Hello SAS folks,
A few customers at my client location are experiencing issues while logging into SAS Studio. The way it works is, if the user logs first into IE (after desktop bootup) and then Chrome/Edge, the experience is seamless. But if the user logs first into Chrome/Edge (after desktop bootup), then he gets this error:
"Connection Error to Workspace: Unable to connect to the current workspace server. Select a different workspace error. org.springframework.web.client. Http client error exception: 400 bad request."
and sometimes this error:
"Connection Error to Workspace: the native implementation for the security package could not be found in this path".
Even after logging using the correct sequence, the user is complaining of involuntary timeout sessions after 4-5 hours.
Troubleshooting done so far -
1. Clear the browser cache and reattempt to login to SAS Studio
2. Clear the browse cache, reboot desktop and reattempt to login to SAS Studio
3. Add registry entries for Chrome/Edge to delegate user authentication and authorize SPNEGO as per this SAS article
https://documentation.sas.com/?cdcId=bicdc&cdcVersion=9.4&docsetId=bimtag&docsetTarget=p1871e69gmwdr0n1o182krslc10p.htm&locale=en
4. Change settings for firefox browser as per the article mentioned in #3.
5. Uninstall chrome/edge and reinstall browsers
did not help.
These steps were also done in order to ensure metadata privileges were correct
6. User was added to 2 SAS Studio related groups (SAS Studio usage and SAS report consumer roles).
These steps were also done as mentioned in the article in #3.
7. Verify that there is a mapping already configured:
setspn -F -Q HTTP/hostname.example.com
8.Verify that Kerberos authentication succeeds. Use the kinit command that is provided in the SASHOME\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin directory on Windows and in the /usr/bin directory on UNIX systems.
kinit -k —t keytab-filename-and-path.keytab
user-principal-name -J-Djava.security.krb5.conf=
path-to-Kerberos-file.conf
We opened a SAS support ticket but they kept going back to the link in #3.
i also tried to 1) restart object spawner and 2) clear spawner credentials cache using SAS MC but to no avail
I wanted to see if my client already installed hotfixes A4R004pt but the viewregistry file (in deploymentreg folder) will not run (for some reason) either from the command prompt or manually.
I ran the code (shared by @kalindpatel) from this thread https://communities.sas.com/t5/Administration-and-Deployment/Find-all-User-Accounts-with-an-Internal-Account-Defined/td-p/316867
but it did not return any internal services account (sassvcs@saspw). I only saw sastrust@saspw, webanon@saspw, sasadm@saspw,sasevs@saspw among others . I am scratching my head as to how the existing users were using SAS Studio previously.
The OS is Windows NT 2012 R2 Standard. Metadata, compute and midtier are on 3 separate servers. SAS is v9.4m3 and sas studio is v3.6. When I peeked under the hood on the Windows servers,I did check for two things -
1. Which of the groups/accounts/users need to be allowed to 'log on as a batch user' privileges?
2. Which of the groups/accounts/users need to be listed in the Windows NT Users?
Could someone list the correct scheme for the above 2 questions regarding user privileges?
... View more