sas_9
Obsidian | Level 7

Hi All,

Some users cannot access a Windows share through the SAS server, and I am trying to use Kerberos to address the problem. I have configured Integrated Windows Authentication and have in place

security package=negotiate

security package list= Kerberos,NTML

I am following the link below, but it's not giving me a clear picture of what the steps are to use Kerberos. If someone can guide me, please.

http://support.sas.com/documentation/cdl/en/bisecag/61133/HTML/default/viewer.htm#a003310603.htm

Thanks!

5 REPLIES
ChrisHemedinger
Community Manager

I don't have specific answers, but I do recommend that you check this series of excellent blogs by :

Kerberos - platformadmin.com

Chris

PaulHomes
Rhodochrosite | Level 12

(Thanks for the mention Chris)

Assuming the clients have already been configured for IWA, I'd start by checking the metadata server and object spawner logs using a candidate workstation and user to verify that IWA with Kerberos is being used for the connection.  There is more info on verifying this in the blog post: SAS & IWA: Check the Logs

If the connections are not IWA+Kerberos I'd check the client connection profile to ensure IWA is selected, and also double check the server configs (and metadata) to ensure IWA is enabled and only Kerberos is offered. Whilst the client connection profile can be configured for specific protocols and SPNs it's easier from a deployment perspective to configure everything at the server end so only basic config is required on the client (i.e. just ticking the IWA checkbox). There's info and links to SAS doco in this post: SAS and IWA: Two Hops

If the client and server configs are all ok and IWA+Kerberos is still not being used, I'd check the SPNs. If the logical names used to connect to the servers are different from the physical hostnames then you will need to add additional SPNs (done in AD by a domain admin).  Logical and physical hostname differences occur when DNS aliases are used, often for portability or disaster recovery options. There is more info in these blog posts: SAS & IWA: Host Name Aliases and SPNs and SAS & IWA: Reviewing SPNs

Once you have IWA+Kerberos connections to the metadata server and workspace server(s), to get further IWA access to secondary/additional servers (e.g. UNC paths and/or access to SQL Server) from the workspace server(s) you need to get a domain admin to mark the workspace server(s) as trusted for delegation in AD.  There's info about how non-admins can verify that status in this blog post: SAS & IWA: Verifying Trusted for Delegation Status

Hope this helps.

Cheers

Paul

sas_9
Obsidian | Level 7

Thanks Paul and Chris for your feedback. This info will definitely help...

sas_9
Obsidian | Level 7

@Paul -

I checked out the metadata server log and object spawner log as mentioned in the notes that you provided; it looks good.

But I am not able to find which one is the machine account in Active Directory. How can I get there to make sure the radio button for “Trust this computer for delegation to any service (Kerberos only)” is marked or not?

Thanks...

PaulHomes
Rhodochrosite | Level 12

It's the computer account in AD for the workspace server machine. If you have a clustered logical workspace server it will need to be done for each of the associated machines. Have a chat to your domain admin as they will have the necessary tools and permissions to do this. Normal domain users cannot make these changes.
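
The read-only check discussed in this thread, as an added example that is not part of the original posts or of SAS's own tooling: it looks up each workspace server's computer account in AD, reports whether the flag behind "Trust this computer for delegation to any service (Kerberos only)" is set, and checks whether an SPN exists for each logical host name. The host names and alias are placeholders, and it assumes a domain-joined Windows machine and an ordinary domain user.

```powershell
# Added example (read-only). Host names below are placeholders, not values from this thread.
$WorkspaceHosts = @('sasws01', 'sasws02')   # physical machine names (assumed)
$LogicalNames   = @('sasapp.example.com')   # DNS aliases clients connect to (assumed)

# userAccountControl bit set by "Trust this computer for delegation
# to any service (Kerberos only)" on the computer account.
$TRUSTED_FOR_DELEGATION = 0x80000

function Get-DelegationStatus {
    param([Parameter(Mandatory)][string]$ComputerName)

    # LDAP lookup of the computer account; no RSAT module or admin rights needed.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(name=$ComputerName))"
    $searcher.PropertiesToLoad.AddRange(
        [string[]]@('useraccountcontrol', 'serviceprincipalname', 'dnshostname'))
    $result = $searcher.FindOne()
    if (-not $result) {
        Write-Warning "No computer account found for '$ComputerName'"
        return
    }

    $uac = [int]$result.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Computer             = $ComputerName
        DnsHostName          = [string]$result.Properties['dnshostname'][0]
        TrustedForDelegation = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        SPNs                 = @($result.Properties['serviceprincipalname'])
    }
}

$status = foreach ($h in $WorkspaceHosts) { Get-DelegationStatus -ComputerName $h }
$status | Format-Table Computer, DnsHostName, TrustedForDelegation -AutoSize

# When clients connect through a DNS alias, an SPN must be registered for that
# alias as well as for the physical host name. Report any alias with no SPN.
$allSpns = @($status | ForEach-Object { $_.SPNs })
foreach ($alias in $LogicalNames) {
    $pattern = '/' + [regex]::Escape($alias) + '(:\d+)?$'
    $hits = @($allSpns | Where-Object { $_ -match $pattern })
    if ($hits.Count -eq 0) {
        Write-Warning "No SPN registered for logical name '$alias'"
    } else {
        "SPNs for ${alias}: " + ($hits -join ', ')
    }
}
```

If the flag shows `False` or an alias has no SPN, the change itself still has to be made by a domain admin, as noted above.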
