as themselves. For example, you might use Azure Active Directory OpenID Connect (OIDC) to authenticate to SAS Logon Manager, which would allow you to enable Single Sign-On to data sources within Azure. In addition, you also need to access on-premises resources that are secured with Kerberos, so you enable Kerberos Hybrid Authentication with Protocol Transition.
With Kerberos Hybrid Authentication with Protocol Transition the SAS Kerberos Proxy Sidecar will use Kerberos Constrained Delegation to obtain the Kerberos credentials for the end-user and make those available to SAS Cloud Analytic Services or SAS Compute Server. The improvement in the SAS Viya 2023.03 Stable release is in the processing that the SAS Kerberos Proxy Sidecar completes to request these credentials. The SAS Kerberos Proxy Sidecar is aware of the method of authentication used to authenticate the end-users to SAS Logon Manager. If Kerberos authentication is used with SAS Logon Manager, so we are in a straight-forward Kerberos Delegation mode, the SAS Kerberos Proxy Sidecar is provided with the end-users User Principal Name (UPN) by SAS Logon Manager. As such, the SAS Kerberos Proxy Sidecar then obtains a delegated credential with this UPN. If LDAP authentication is used with SAS Logon Manager, so one case of Kerberos Hybrid Authentication with Protocol Transition, the SAS Kerberos Proxy Sidecar constructs the expected UPN from the end-users LDAP Distinguished Name provided by SAS Logon Manager. If any other authentication protocol is used with SAS Logon Manager, and we have configured Kerberos Hybrid Authentication with Protocol Transition, the SAS Kerberos Proxy Sidecar leverages the username in SAS Viya as the UPN to obtain Kerberos delegated credentials. This part is the minor update with the SAS Viya 2023.03 Stable release.
So, if we return to our example of using Azure AD OIDC to authenticate to SAS Logon Manager with Kerberos Hybrid Authentication with Protocol Transition configured for SAS Viya. The ability for the SAS Kerberos Proxy Sidecar to correctly obtain the delegated Kerberos credentials for the end-users will be dependent on the username value used in your SAS Viya environment. The value you configure for the username in SAS Viya will be dependent on your configuration of the Identities microservice. You might be pulling the identity information from an LDAP server, or you could be pushing the information to Identities from a SCIM client such as Azure Active Directory or OKTA. If you are using Azure Active Directory with OIDC and SCIM with your SAS Viya environment, you can control the value used for the username in SAS Viya. I have written previously on this topic as regards OIDC Custom Attributes and SCIM Custom Attributes. You need to ensure the value used for the username in SAS Viya will be valid for obtaining the delegated credentials.
In addition to the value used for the username, you have some controls you can leverage in the Kerberos configuration (krb5.conf) file provided to the SAS Kerberos Proxy Sidecar. If the username has no Kerberos Realm, i.e. it is just `username` rather than `username@REALM.COM`, then specifying the default_realm in the [libdefaults] section of the krb5.conf will cause the Kerberos Realm to be appended.
The next change with the SAS Viya 2023.03 Stable release related to Direct Kerberos connections to SAS Cloud Analytic Services. For some time now, it has been necessary to configure Direct Kerberos connections to CAS even if it was not required. This was required by the implementation of Kerberos Ticket renewal that required the SAS Cloud Analytic Services controller itself to initialize a Kerberos credential using the Service Principal as SAS Cloud Analytic Services started-up. With the SAS Viya 2023.03 Stable release this is no-longer required; the CAS sessions running internally as the CAS service account will still leverage the SAS Kerberos Proxy Sidecar to obtain a Kerberos credential using the Kerberos keytab provided to the sidecar. As such if it is not required by the scenario you are configuring, you do not need to configure Direct Kerberos connections to SAS Cloud Analytic Services. For example, if you will only ever be connecting to SAS Cloud Analytic Services from within the SAS Viya environment you will not need to configure Direct Kerberos connections to CAS. If in the future, you do need to enable Direct Kerberos connection to CAS you can update your configuration to enable this.
This means that you do not need to have the site-config/kerberos/cas-server directory and you do not need to have reference to this in the resources block of your kustomization.yaml. Also you do not need to add - sas-bases/overlays/kerberos/sas-servers/cas-kerberos-direct.yaml to the transformers block of the kustomization.yaml. The site-config/kerberos/sas-servers directory and associated entries in your kustomization.yaml will still be required to configure the SAS Kerberos Proxy Sidecar.
The two minor updates in the SAS Viya 2023.03 Stable release should make the configuration of Kerberos authentication with SAS Viya more flexible. The changes to Kerberos Hybrid Authentication with Protocol Transition allow for better support of different scenarios. Then removal of the requirement to configure Direct Kerberos connections to SAS Cloud Analytic Services will simplify the configuration for a number of setups.
Registration is open! SAS is returning to Vegas for an AI and analytics experience like no other! Whether you're an executive, manager, end user or SAS partner, SAS Innovate is designed for everyone on your team. Register for just $495 by 12/31/2023.
If you are interested in speaking, there is still time to submit a session idea. More details are posted on the website.
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.