Yesterday I wrote a post about configuring a SAS® 9.4 M2 installation on Linux for Integrated Windows Authentication (IWA) with mid-tier fallback form-based authentication to handle situations where IWA was not available or was disabled. I also repeated this configuration with a SAS Visual Analytics 7.1 installation (based on SAS 9.4 M2). This means that domain users within an organisation, who can participate in IWA, can simply open a browser, navigate to SAS Visual Analytics, and be logged in automatically using their Windows login. Other users without a domain account, on a machine that is not in the domain, or who have deliberately disabled IWA in their browser, will see the familiar SAS Logon Manager login form where they can manually provide a user id and password.
One of the other reasons I built this configuration was to find out what happened with SAS Visual Analytics Guest Access in an IWA fallback configuration like this. Essentially, I wanted to find out if I could get maximum flexibility by supporting IWA users, form-based authentication users, and guest/anonymous access all at the same time.
One of the reasons I wanted to test this was a reference I remembered seeing in the SAS documentation. The Web Authentication section of the SAS 9.4 Intelligence Platform: Security Administration Guide, Second Edition, lists one of the limits of Web Authentication as “Not compatible with anonymous access”. This is also repeated in the PUBLIC Access and Anonymous Access section too.
It makes sense that anonymous access is not compatible with web authentication in a standard non-fallback configuration. If authentication is automatic and it fails then access is denied. An IWA fallback configuration is slightly different though – you have a choice whether to do web authentication or SAS authentication (e.g. IWA or non-IWA). If you choose SAS authentication then perhaps anonymous access might still be available as an option. I decided to test it out.
I ran 4 test scenarios to see how they were handled in an IWA with fallback configuration:
Continue reading “SAS Visual Analytics Guest Access with IWA Fallback”
I’ve just finished a challenging but very rewarding experience configuring a SAS 9.4 M2 platform on Linux to use Integrated Windows Authentication (IWA), for both server and mid-tiers ….. without using Quest Authentication Services.
The SAS platform has supported IWA on Linux since SAS 9.3 but until recently has only supported it when you “purchase, install, and configure an additional third-party product (Quest Authentication Services 4.0)”.
I’ve been wanted to do a SAS + Linux + IWA config for a while but had put it off because of the Quest requirement. What brought it back to the front of my mind was talking to someone recently about implementing IWA for a SAS Visual Analytics installation on Linux. They wanted to provide seamless login via IWA for most users, but also provide form-based logins for people who couldn’t use IWA.
I remembered seeing this section from the What’s New in SAS 9.4 (SAS 9.4 Intelligence Platform):
In the second maintenance release for SAS 9.4, Integrated Windows Authentication on Linux systems no longer requires the use of Quest Authentication Services. SAS can leverage the libraries that are shipped with the supported operating system or that are provided in most third-party authentication solutions.
It sounded like SAS 9.4 M2 would allow me to build such a config, without using Quest, and use the standard Linux libgssapi_krb5 package instead. At the same time I also remembered reading a great SAS Global Forum paper by Zhiyong Li on mid-tier fallback authentication: this is where you can configure the SAS mid-tier to fallback to form-based authentication in situations where IWA is not available or has been disabled (like you might do when you want to login using a different second identity). These both sounded like great challenges [ and fun :) ], so I set about confirming my understanding of these possibilities with SAS 9.4 M2 by doing both at the same time.
After a few days of research, implementation, testing and debugging, I finalized the config last night. I got quite a buzz out of some of the mind-bending troubleshooting sessions and it was a very rewarding outcome. Other than a few relatively minor issues to resolve, it is all working very well now.
If I get some time I’ll try to write up a few blog posts with more detail on the steps, issues, troubleshooting techniques and resolutions. In the meantime here’s an outline of the approach I took:
Continue reading “IWA with SAS 9.4 M2 on Linux”
I read some great SAS news this weekend. I found out there’s a new admin related forum on the SAS Communities site! If you head over to http://communities.sas.com/ and look in the list of Communities and Forums you’ll see a new header, Deployment & Administration of SAS Software, and a new forum called SAS Deployment:
In the announcement Mark Schneider, R&D Director – Deployment, SAS Institute Inc. said the following:
“We’ve received quite a few requests for a SAS Community for SAS Administrators, and as an initial response, we’ve created this SAS Deployment Community.”
Thanks to Mark and the SAS Communities administrators for setting up this new forum.
When I read the announcement I also wondered whether the phrase “initial response” and the fact that the new forum is listed under a heading of its own, could mean we might possibly see additional forums in the future on other specific admin topics (like EG Admin, Web Admin, Security Admin etc). What do you think? From my perspective I’m just pleased there’s an admin forum. If it sees so much activity that more specific ones get created down the track that could be a bonus, but for now I’m just happy there’s a new home for admin discussions.
Hope to see you in the new SAS Communities admin forum. :)
These are some of my favourite papers from SAS Global Forum 2011. As a platform administrator and metadata fan I am obviously biased to a specific subset of papers. I’m sure there were many other great papers at the conference, but these are the ones that I liked the most based on my own interests. :)
- Best Practice Implementation of SAS® Metadata Security at Customer Sites in Denmark
Cecily Hoffritz & Johannes Jørgensen
SAS Global Forum 2011 Paper 376-2011
- PDF available from http://support.sas.com/resources/papers/proceedings11/376-2011.pdf
- Single Sign-On Configuration and Troubleshooting for SAS® 9.2 Enterprise BI Web Applications
Stuart J Rogers & Heesun Park
SAS Global Forum 2011 Paper 365-2011
- PDF available from http://support.sas.com/resources/papers/proceedings11/365-2011.pdf
- Using SAS® on UNIX with Multiple Active Directories as Authentication Providers
SAS Global Forum 2011 Paper 369-2011
- PDF available from http://support.sas.com/resources/papers/proceedings11/369-2011.pdf
- Understanding the Anatomy of a SAS® Deployment: What’s in My Server Soup?
Mark Schneider, Donna Bennett, & Connie Robison
SAS Global Forum 2011 Paper 363-2011
- PDF available from http://support.sas.com/resources/papers/proceedings11/363-2011.pdf
- Configuration and Tuning Guidelines for SAS®9 in Microsoft Windows Server 2008
SAS Global Forum 2011 Paper 370-2011
- PDF available from http://support.sas.com/resources/papers/proceedings11/370-2011.pdf
- Considerations for Implementing a Highly Available or Disaster Recovery Environment
Diane Hatcher & Jochen Kirsten
SAS Global Forum 2011 Paper 358-2011
- PDF available from http://support.sas.com/resources/papers/proceedings11/358-2011.pdf
I’ll definitely be recommending these papers in my SAS platform admin consulting and training work, and have done so a number of times already. They offer a great supplement to the standard SAS documentation and provide lots of additional background info for some of the common types of platform admin related questions I hear like:
- “How can I find out more about SAS architecture, what all the components are, and how they fit together?”
- “What’s involved in setting up single sign-on for SAS installations?”
- “What do we need to know about optimizing the performance of SAS software?”
- “How do we secure our SAS content, what are the recommendations, and what should we watch out for?”
- “What happens if we get a hardware failure on our SAS Metadata Server? What things do we need to consider in disaster recovery planning?”
I’ve also added these papers to my reading list so I can find them easily when I need to point someone at them.
Thanks to all the authors for taking the time to prepare, present and publish them to share with the SAS community.