System Options for SAS Application Server Components

SECPACKAGELIST System Option

Specifies the security authentication packages used by the server.

Valid in:	configuration file, SAS invocation, metadata
Category:	System Administration: Security
	Environment control: Initialization and operation
PROC OPTIONS GROUP=	EXECMODES
	SECURITY
Default:	"Kerberos,NTLM"
Restriction:	Windows operating environment
Applies to these servers:	workspace, stored process, OLAP, metadata, table, CONNECT
See:	SECPACKAGE System Option
	SSPI System Option

Syntax
Syntax Description
Details
Examples
See Also

Syntax

-secpackagelist "package-name-1,[package-name-2,][...,]"

Syntax Description

"package-name"

Identifies the security package that is used by the server in order to authenticate incoming client connections. The default is "Kerberos,NTLM".

Enclose the security package name within double quotation marks ("). Delimit an additional package name with a comma (,).

Details

The SECPACKAGELIST system option, in conjunction with SECPACKAGE, identifies to the IOM server one or more security packages that can be used to authenticate incoming client connections. The default value of SECPACKAGELIST is Kerberos and NTLM.

To use the SECPACKAGELIST system option, SECPACKAGE must be set to negotiate. The IOM server requires these two security package options to support single sign-on (SSO) to IOM servers. The connecting client should initialize with a security package name that matches what you have specified on the server. The negotiate value allows the client and server to negotiate a site-specific package to use.

Examples

EXAMPLE 1:

In the following example, the IOM server specifies either Kerberos or NTLM security for authenticating incoming client requests:

-sspi
-secpackage "negotiate"
-secpackagelist "Kerberos,NTLM"

EXAMPLE 2:

In the following example, the IOM server specifies Kerberos security only for authenticating incoming client requests:

-sspi
-secpackagelist "kerberos"

In the preceding example, SECPACKAGE does not have to be specified because it defaults to negotiate. The only protocol in the list to negotiate is Kerberos. Therefore, all clients that connect to the server must use Kerberos or fail the connection. It is important that the protocols of both the client and server match. The client is also forced to use Kerberos if the server displays only Kerberos in the package list.

EXAMPLE 3:

In the following example, the IOM server specifies NTLM security only for authenticating incoming client requests:

-sspi
-secpackagelist "ntlm"

In the preceding example, SECPACKAGE does not have to be specified because it defaults to negotiate. The only protocol in the list to negotiate is NTLM. Therefore, all clients that connect to the server must use NTLM or fail the connection. It is important that the protocols of both the client and server match. The client is also forced to use NTLM if the server displays only NTLM in the package list.