
How to Configure Integrated Windows Authentication

In document SAS 9.4 Intelligence Platform (Page 184-187)

Overview

Note: These instructions are for configuring Integrated Windows authentication (IWA) from SAS desktop applications to the metadata server and the workspace server. Before you configure IWA, verify that this is an appropriate choice in your environment. See “Integrated Windows Authentication” on page 143.

Configuration of IWA for desktop applications can involve three distinct locations:

• Client participation in IWA is determined by a setting in each client-side connection profile. If IWA is not selected by a client, IWA is not used for that client.

• Server participation in IWA is affected by invocation commands. For example, the metadata server cannot use IWA if that server's start command includes the option -nosspi.

• For metadata-aware connections to a workspace server, participation in IWA is also affected by settings in that server's metadata definition.

Instructions

1 If the metadata server or workspace server runs on UNIX, complete the UNIX prerequisite tasks. Before you can use IWA for a SAS server that runs on a UNIX host, you must prepare and configure the UNIX environment. For example:

• You must acquire, install, and configure the required software. For the first maintenance release for SAS 9.4, the only supported implementation of IWA on UNIX requires Quest Authentication Services (QAS) 4.0.1.23 or later. For the second maintenance release for SAS 9.4 on Linux systems, any shared library (including QAS) that implements the GSSAPI with Kerberos 5 extensions can be used. If QAS is present on the host, SAS attempts to load its libraries before attempting to load others to retain legacy behavior.

• You must create a service account and corresponding keytab file.

Participating SAS processes on UNIX must be able to read the keytab file. A keytab file is functionally equivalent to a user's password and should be secured in the same way. The keytab file should be owned by the user and group that is accessing it, and it should have the least permissive access mask (preferably 0600).

• You must set certain environment variables.

These prerequisite tasks should be performed during the installation and initial configuration phases of your deployment. Some of the implementation details differ by UNIX host. For these reasons, detailed instructions for preparing your UNIX host to support IWA are in a separate document. See the chapter "Configuring Integrated Windows Authentication" in Configuration Guide for SAS Foundation for UNIX Environments at http://support.sas.com/documentation/installcenter.

2 If the metadata server is clustered and runs on Windows, or if your SAS servers are configured using DNS aliases, manually register SPNs. See “Manual Registration” on page 174.

3 Verify an IWA connection to the metadata server.

a In a client-side connection profile, select the check box that enables Integrated Windows authentication and then attempt to connect.

TIP For example, in the Connection Profile dialog box in SAS Management Console, click Edit. On the Connection Information page of the Edit Connection Profile wizard, select the Use Integrated Windows authentication (single sign-on) check box.

b If the connection fails, verify the following:

• The metadata server's start-up command includes -sspi.

• The advanced IWA settings in your client-side connection profile are Negotiate for the security package, blank (no value) for the service principal name, and Kerberos,NTLM for the security package list.

• Your metadata user definition includes a login that contains your user ID in the correct format. See “User Logins” on page 173.

• You are using a Windows desktop client (the SAS implementation of IWA is not for web applications or UNIX clients).

• If the metadata server runs on UNIX, the prerequisite steps have been successfully completed. (See step 1 above.)

c After the connection succeeds, examine the metadata server log to confirm that an IWA connection was used. If a credential-based connection occurred, make sure that your password is not cached in the client application.

TIP In SAS Management Console, you can clear the credentials cache by selecting File > Clear Credentials Cache from the main menu.

4 Configure the workspace server’s metadata definition for IWA, and verify an IWA connection to that server.


TIP If you use IWA for the metadata server, there are no cached credentials from an initial logon. For this reason, it is a good idea to configure IWA for the standard workspace server also, if possible (IWA is not supported on z/OS).

a On the Plug-ins tab in SAS Management Console, expand Server Manager and the application server (for example, SASApp). Right-click the logical server (for example, SASApp - Logical Workspace Server) and select Properties.

b On the Options tab, select the Host radio button (IWA is a form of host authentication).

• Select the Negotiate security package.

• Leave the Security package list as Kerberos,NTLM.

• Leave the Service principal name blank. In a standard configuration, clients expect (and know how to compose) the default SPN. Entering a value here (or on the client side) overrides this default process.

c Log on to SAS Management Console using IWA. Right-click the Logical Workspace Server and select Validate.

d If the connection fails, verify the following:

• The object spawner's start-up command includes -sspi.

• Your metadata user definition includes a login that contains your user ID in the correct format. See “User Logins” on page 173.

• If the workspace server runs on UNIX, the prerequisite steps have been successfully completed. (See step 1 above.)

e After the connection succeeds, examine the object spawner log to verify that the connection to the workspace server was made using IWA. If the spawner log indicates that credential-based authentication occurred (instead of IWA), the user's context includes credentials for the workspace server's host. Make sure that the user does not have a cached or stored password for the workspace server’s authentication domain.

Note: Even if IWA is configured, any available cached or stored credentials are preferentially used.

5 If the workspace server needs to access Kerberized network resources (such as network file systems or IWA connections to databases):

• Edit the Security package list so that only Kerberos is specified.

• In Active Directory, make the object spawner account trusted for delegation to all services. See “Windows Privileges” on page 19.

6 Inform users that they can select the IWA option when they log on to desktop applications such as SAS Information Map Studio, SAS Data Integration Studio, SAS OLAP Cube Studio, SAS Management Console, and SAS Enterprise Guide. In general, users should not make changes to the advanced IWA settings in their client-side connection profiles.
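The two UNIX-side checks that recur in the steps above (step 1: the keytab must be owned by the accessing user with a 0600 mask; steps 3b and 4d: the metadata server and object spawner start commands must include -sspi rather than -nosspi) can be scripted. This is an added example, not code from the SAS documentation; the file path and command lines it tests are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the SAS documentation): checks two IWA
# prerequisites from this page on a UNIX host. Paths below are placeholders.

# Returns 0 if the keytab is a regular file owned by the invoking user with no
# group/other permission bits (mask 0600 or stricter); otherwise prints why
# and returns 1.
check_keytab_perms() {
  keytab=$1
  [ -f "$keytab" ] || { echo "keytab $keytab: not a regular file"; return 1; }
  [ -O "$keytab" ] || { echo "keytab $keytab: not owned by $(id -un)"; return 1; }
  # Characters 5-10 of 'ls -l' output are the group and other permission triplets.
  go_bits=$(ls -ld "$keytab" | cut -c5-10)
  [ "$go_bits" = "------" ] || {
    echo "keytab $keytab: group/other access present ($go_bits); use chmod 0600"
    return 1
  }
  return 0
}

# Returns 0 if a SAS server or spawner start command enables SSPI (-sspi is
# present and -nosspi is absent). The command line is passed as one string;
# matching is case-insensitive because SAS options are.
check_sspi_option() {
  cmd=$(printf ' %s ' "$1" | tr 'A-Z' 'a-z')
  case $cmd in
    *' -nosspi '*) echo "start command disables IWA (-nosspi)"; return 1 ;;
    *' -sspi '*)   return 0 ;;
    *)             echo "start command does not include -sspi"; return 1 ;;
  esac
}

# Demonstration on a constructed temp file standing in for a keytab.
demo() {
  tmp=$(mktemp) || return 1
  chmod 0600 "$tmp"
  check_keytab_perms "$tmp" && echo "0600 keytab: OK"
  chmod 0640 "$tmp"
  check_keytab_perms "$tmp" || echo "0640 keytab: rejected as expected"
  rm -f "$tmp"
  check_sspi_option "sas -metaserver -sspi -log /tmp/meta.log" && echo "-sspi: OK"
  check_sspi_option "objspawn -nosspi -saslogon" || echo "-nosspi: rejected as expected"
}

demo
```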

See Also

“Checking the Status of Servers” in SAS Intelligence Platform: System Administration Guide

“Default Locations for Server Logs” in SAS Intelligence Platform: System Administration Guide

“Spawner Invocation Options” in SAS Intelligence Platform: Application Server Administration Guide
