Hi Stuart, I successfully setup Kerberos for SAS Logon Manager but cannot get Kerberos for SAS Cloud Analytic Services to work. From what I understand from your article and from what I read in the documentation there are no additional steps to Configure Kerberos for SAS Cloud Analytic Services or to Configure Kerberos for SAS Launcher Server as it mentions for both: Note: The configuration setting changes are not required in a Windows deployment. So after following instructions to Configure Kerberos for SAS Logon Manager, Kerberos for SASDrive works but when navigating to SASStudioV I get this: Unable to create compute server session. Failed to launch process. Failed to launch process: host=myserver.example.org port=33618 ssl=false Failed to connect to server. Kerberos handshake error. The SAS Viya Deployment Assistant for Windows says all is OK: PS C:\sas\install\powershell-deployment> .\sas-wvda.ps1 -validate all -keytabpath C:\sas\install\kerberos\http.keytab
INFO: sas-wvda version 1.1.08
INFO: Executing on host: myserver
INFO: JAVA_HOME (C:\Program Files\Zulu\zulu-8-jre) points to an installation of Java 8: OK
INFO: 64-bit version of Java 8 found in JAVA_HOME: OK
INFO: Running in a 64-bit environment: OK
INFO: Running PowerShell 5.1 or higher: OK
INFO: Running on Windows Server: OK
INFO: Server is part of a domain: OK
INFO: Running on Microsoft Windows Server 2016 Datacenter: OK
INFO: The version of the .NET Framework is 4.6 or higher
INFO: Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 is installed: OK
INFO: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 is installed: OK
INFO: Validate Postgres User Credentials: OK
INFO: Validate CAS User Credentials: OK
INFO: Host Account for myserver trusted for delegation: OK
INFO: sascas/myserver.example.org is defined: OK
INFO: sascas SPN Account Name = EXAMPLE\cas
INFO: Stored CAS Username matches SPN User: OK
INFO: EXAMPLE\cas is trusted for delegation: OK
INFO: cas has Replace Process Level Token: OK
INFO: cas has Log on as a Service right: OK
INFO: EXAMPLE\cas is a member of the local Administrators group: OK
INFO: HTTP/myserver.example.org is defined: OK
INFO: HTTP SPN Account Name = EXAMPLE\http
INFO: KINIT using keytab: OK
KINIT output:
New ticket is stored in cache file C:\Users\sas\krb5cc_sas
Picked up _JAVA_OPTIONS: -Dsun.security.krb5.debug=false -Djava.security.krb5.conf=C:\sas\install\powershell-deplo
yment\krb5.ini
WARNING: The Postgres service account was not found
INFO: Windows subsystem SharedSection tuning(SharedSection=1024,20480,20480) meets minimum: OK
INFO: TcpTimedWaitDelay is set to 30 : OK
INFO: Win32PrioritySeparation is set to 36 : OK
INFO: TCP ephemeral port range start value (32768) 32768 or less: OK
INFO: TCP ephemeral port quantity (32767) 32767 or greater: OK
INFO: SAS public code signing certs are installed: OK
PS C:\sas\install\powershell-deployment> except for the Postgres account but that is an error in the sas-wvda.ps1 script as it only checks for a local Postgres account where I use a domain account. The launcher log shows this: 2019-11-16 15:00:21.222 ERROR 48112 --- [o-auto-1-exec-4] com.sas.launcher.tklauncher.TKClient : sasdemo(8accc580) [7c5c88af53ed7506] [CLIENT_CONNECT_ERROR] Failed to connect to server: Kerberos handshake error.
2019-11-16 15:00:21.334 ERROR 48112 --- [o-auto-1-exec-4] com.sas.launcher.tklauncher.TKClient : sasdemo(8accc580) [7c5c88af53ed7506] [CLIENT_LAUNCH_ERROR] Failed to launch process: server=TKServer{id='sas-Viya-launcher-server-default:myserver.example.org', name='launcher-server', type=ServerType{name='launcher'}, state=ServerState{name='up'}, host=Host{address=myserver.example.org/10.0.0.10}, port=Port{port=33618}, operatingSystem=OperatingSystem{name='windows', pathSeparator='\', installBasePathPropertyName='sas.launcher.deployment.windows.install-base-path', configBasePathPropertyName='sas.launcher.deployment.windows.config-base-path', scriptExtensionPropertyName='sas.launcher.deployment.windows.script-extension'}, gridEnabled=false, environment=Environment{{}}, sasServicesUrl=SASServicesUrl{url=http://myserver.example.org:80/}, consulUrl=ConsulUrl{url=http://localhost:8500}, vaultUrl=VaultUrl{url=https://localhost:8200}, sslEnabled=false, sslCAList='null', sslCertificate='null', sslPrivateKey='null', spn=ServicePrincipalName{value='sas-launcher/myserver.example.org'}} cause=Failed to connect to server.
2019-11-16 15:00:21.341 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [7c5c88af53ed7506] com.sas.commons.rest.exceptions.ResourceException: Failed to launch process.
2019-11-16 15:00:21.341 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [7c5c88af53ed7506] caused by: com.sas.launcher.tklauncher.ClientException: Failed to launch process: host=myserver.example.org port=33618 ssl=false
2019-11-16 15:00:21.341 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [7c5c88af53ed7506] caused by: com.sas.launcher.tklauncher.ClientException: Failed to connect to server.
2019-11-16 15:00:21.341 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [7c5c88af53ed7506] caused by: com.sas.launcher.error.LauncherRuntimeException: Kerberos handshake error.
