SAS and IWA (Integrated Windows Authentication) Notes

Over the past year I have worked on a number of SAS® 9.2 platform installations helping to get Integrated Windows Authentication (IWA) working nicely for single sign-on (SSO) for the SAS platform.

Whilst it’s relatively easy to turn IWA on, it can get a bit trickier when you try to go a bit further than the initial connection. Some of the situations I have encountered and resolved along the way have included:

  • SAS Enterprise Guide clients using IWA and running projects on SAS Workspace Servers accessing files from other servers using UNC paths (e.g. \\server\share\file.csv). This required configuring the workspace server machine as trusted for delegation and forcing the use of Kerberos.
  • SAS Enterprise Guide clients using IWA and running projects on a SAS Workspace Server accessing a further SQL Server database using OLEDB and IWA. This also required trusted for delegation and Kerberos as well as options on the OLEDB library definition.
  • Using a SAS Workspace Server to access a further SQL Server database using ODBC and IWA.
  • All of the above where all of the connections were made using host name aliases (DNS CNAMEs) rather than the physical machine names to support transparent disaster recovery switch-over. This involved adding additional host name alias based SPNs for seamless IWA.
  • Scheduled deployed SAS Data Integration jobs run using Operating System services running as the local system account getting IWA access to a SQL Server database running with a specific service account and not the local system account.
  • IWA access to the SAS PC Files Server.

Getting all the stars aligned and making sure IWA is available and used in as many situations as possible can require a few additional steps. Testing and confirming that IWA Kerberos connections were actually being made rather than cached-credential based connections required careful attention to SAS log messages.

Along the way I’ve gathered a few notes and tips and was working on compiling a single blog post so I would have ready access to the information for next time. After a while it became clear this blog post was going to be a monster and so I’ve decided to break it up into a series of smaller more focused posts on specific topics. This will make it more manageable and I can then post them individually as I complete them.

The topics I’m planning on posting about include:

  • Forcing the use of Kerberos.
  • Making intermediate servers Trusted for Delegation.
  • Using AdExplorer to confirm Trusted for Delegation status.
  • Accessing SQL Server databases using SAS/Access Interface to OLEDB and IWA.
  • Accessing SQL Server databases using SAS/Access Interface to ODBC and IWA.
  • SPN requirements for accessing a SQL Server database running as a non-local-system account.
  • Additional SPN requirements for seamless IWA connections when using host name alias based connections to SAS servers for disaster recovery configurations.

Perhaps this can be one of my New Year’s resolutions? Time to get started on the first one.

Please let me know if any of these topics are of particular interest to you, or maybe if you have any other scenarios that you have encountered in your quest for SAS and IWA harmony. In the meantime I hope you all have a great 2012!

6 thoughts on “SAS and IWA (Integrated Windows Authentication) Notes”

  1. Hey Paul,
    Sounds very interesting. I’m going to set up a Lab with multiple virtual machines using ONE Directory Service (AD) for users, groups (me lazy dog me) and want to use Kerberos, coz I also want to play with a Unix machine as well. So I just can’t wait to get my fingers on it. Which reminds me. I see you use Ubuntu. I for myself love Ubuntu and I like the Ubuntu Server as well, but I got shouted at from different directions why not using CentOS as the free Red Hat Server.
    What do you think is the most usable Linux derivative for SAS? (HP-UX, AIX etc. the classical commercial Unix excluded)
    Best Regards,
    Normen

  2. Hi Normen,

    Thanks for your message.

    With respect to SAS software on Linux I would recommend sticking with the Linux distros and versions that are officially supported by SAS Institute, especially when it’s an installation that is, or might turn into a production platform and/or you might need support from SAS Institute during installation or thereafter. The supported platforms are listed in the following document available from the SAS support site: System Requirements for SAS® 9.3 Foundation for Linux for x64

    That document states that:

    SAS is supported on the following operation systems:
    * Red Hat Enterprise Linux 5 update 4 and Red Hat Enterprise Linux 6
    * SuSE Linux Enterprise Server 10 SP3 and 11

    There’s also the more general Supported UNIX Operating Environments page with a matrix of other UNIX platforms, SAS versions and tiers.

    Regarding other distros such as CentOS and Ubuntu there’s SAS Installation Note 43233: Statement of support for CentOS, Ubuntu, and other alternative distributions of Linux that points to the SAS Support for Alternative Operating Systems page. It in turn provides a list of things to consider with regards to support if you decide to go down that route. By my reading it sounds like SAS Institute will do their best to help you where they can, but if it’s a difficult problem that appears as though it might be specific to that unsupported platform you might be left with the unenviable task of re-installing your SAS platform on one of the supported distros to get further support. It certainly sounds more sensible to start out on a supported platform in the first place if you think you might ever need support from SAS Institute – which in my opinion would be an essential requirement for any serious production level installation (i.e. anything that’s not a throwaway environment for development, investigation or learning purposes).

