Desktop productivity for business analysts and programmers

how to use kerberos

Regular Contributor
Posts: 220

how to use kerberos

Hi All,

Some users cannot access Windows shares through the SAS server and I am trying to use Kerberos to address the problem. I have configured Integrated Windows Authentication, and have in place

security package=negotiate

security package list= Kerberos,NTLM

I am following the link below but it's not giving me a clear picture of what the steps are to use Kerberos - if someone can guide, please.

http://support.sas.com/documentation/cdl/en/bisecag/61133/HTML/default/viewer.htm#a003310603.htm

Thanks!

Community Manager
Posts: 2,697

Re: how to use kerberos

I don't have specific answers, but I do recommend that you check this series of excellent blogs by :

Kerberos - platformadmin.com

Chris

Super Contributor
Posts: 387

Re: how to use kerberos

(Thanks for the mention Chris)

Assuming the clients have already been configured for IWA, I'd start by checking the metadata server and object spawner logs using a candidate workstation and user to verify that IWA with Kerberos is being used for the connection.  There is more info on verifying this in the blog post: SAS & IWA: Check the Logs

If the connections are not IWA+Kerberos I'd check the client connection profile to ensure IWA is selected, and also double check the server configs (and metadata) to ensure IWA is enabled and only Kerberos is offered. Whilst the client connection profile can be configured for specific protocols and SPNs it's easier from a deployment perspective to configure everything at the server end so only basic config is required on the client (i.e. just ticking the IWA checkbox). There's info and links to SAS doco in this post: SAS and IWA: Two Hops

If the client and server configs are all ok and IWA+Kerberos is still not being used, I'd check the SPNs. If the logical names used to connect to the servers are different from the physical hostnames then you will need to add additional SPNs (done in AD by a domain admin).  Logical and physical hostname differences occur when DNS aliases are used, often for portability or disaster recovery options. There is more info in these blog posts: SAS & IWA: Host Name Aliases and SPNs and SAS & IWA: Reviewing SPNs

Once you have IWA+Kerberos connections to the metadata server and workspace server(s), to get further IWA access to secondary/additional servers (e.g. UNC paths and/or access to SQL Server) from the workspace server(s) you need to get a domain admin to mark the workspace server(s) as trusted for delegation in AD.  There's info about how non-admins can verify that status in this blog post: SAS & IWA: Verifying Trusted for Delegation Status

Hope this helps.

Cheers

Paul

Regular Contributor
Posts: 220

Re: how to use kerberos

Thanks Paul and Chris for your feedback. This info will definitely help...

Regular Contributor
Posts: 220

Re: how to use kerberos

@ Paul -

I checked out the metadata server log and object spawner log as mentioned in the notes that you provided; it looks good.

But I am not able to find which one is the machine account in Active Directory. How can I get there to make sure the radio button for "Trust this computer for delegation to any service (Kerberos only)" is marked or not?

thanks...

Super Contributor
Posts: 387

Re: how to use kerberos

It's the computer account in AD for the workspace server machine. If you have a clustered logical workspace server it will need to be done for each of the associated machines. Have a chat to your domain admin as they will have the necessary tools and permissions to do this. Normal domain users cannot make these changes.
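The two answers above describe checks a non-admin can do before going to the domain admin: confirm SPNs exist for both the logical (DNS alias) and physical host names, and read the delegation status of the workspace server's machine account. The read-only script below is an added example, not code from this thread, from SAS or from platformadmin.com. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the session runs as an ordinary domain user (who can read these attributes by default), and that the SPN service class is "SAS"; the hostnames are placeholders.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory module
# (RSAT) is installed and the session runs as an ordinary domain user.
# Hostnames and the SPN service class are placeholders/assumptions.
param(
    [string]$LogicalHost  = 'sasapp.example.com',   # name clients connect to (placeholder)
    [string]$ServiceClass = 'SAS'                   # SPN service class (assumption)
)

Import-Module ActiveDirectory

# Step 1: resolve the logical name. If it is a DNS alias (CNAME), the physical
# host behind it owns the machine account and SPNs are needed for BOTH names.
$physicalHost = $LogicalHost
$cname = Resolve-DnsName -Name $LogicalHost -ErrorAction Stop |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if ($cname) { $physicalHost = $cname.NameHost.TrimEnd('.') }

# Step 2: the machine account is the computer object named after the physical
# host's short name (its sAMAccountName is that name with a trailing '$').
$shortName = ($physicalHost -split '\.')[0]
$computer  = Get-ADComputer -Identity $shortName -Properties servicePrincipalName,
                 userAccountControl, 'msDS-AllowedToDelegateTo'

# Step 3: check that an SPN is registered for every name clients may use.
$expectedSpns = @("$ServiceClass/$physicalHost", "$ServiceClass/$LogicalHost") |
                Select-Object -Unique
$registered   = @($computer.servicePrincipalName)
$spnReport = foreach ($spn in $expectedSpns) {
    [pscustomobject]@{
        SPN        = $spn
        Registered = ($registered -contains $spn)   # -contains is case-insensitive
    }
}

# Step 4: delegation status from userAccountControl.
#   0x80000   TRUSTED_FOR_DELEGATION: the "Trust this computer for delegation to
#             any service (Kerberos only)" radio button (unconstrained).
#   0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION: "use any authentication protocol",
#             broader than this scenario needs.
#   A populated msDS-AllowedToDelegateTo means constrained delegation to the
#   listed services only.
$uac = [int]$computer.userAccountControl
$delegation = [pscustomobject]@{
    ComputerAccount       = $computer.SamAccountName
    UnconstrainedKerberos = [bool]($uac -band 0x80000)
    AnyProtocol           = [bool]($uac -band 0x1000000)
    ConstrainedTargets    = @($computer.'msDS-AllowedToDelegateTo')
}

"Logical host : $LogicalHost"
"Physical host: $physicalHost"
$spnReport  | Format-Table -AutoSize
$delegation | Format-List
if (-not ($delegation.UnconstrainedKerberos -or $delegation.ConstrainedTargets.Count)) {
    Write-Warning 'No delegation configured: second-hop access (UNC shares, SQL Server) from this workspace server will fail until a domain admin enables it.'
}
```

Run it once per machine behind a clustered logical workspace server, since each node has its own computer account. A missing SPN for the alias name shows up as Registered = False on that row; a False UnconstrainedKerberos with an empty ConstrainedTargets list is exactly the state the last answer says only a domain admin can change.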
