When testing Integrated Windows Authentication (IWA) based client connections to SAS® platform servers, it is well worth checking the SAS logs to verify the connections are being made the way you expect. SAS has a variety of methods up its sleeve to get you authenticated, including cached credentials, retrieving stored credentials from metadata, SAS token authentication, etc. Looking in the SAS server logs will help you identify the connection/authentication events and methods used. In the past I’ve thought I was using IWA+Kerberos but when I looked in the log it was obvious I wasn’t! I think it’s essential when testing/troubleshooting a new IWA configuration to review the SAS server logs for both failed and successful connections.
In a previous post “SAS and IWA: Two Hops” I mentioned how sometimes it’s necessary to force the use of Kerberos with IWA to be able to make IWA delegated connections to secondary servers. So here are some examples of what we might see in SAS server logs to confirm IWA+Kerberos connections.
First, an example SAS metadata server log fragment for an IWA+Kerberos connection to a SAS metadata server from the sasdemo account (using SAS Enterprise Guide perhaps):
2012-06-27T09:29:16,802 INFO  :SYSTEM@SASMETA - IWA context established using Kerberos package.
2012-06-27T09:29:16,802 INFO  :sasdemo@MYDOMAIN - New client connection (684) accepted from server port 8563 for IWA user sasdemo@MYDOMAIN. Encryption level is Credentials using encryption algorithm SASPROPRIETARY. Peer IP address and port are [::ffff:192.168.120.34]:1411.
I’ve highlighted in bold the main keywords I look for.
After the initial connection to the metadata server, you might then need to get an IWA+Kerberos connection to a SAS Object Spawner to launch a suitably configured SAS Workspace Server (perhaps to run a SAS Enterprise Guide project). Here’s an example log fragment from the object spawner log for one of those connections:
2012-06-27T09:34:18,115 INFO  SYSTEM@SASCOMP - IWA context established using Kerberos package.
2012-06-27T09:34:18,115 INFO  sasdemo@MYDOMAIN - New client connection (8) accepted from server port 8593 for IWA user sasdemo@DOMAIN. Encryption level is Credentials using encryption algorithm SASProprietary. Peer IP address and port are [::ffff:192.168.120.34]:3988.
2012-06-27T09:34:18,928 INFO  sasdemo@MYDOMAIN - Created process 6376 for user sasdemo@MYDOMAIN (child id 0).
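To run the same check over a whole log rather than by eye, here is a small script added as an example (it is not part of the original post and not SAS code). It pairs each "IWA context established" line with the connection line that follows it and lists every connection that was not IWA+Kerberos; the pairing rule, the optional "IWA" before "user", and the last two sample lines (an NTLM package and a peer address) are assumptions constructed for the example.

```python
import re

# Layout seen in the fragments above: timestamp, level, identity, " - ", message.
LINE = re.compile(r"^(\S+)\s+(\w+)\s+:?(\S+) - (.*)$")
CONTEXT = re.compile(r"IWA context established using (\S+) package")
# Assumption: a connection that did not use IWA lacks the word "IWA" before "user".
CONNECT = re.compile(
    r"New client connection \((\d+)\) accepted from server port (\d+) "
    r"for (IWA )?user (\S+?)\.\s.*Peer IP address and port are (\S+?)\.?$"
)

def connections(lines):
    """One record per accepted connection, with the IWA package that preceded it.

    Assumption: the context line is logged directly before its connection line,
    as in both fragments above.
    """
    records, pending = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _level, _identity, msg = m.groups()
        ctx = CONTEXT.search(msg)
        if ctx:
            pending = ctx.group(1)  # package name, e.g. "Kerberos"
            continue
        con = CONNECT.search(msg)
        if con:
            _id, port, iwa, user, peer = con.groups()
            records.append({"time": ts, "user": user, "port": int(port),
                            "peer": peer, "package": pending if iwa else None})
            pending = None
    return records

def not_kerberos(records):
    """Connections that were not established with IWA + Kerberos."""
    return [r for r in records if r["package"] != "Kerberos"]

SAMPLE = [
    # First two lines: the metadata server fragment from this post.
    "2012-06-27T09:29:16,802 INFO  :SYSTEM@SASMETA - IWA context established using Kerberos package.",
    "2012-06-27T09:29:16,802 INFO  :sasdemo@MYDOMAIN - New client connection (684) accepted from server port 8563 for IWA user sasdemo@MYDOMAIN. Encryption level is Credentials using encryption algorithm SASPROPRIETARY. Peer IP address and port are [::ffff:192.168.120.34]:1411.",
    # Last two lines: constructed for this example (NTLM package, peer address).
    "2012-06-27T09:41:02,310 INFO  :SYSTEM@SASMETA - IWA context established using NTLM package.",
    "2012-06-27T09:41:02,310 INFO  :sasdemo@MYDOMAIN - New client connection (685) accepted from server port 8563 for IWA user sasdemo@MYDOMAIN. Encryption level is Credentials using encryption algorithm SASPROPRIETARY. Peer IP address and port are [::ffff:192.0.2.10]:1502.",
]

if __name__ == "__main__":
    for r in not_kerberos(connections(SAMPLE)):
        print(r["time"], r["user"], r["port"], r["peer"], r["package"])
```

To use it on a real log, pass the open file to `connections()` in place of `SAMPLE`.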
Checking the SAS logs is always a good idea when trying a new configuration, even when things are working, because even though it works, it might not be working quite the way you expect. The SAS log is your friend (a very straight-talking honest one). :)
For more posts in this series have a look at the IWA tag.