Hi!
I am trying to set up Integrated Windows Authentication. The environment has three Linux servers: Mid-tier/Metadata, SASApp and SASApp_VA (9.4_M6).
I have set up AD (Win srv 2019) and PAM authentication (sssd, Kerberos) for AD users on the Linux servers.
I have followed the instructions from https://platformadmin.com/blogs/paul/2015/02/sas-mid-tier-linux-iwa-fallback-config-notes/, https://support.sas.com/resources/papers/proceedings16/SAS3443-2016.pdf plus several other community posts and documents. The goal is to use IWA with VisualAnalytics with fallback. But as it is a bit tricky, it would be logical to go step by step, meaning SMC and EG at first, and web later (plus the ABM/CPM we have).
With the regular login procedure everything works fine. Then I created keytab files for the servers, added the SPN for the user accounts meant for the IWA service, and modified the level_env_usermods.sh files.
Logging in to SMC and EG with IWA looks promising. Even browsing servers from EG and running simple commands (proc setinit;) works. SMC also looks fine, but when trying to validate Server Manager -> SASApp (or SASApp_VA) -> SASApp - Logical Workspace Server, it doesn't do anything. When clicking with the right mouse button, the cursor changes to the waiting circle and no menu appears. So it doesn't validate the Workspace Server. I have tried to debug the Workspace Server, Object Spawner and Metadata (logconfig.trace.xml) but nothing special shows up.
When using a profile with manually entered credentials, it asks for credentials for validation:
So we have two issues.
1) Is it possible to set up a fallback for SMC when IWA is broken (this means, when I have logged in to SMC, it can validate the Workspace Server with current non-IWA credentials), and
2) Why doesn't it validate the Workspace Server when using IWA?
Concentrating on the 2nd issue, it looks like I haven't configured the Workspace Server correctly for IWA, but I can't find anything I missed.
AD / PAM / krb (default_ccache_name = FILE:/tmp/krb5cc_%{uid}) / SPN - check
keytab files created - check
level_env_usermods.sh - check (after this step IWA for SMC and EG works)
Server Manager -> SASApp -> SASApp - Logical Workspace Server -> (properties) -> Options tab -> Authentication service (-> host) and Security package (-> Kerberos) are selected - check
According to https://communities.sas.com/t5/SAS-Communities-Library/How-to-generate-a-Kerberos-ticket-when-you-log-in-to-SAS-Studio/ta-p/587573 the Workspace Server should know the user's Kerberos ticket file. So the 5th step is also done. Also %put KRB5CCNAME: %sysget(KRB5CCNAME); shows keytab file and looks good. Step 2 was the default in my environment (PAM_SETCREDENTIALS=TRUE) but it also didn't change anything (is it necessary?).
What else? What am I missing? I'd much appreciate any hint.
I'm afraid there's no point in moving on with web IWA until validating the Workspace Server works fine.
Thanks!
Priit L