2019-11-16 15:00:21.341 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [7c5c88af53ed7506] caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
2019-11-16 15:00:21.341 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [7c5c88af53ed7506] caused by: sun.security.krb5.internal.KrbApErrException: Fail to create credential. (63) - No service creds
2019-11-16 15:00:22.788 ERROR 48112 --- [-auto-1-exec-10] com.sas.launcher.tklauncher.TKClient : sasdemo(8accc580) [a2f2512d14059358] [CLIENT_CONNECT_ERROR] Failed to connect to server: Kerberos handshake error.
2019-11-16 15:00:22.899 ERROR 48112 --- [-auto-1-exec-10] com.sas.launcher.tklauncher.TKClient : sasdemo(8accc580) [a2f2512d14059358] [CLIENT_LAUNCH_ERROR] Failed to launch process: server=TKServer{id='sas-Viya-launcher-server-default:myserver.example.org', name='launcher-server', type=ServerType{name='launcher'}, state=ServerState{name='up'}, host=Host{address=myserver.example.org/10.0.0.10}, port=Port{port=33618}, operatingSystem=OperatingSystem{name='windows', pathSeparator='\', installBasePathPropertyName='sas.launcher.deployment.windows.install-base-path', configBasePathPropertyName='sas.launcher.deployment.windows.config-base-path', scriptExtensionPropertyName='sas.launcher.deployment.windows.script-extension'}, gridEnabled=false, environment=Environment{{}}, sasServicesUrl=SASServicesUrl{url=http://myserver.example.org:80/}, consulUrl=ConsulUrl{url=http://localhost:8500}, vaultUrl=VaultUrl{url=https://localhost:8200}, sslEnabled=false, sslCAList='null', sslCertificate='null', sslPrivateKey='null', spn=ServicePrincipalName{value='sas-launcher/myserver.example.org'}} cause=Failed to connect to server.
2019-11-16 15:00:22.906 ERROR 48112 --- [-auto-1-exec-10] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [a2f2512d14059358] com.sas.commons.rest.exceptions.ResourceException: Failed to launch process.
2019-11-16 15:00:22.906 ERROR 48112 --- [-auto-1-exec-10] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [a2f2512d14059358] caused by: com.sas.launcher.tklauncher.ClientException: Failed to launch process: host=myserver.example.org port=33618 ssl=false
2019-11-16 15:00:22.906 ERROR 48112 --- [-auto-1-exec-10] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [a2f2512d14059358] caused by: com.sas.launcher.tklauncher.ClientException: Failed to connect to server.
2019-11-16 15:00:22.906 ERROR 48112 --- [-auto-1-exec-10] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [a2f2512d14059358] caused by: com.sas.launcher.error.LauncherRuntimeException: Kerberos handshake error.
2019-11-16 15:00:22.906 ERROR 48112 --- [-auto-1-exec-10] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [a2f2512d14059358] caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
2019-11-16 15:00:22.906 ERROR 48112 --- [-auto-1-exec-10] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [a2f2512d14059358] caused by: sun.security.krb5.internal.KrbApErrException: Fail to create credential. (63) - No service creds
2019-11-16 15:00:23.223 ERROR 48112 --- [o-auto-1-exec-4] com.sas.launcher.tklauncher.TKClient : sasdemo(8accc580) [63fb96197eb751c9] [CLIENT_CONNECT_ERROR] Failed to connect to server: Kerberos handshake error.
2019-11-16 15:00:23.334 ERROR 48112 --- [o-auto-1-exec-4] com.sas.launcher.tklauncher.TKClient : sasdemo(8accc580) [63fb96197eb751c9] [CLIENT_LAUNCH_ERROR] Failed to launch process: server=TKServer{id='sas-Viya-launcher-server-default:myserver.example.org', name='launcher-server', type=ServerType{name='launcher'}, state=ServerState{name='up'}, host=Host{address=myserver.example.org/10.0.0.10}, port=Port{port=33618}, operatingSystem=OperatingSystem{name='windows', pathSeparator='\', installBasePathPropertyName='sas.launcher.deployment.windows.install-base-path', configBasePathPropertyName='sas.launcher.deployment.windows.config-base-path', scriptExtensionPropertyName='sas.launcher.deployment.windows.script-extension'}, gridEnabled=false, environment=Environment{{}}, sasServicesUrl=SASServicesUrl{url=http://myserver.example.org:80/}, consulUrl=ConsulUrl{url=http://localhost:8500}, vaultUrl=VaultUrl{url=https://localhost:8200}, sslEnabled=false, sslCAList='null', sslCertificate='null', sslPrivateKey='null', spn=ServicePrincipalName{value='sas-launcher/myserver.example.org'}} cause=Failed to connect to server.
2019-11-16 15:00:23.340 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [63fb96197eb751c9] com.sas.commons.rest.exceptions.ResourceException: Failed to launch process.
2019-11-16 15:00:23.340 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [63fb96197eb751c9] caused by: com.sas.launcher.tklauncher.ClientException: Failed to launch process: host=myserver.example.org port=33618 ssl=false
2019-11-16 15:00:23.340 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [63fb96197eb751c9] caused by: com.sas.launcher.tklauncher.ClientException: Failed to connect to server.
2019-11-16 15:00:23.340 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [63fb96197eb751c9] caused by: com.sas.launcher.error.LauncherRuntimeException: Kerberos handshake error.
2019-11-16 15:00:23.340 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [63fb96197eb751c9] caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
2019-11-16 15:00:23.340 ERROR 48112 --- [o-auto-1-exec-4] com.sas.commons.rest.ExceptionLog : sasdemo(8accc580) [63fb96197eb751c9] caused by: sun.security.krb5.internal.KrbApErrException: Fail to create credential. (63) - No service creds Do you have an idea what is wrong? Bart
... View more