SAS and IWA: Two Hops – platformadmin.com

Update 26Sep2018: This post is now several years old and naturally technology and security have progressed in that time. For more up to date information regarding delegation and, in particular, the requirement for constrained delegation when working with Windows Defender Credential Guard in Windows 10 and Windows Server 2016, please see Stuart Rogers’ very useful SAS Global Forum 2018 Paper: SAS 9.4 on Microsoft Windows: Unleashing Kerberos on Apache Hadoop.

In an earlier post I mentioned that I would jot down a few notes about my experiences with SAS® software and Integrated Windows Authentication (IWA). This is the first of these posts and concerns the initial configuration. Chances are, if you knew you wanted to use IWA before you installed SAS, then it would have been discussed and implemented during the initial installation and configuration. If you decided to implement IWA after the fact then you would most likely have followed the instructions from either:

A basic SAS and IWA configuration might then look something like this. In the diagram below we have a client PC (saspc001), a dedicated metadata server machine (sasmeta) and an application server machine (sasapp). This is a homogenous environment consisting of all Windows machines in the same Windows domain. Other configurations might have multiple domains that trust each other, and now with SAS 9.3, some of the SAS servers may also be UNIX based (assuming the prerequisites are met).

In the diagram above a SAS Enterprise Guide user working on the saspc001 workstation initially connects (1) to the SAS Metadata Server on sasmeta using a connection profile with IWA enabled. When they run a project, an IWA connection (2) is then made to the SAS Object Spawner on sasapp to launch a standard SAS Workspace Server to execute the SAS code. The logical SAS Workspace Server has been configured in metadata to accept IWA connections. Both of these IWA connections involve only 1-hop from the workstation: saspc001 to sasmeta, and saspc001 to sasapp.

Problems might then arise when secondary connections need to be made from the workspace server to additional servers and access denied errors are seen in the SAS log. One example of a secondary connection includes executing code on the workspace server that reads a CSV or XML file from another file server (filesrv) using a UNC path (e.g. \\filesrv\share\file.xml). Another example might be assigning a library in the workspace server session that uses SAS/ACCESS Interface to ODBC or SAS/ACCESS Interface to OLEDB to connect to a Microsoft SQL Server database on another server (sqlsrv). These examples are shown in the diagram below as (3) and (4) respectively.

Both of these example involve IWA being used in 2-hops from the client. In the first hop (2) IWA is used to connect from saspc001 to sasapp as before. In the second hops the SAS workspace server process has to then connect and authenticate to the secondary servers: sasapp to filesrv (3), and sasapp to sqlsrv (4). It is these second hops which may fail if additional measures have not been taken:

Trusted for Delegation: the intermediate server (sasapp in this example – where the workspace server is running) needs to configured in Active Directory as Trusted for Delegation. This must be done by a domain admin. This configuration is mentioned in the SAS Intelligence Platform: Security Administration Guide on the Windows Privileges page for both SAS 9.2 and SAS 9.3. In a future post I’ll show the method I use as a non-domain-admin to double check this as part of the troubleshooting process.
Force Kerberos: you also need to ensure the Kerberos protocol is used and not NTLM. Whilst you could get all of your users to configure their SAS client connection profiles to use Kerberos, it is usually preferable to leave the clients alone and instead configure the SAS servers to only offer Kerberos and not NTLM. This is documented in the in the SAS Intelligence Platform: Security Administration Guide on the How to Force Use of Kerberos page for SAS 9.2, and the How to Configure Integrated Windows Authentication page for SAS 9.3. Things can get a bit trickier when DNS host aliases (or CNAMEs) are used in environments configured for disaster recovery. In a future post I’ll show some examples of additional Service Principal Names (SPNs) that might be required in these situations.

So if you find yourself getting access denied messages when using SAS and IWA in situations where multiple hops are involved, I hope this post gives you some ideas of things to investigate further.

For more posts in this series have a look at the IWA tag.

7 thoughts on “SAS and IWA: Two Hops”

I completely missed this post! I implemented this at a client one time and slowly got through these challenges. I wish I had this article at the time so I could have all of these details in one place! The biggest help for me was having a good security administration onsite to help with the Active Directory configuration.

Thanks for your comment Steve. That’s a great point you make too. Having a good relationship with the AD guys really helps a SAS platform admin with configuring IWA and also with identity synchronization too.

Great article. Does the SQL server need to know an spn for the workspace server session requesting access?

Thanks Victor. The connection is initiated from the SAS Workspace Server so depending on the connection parameters used, in some instances, you may need to add an additional SPN in AD for the SQL Server instance. I have done this in the past and I think it might also have been an instance where SQL Server was running using a dedicated service account. I’ll try to dig up my notes and add another blog post about it.

Thank you Paul!

Thanks Paul. Agree with Steve Overton about all details in one spot. Experiencing same situation at client site with EG 6.1 and LIBNAME w/ODBC connecting through SAS 9.4 to MS SQL server database. Been through all Platform 9.4 Security Admin doc and SAS support. Things are locked down here and currently working with NetOps sysadmin to try and resolve.

Thanks Gary. I hope it helps you resolve your situation.

Steve Overton says:

30 June 2012 at 00:40

I completely missed this post! I implemented this at a client one time and slowly got through these challenges. I wish I had this article at the time so I could have all of these details in one place! The biggest help for me was having a good security administration onsite to help with the Active Directory configuration.
Paul Homes says:

30 June 2012 at 11:38

Thanks for your comment Steve. That’s a great point you make too. Having a good relationship with the AD guys really helps a SAS platform admin with configuring IWA and also with identity synchronization too.
Victor says:

13 December 2012 at 16:38

Great article. Does the SQL server need to know an spn for the workspace server session requesting access?
Paul Homes says:

13 December 2012 at 19:12

Thanks Victor. The connection is initiated from the SAS Workspace Server so depending on the connection parameters used, in some instances, you may need to add an additional SPN in AD for the SQL Server instance. I have done this in the past and I think it might also have been an instance where SQL Server was running using a dedicated service account. I’ll try to dig up my notes and add another blog post about it.
Victor says:

6 January 2013 at 02:50

Thank you Paul!
Gary Krynicki says:

9 January 2014 at 23:51

Thanks Paul. Agree with Steve Overton about all details in one spot. Experiencing same situation at client site with EG 6.1 and LIBNAME w/ODBC connecting through SAS 9.4 to MS SQL server database. Been through all Platform 9.4 Security Admin doc and SAS support. Things are locked down here and currently working with NetOps sysadmin to try and resolve.
Paul Homes says:

10 January 2014 at 05:21

Thanks Gary. I hope it helps you resolve your situation.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

7 thoughts on “SAS and IWA: Two Hops”

Leave a Reply