Yesterday I wrote a post about configuring a SAS® 9.4 M2 installation on Linux for Integrated Windows Authentication (IWA) with mid-tier fallback form-based authentication to handle situations where IWA was not available or was disabled. I also repeated this configuration with a SAS Visual Analytics 7.1 installation (based on SAS 9.4 M2). This means that domain users within an organisation, who can participate in IWA, can simply open a browser, navigate to SAS Visual Analytics, and be logged in automatically using their Windows login. Other users without a domain account, on a machine that is not in the domain, or who have deliberately disabled IWA in their browser, will see the familiar SAS Logon Manager login form where they can manually provide a user id and password.
One of the other reasons I built this configuration was to find out what happened with SAS Visual Analytics Guest Access in an IWA fallback configuration like this. Essentially, I wanted to find out if I could get maximum flexibility by supporting IWA users, form-based authentication users, and guest/anonymous access all at the same time.
One of the reasons I wanted to test this was a reference I remembered seeing in the SAS documentation. The Web Authentication section of the SAS 9.4 Intelligence Platform: Security Administration Guide, Second Edition, lists one of the limits of Web Authentication as “Not compatible with anonymous access”. This is also repeated in the PUBLIC Access and Anonymous Access section too.
It makes sense that anonymous access is not compatible with web authentication in a standard non-fallback configuration. If authentication is automatic and it fails then access is denied. An IWA fallback configuration is slightly different though – you have a choice whether to do web authentication or SAS authentication (e.g. IWA or non-IWA). If you choose SAS authentication then perhaps anonymous access might still be available as an option. I decided to test it out.
I ran 4 test scenarios to see how they were handled in an IWA with fallback configuration:
Continue reading “SAS Visual Analytics Guest Access with IWA Fallback”
I’ve just finished a challenging but very rewarding experience configuring a SAS 9.4 M2 platform on Linux to use Integrated Windows Authentication (IWA), for both server and mid-tiers ….. without using Quest Authentication Services.
The SAS platform has supported IWA on Linux since SAS 9.3 but until recently has only supported it when you “purchase, install, and configure an additional third-party product (Quest Authentication Services 4.0)”.
I’ve been wanted to do a SAS + Linux + IWA config for a while but had put it off because of the Quest requirement. What brought it back to the front of my mind was talking to someone recently about implementing IWA for a SAS Visual Analytics installation on Linux. They wanted to provide seamless login via IWA for most users, but also provide form-based logins for people who couldn’t use IWA.
I remembered seeing this section from the What’s New in SAS 9.4 (SAS 9.4 Intelligence Platform):
In the second maintenance release for SAS 9.4, Integrated Windows Authentication on Linux systems no longer requires the use of Quest Authentication Services. SAS can leverage the libraries that are shipped with the supported operating system or that are provided in most third-party authentication solutions.
It sounded like SAS 9.4 M2 would allow me to build such a config, without using Quest, and use the standard Linux libgssapi_krb5 package instead. At the same time I also remembered reading a great SAS Global Forum paper by Zhiyong Li on mid-tier fallback authentication: this is where you can configure the SAS mid-tier to fallback to form-based authentication in situations where IWA is not available or has been disabled (like you might do when you want to login using a different second identity). These both sounded like great challenges [ and fun :) ], so I set about confirming my understanding of these possibilities with SAS 9.4 M2 by doing both at the same time.
After a few days of research, implementation, testing and debugging, I finalized the config last night. I got quite a buzz out of some of the mind-bending troubleshooting sessions and it was a very rewarding outcome. Other than a few relatively minor issues to resolve, it is all working very well now.
If I get some time I’ll try to write up a few blog posts with more detail on the steps, issues, troubleshooting techniques and resolutions. In the meantime here’s an outline of the approach I took:
Continue reading “IWA with SAS 9.4 M2 on Linux”
This is a follow-up to my prior post on Getting SAS® Software running on Arch Linux 64-bit. In my quest for a new Linux distro the next stop was CrunchBang Linux. I like the look of CrunchBang because it’s lightweight, based on Debian, and uses Openbox by default. Being Debian based, like Ubuntu, I get to re-use the knowledge I gained from using Ubuntu over the last few years (it’s hard not to automatically type apt-get whenever I want to install something!). CrunchBang is not a rolling release distro like Arch or Gentoo but it’s other attributes make it well worth a look. I’ve seen a disclaimer on the web site where they say it “… could possibly make your computer go CRUNCH! BANG!” but from everything else I’ve read it sounds pretty stable. Anyway, I like my (own) computers to go crunch bang every now and then – it’s a great opportunity to learn something new ;)
I installed the CrunchBang 11 “Waldorf” 64-bit testing image in a multi-boot configuration, alongside Arch and Ubuntu, to test it with our existing SAS deployments. These are the steps I needed to take to get the existing SAS software installation running on CrunchBang 64-bit. As with Arch, no changes were needed to the SAS deployments, it just required a few minor changes and additional libraries for the CrunchBang installation.
After CrunchBang had been installed and I’d mounted the SAS installation volume, I tried to run SAS 9.3 M2 first and got the following error: Continue reading “Getting SAS Software running on CrunchBang Linux 64-bit”
Recently, I’ve been looking to switch from Ubuntu to an alternative distro as the primary Linux platform for our Metacoda development/testing environments, where we also run SAS® software. I’ve run quite a few distros in my time including Slackware, RedHat (pre-Fedora), Fedora, Gentoo & Ubuntu. Ideally I’d like something lighter and perhaps a rolling release too: lighter, so more resources go to SAS; rolling release, because given the choice I prefer regular small upgrades to occasional big upgrades. One of the potential candidates is Arch Linux and so I’ve recently installed it, in a multi-boot configuration with the existing Ubuntu installation, to test it with our existing SAS installations. This is one of the things I love about running SAS on Linux. The SAS software gets installed and configured once and the underlying operating system can be completely upgraded or replaced without having to re-install SAS. It might just take the installation of a few libraries to get everything working again but that’s not much compared to the effort of re-installing and configuring our SAS 9.3 M2, SAS 9.3 M0, SAS 9.2 and SAS 9.1.3 SP4 dev/test environments.
These are the steps I needed to take to get the existing SAS software installation running on Arch Linux 64-bit. No changes were needed to the SAS deployments, it just required a few additional libraries to be added to the Arch installation. If you’re wondering why several SAS versions?, it’s because we need to test our Metacoda software with each of them. The SAS 9.3 and 9.2 installations are 64-bit and the older SAS 9.1.3 installation is 32-bit (so takes a bit more work).
SAS 9.3 (and 9.2)
After Arch had been installed and I’d mounted the SAS installation volume, I tried to run SAS 9.3 M2 first and got the following error: Continue reading “Getting SAS Software running on Arch Linux 64-bit”
Whilst troubleshooting why my SAS 9.3 Framework Data Server wasn’t starting I discovered that, unlike Foundation SAS where the license (a.k.a. SID or setinit) is applied once a year, the SAS Framework Data Server requires the presence of a setinit.sas during every start up. Mine had been deleted. I’m not 100% sure how that came to be but I suspect it was probably one of two things: Continue reading “SAS 9.3 Framework Data Server (and the missing license)”