SAS & IWA: Reviewing SPNs

My last post was about configuring additional Service Principal Names (SPNs) in Active Directory to support the use of Integrated Windows Authentication (IWA) in a SAS® platform installation that uses host name aliases in preference to physical host names.

When working on a SAS & IWA setup like this, I’d start by reviewing the currently registered SPNs for all of the SAS servers involved (as well as any other servers that might be accessed from a SAS server using IWA). This gives an idea of what SPNs might have already been added, which ones still need to be added, and potentially which ones might need to be removed.

This is the command I use (with sample output) to view all of the currently defined SAS-related SPNs on each server machine in turn (in this example p106548 is the physical host name). You don’t need to be a domain admin to run this command.

C:\> setspn -l p106548 | find "SAS/" | sort
SAS/P106548
SAS/P106548.example.com
SAS/P106548.example.com:7551
SAS/P106548.example.com:8561
SAS/P106548.example.com:8581
SAS/P106548.example.com:8591
SAS/P106548:7551
SAS/P106548:8561
SAS/P106548:8581
SAS/P106548:8591

I find that sorting the results makes it easier to spot holes where additional SPNs might be needed and SPNs that stick out due to typos. The sorted output can also be readily copied & pasted into documentation as the basis of new commands to add the new SPNs based on the host name aliases.
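The same review can be scripted. The PowerShell below is an added example, not part of the original post: it flags holes (a port registered under only one of the short and fully qualified names) and SAS SPNs whose host part matches neither name. The function name Get-SpnReview, the sample lines and the rule that every port should appear under both names are assumptions made for the illustration.

```powershell
# Constructed sample (not real output): sorted SAS SPNs for one host, with one
# FQDN entry left out and one mistyped host name so both checks have work to do.
$sample = @(
    'SAS/P106548'
    'SAS/P106548.example.com'
    'SAS/P106548.example.com:7551'
    'SAS/P106548.example.com:8561'
    'SAS/P106548.example.com:8591'
    'SAS/P106548:7551'
    'SAS/P106548:8561'
    'SAS/P106548:8581'
    'SAS/P106548:8591'
    'SAS/P106584:8561'
)

# Hypothetical helper: compares the listed SPNs against the two expected host forms.
function Get-SpnReview {
    param([string[]]$Lines, [string]$ShortName, [string]$Fqdn)
    $expectedHosts = @($ShortName, $Fqdn)
    $seen = @{}; $ports = @{}; $unexpected = @()
    foreach ($line in $Lines) {
        if ($line.Trim() -match '^SAS/([^:/\s]+)(?::(\d+))?$') {
            $hostPart = $Matches[1]
            $port = [string]$Matches[2]            # '' when the SPN has no port
            if ($expectedHosts -contains $hostPart) {   # -contains ignores case
                $seen["$hostPart|$port"] = $true
                $ports[$port] = $true
            } else {
                $unexpected += $line.Trim()        # likely typo or leftover entry
            }
        }
    }
    # Every port form seen for one host name should exist for the other as well.
    $missing = foreach ($port in ($ports.Keys | Sort-Object)) {
        foreach ($name in $expectedHosts) {
            if (-not $seen.ContainsKey("$name|$port")) {
                if ($port) { "SAS/${name}:$port" } else { "SAS/$name" }
            }
        }
    }
    [pscustomobject]@{ Missing = @($missing); Unexpected = $unexpected }
}

$review = Get-SpnReview -Lines $sample -ShortName 'P106548' -Fqdn 'P106548.example.com'
'Missing:';    $review.Missing
'Unexpected:'; $review.Unexpected
```

To review a live server, pass the lines returned by the setspn command shown above in place of $sample.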

For more posts in this series have a look at the IWA tag.