    Having said that if the installation is for development, investigation and/or learning purposes, and there’s no requirement for support then it’s definitely possible to install and run SAS on other Linux distros. You will probably run into a few difficulties along the way but there are a number of blog and forum posts around that can help you overcome some of the minor issues you might encounter.

    Personally I use Ubuntu because I’ve been using it for quite a while on both the server and the desktop and so that’s what I know best and I haven’t needed any support from SAS as yet. If I find myself in the position that I do need support and need to switch platforms then as a development platform it would be relatively easy for me to move our SAS installation over to RHEL or SuSE.

    I’ve used a few different distros over the years. I worked my way through Slackware, Red Hat, Fedora and Gentoo for a while before I ended up with Ubuntu. Lately I’ve been slightly disillusioned with Ubuntu and have tinkered a bit with others like Arch. That said I’ll probably stick with Ubuntu as a server platform for a while longer mainly because of the amount of time I’ve already invested in it. I wouldn’t necessarily recommend Ubuntu over any other Linux distros – it depends what you want it for. When I chose it a while back it was because it got updated regularly, had easy updates/upgrades (from its Debian roots), extensive repositories and huge community support. Other people’s requirements might be different though. Some might know other distros better, can readily find others with skills to help, and maybe need the availability of commercial support from the vendor.

    I don’t actually run Ubuntu on the desktop anymore. About a month ago I switched from Ubuntu to Mac OS X. I realised I was spending way too much time just keeping Ubuntu working on my laptop and needed to free up that time. Whilst I find Linux is a great server platform for me, I have always found Linux on laptops a bit troublesome with lots of my time spent resolving issues with graphics cards, suspend/resume, wifi etc. In the past I liked the challenge but now I need the time so I thought it was time to give the Mac another go.

    BTW since you are looking at including a Linux server in the mix, I guess you’re already aware that to incorporate IWA support for SAS 9.3 servers on UNIX platforms some additional 3rd party software is required. This is documented in the SAS® 9.3 Intelligence Platform: Security Administration Guide under Integrated Windows Authentication where it states:

    In order to use IWA on UNIX, you must purchase, install, and configure an additional third-party product (Quest Authentication Services 4.0).

    There’s also some more detailed info in chapter 4 of the Configuration Guide for SAS 9.3 Foundation for UNIX Environments.

    Cheers
    Paul

  3. Hi Paul,

    You mentioned early on that setting up IWA wasn’t too difficult. Can you point me to documentation that describes this setup?

    Thanks,

    Wayne

  4. Hi Paul,

    Can you go into detail re:

    All of the above where all of the connections were made using host name aliases (DNS CNAMEs) rather than the physical machine names to support transparent disaster recovery switch-over. This involved adding additional host name alias based SPNs for seamless IWA.

    IWA works fine from our Windows XP desktop machines to the Metadata Server/Workspace Server running on Windows Server 2008 Enterprise, using a DNS alias (CNAME) in the EG profile.

    But, I just installed EG 5.1 on the server as well, for those times when we RDP into the server and need EG (usually remote access from home). In that scenario, with EG on the server, IWA fails when I used the DNS alias. The workaround was to specify the actual machine name, which did work.

    It’s not a biggie, but I’m wondering about the details of “adding additional host name alias based SPNs”.

    Cheers,
    Scott

  5. Hi Scott,

    I’m just about to get on a plane to SASGF13, but have a read of the following additional posts in that series and see if they help you resolve your issue:

    SAS & IWA: Host Name Aliases and SPNs. http://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-host-name-aliases-spns/

    SAS & IWA: Reviewing SPNs http://platformadmin.com/blogs/paul/2012/04/sas-and-iwa-reviewing-spns/

    … otherwise drop me a line and we can discuss further.

    BTW there’s a great paper about IWA and Kerberos at SASGF13 and it’s already available online.

    SAS Global Forum 2013 Paper 476-2013 by Stuart J Rogers: Kerberos and SAS® 9.4: A Three-Headed Solution for Authentication http://support.sas.com/resources/papers/proceedings13/476-2013.pdf

    … I’m hoping to see it in person myself next week.

    I’ll give you a call when I get back. I’ll be in Sydney for a few days in early May.

    Cheers
    Paul
