A credential gap is a situation in which a user doesn't seamlessly access the workspace server for any of these reasons:
- Server configurations are incorrect, incomplete, or incompatible.
- The user's context doesn't include credentials that are known to the workspace server's host.
- The user's context doesn't pair credentials that are known to the workspace server's host with the workspace server's authentication domain.
- The workspace server is on Windows, using credential-based authentication, and the user's host account doesn't have the Windows privilege Log on as a batch job.
The usual symptom of a credential gap is a prompt for a user ID and password after a user makes a request that requires a workspace server. A credential gap can be problematic for these reasons:
- The prompts interrupt the user experience.
- Users have to know credentials that are valid for the workspace server's host and know that those are the correct credentials to provide.
- Not all middle-tier services and Web applications prompt for credentials (and, without a prompt, the user request fails).
You can use the following list to help troubleshoot a credential gap.
Troubleshooting Credential Gaps
If the user initially logs on via Web authentication
The user's initial logon doesn't add a password to the user's context. Make sure that the Web application uses some form of pooling. If the problem persists, consider configuring the workspace server to use SAS token authentication.
If the user initially logs on via Integrated Windows authentication
The user's initial logon doesn't add a password to the user's context. Configure the workspace server for Integrated Windows authentication (IWA).
If the user logs on with a user ID that ends in @saspw
Tell the user that they get the prompt because they are using an internal account. When the user gets the additional prompt, they must enter a user ID and password that are known to the workspace server's host. The host account must correspond to a metadata identity that has ReadMetadata permission for the server definition. On Windows, the host account must have the Log on as a batch job privilege.
If the user's connection profile contains an @saspw user ID
The user's context doesn't pair the credentials from the user's initial logon with the DefaultAuth authentication domain. Tell the user to create a new connection profile with external credentials (and no value in the Authentication domain field) and try again. To ensure optimal credential reuse, users shouldn't use the same connection profile for both internal and external accounts.
If the user's connection profile has a value other than DefaultAuth for the authentication domain
The user's context doesn't pair the credentials from the user's initial logon with the DefaultAuth authentication domain. Tell the user to either clear this field or enter the value DefaultAuth and try again.
If the user is in SAS Enterprise Guide and accessing a workspace server that is set to prompt
Verify the logical workspace server's Options settings. If the setting is intentional, tell the user to supply host credentials.
If the workspace server is not assigned to the correct authentication domain
Credential reuse might be impaired. In most configurations, the workspace server should be in DefaultAuth. To verify (and, if necessary, correct) the workspace server's authentication domain assignment, select the Plug-ins tab in SAS Management Console, navigate to the server, select its connection object, right-click, and select Properties. The authentication domain assignment is on the Options tab.
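
For the Windows cases above that depend on the Log on as a batch job privilege, the following PowerShell script checks whether a host account holds that right (SeBatchLogonRight) in the local security policy. It is an added example, not part of the SAS documentation; the account name EXAMPLE\sasdemo and the function names are assumptions. It must run from an elevated prompt on the workspace server's host and does not expand domain or nested groups.

```powershell
# Added example (not SAS code). Run elevated on the workspace server's host.
# EXAMPLE\sasdemo is a placeholder; pass the host account the user supplies at the prompt.
param([string]$Account = 'EXAMPLE\sasdemo')

function Get-BatchLogonHolder {
    # Export only the user-rights section of the effective local security policy.
    $inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $inf)) { throw 'secedit export produced no file; is the prompt elevated?' }
        $line = Get-Content -Path $inf | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
        if (-not $line) { return @() }   # the right is assigned to nobody
        # Entries are comma-separated; SIDs carry a leading '*', plain account names do not.
        ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function ConvertTo-Sid([string]$Name) {
    if ($Name -match '^S-1-') { return $Name }
    ([System.Security.Principal.NTAccount]$Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$accountSid = ConvertTo-Sid $Account
$grantedVia = foreach ($holder in Get-BatchLogonHolder) {
    try {
        $holderSid = ConvertTo-Sid $holder
        if ($holderSid -eq $accountSid) { 'direct assignment'; continue }
        # If the holder is a local group, look for the account among its direct members.
        $members = Get-LocalGroupMember -SID $holderSid -ErrorAction Stop
        if ($members.SID.Value -contains $accountSid) { "local group $holder" }
    } catch { continue }   # unresolvable entry, or the holder is not a local group
}

if ($grantedVia) {
    "{0} holds 'Log on as a batch job' via: {1}" -f $Account, ($grantedVia -join ', ')
} else {
    "{0} is not granted 'Log on as a batch job' directly or through a local group" -f $Account
}
```

A negative result for an account that belongs to a domain group listed in the policy still needs a manual membership check, because only direct assignments and local group members are examined.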