Credential Gaps

A credential gap is a situation in which a user doesn't seamlessly access the workspace server for any of these reasons:
  • Server configurations are incorrect, incomplete, or incompatible.
  • The user's context doesn't include credentials that are known to the workspace server's host.
  • The user's context doesn't pair credentials that are known to the workspace server's host with the workspace server's authentication domain.
  • The workspace server is on Windows and uses credential-based authentication, and the user's host account doesn't have the Windows privilege Log on as a batch job.
The usual symptom of a credential gap is a prompt for a user ID and password after a user makes a request that requires a workspace server. A credential gap can be problematic for these reasons:
  • The prompts interrupt the user experience.
  • Users have to know credentials that are valid for the workspace server's host and know that those are the correct credentials to provide.
  • Not all middle-tier services and Web applications prompt for credentials (and, without a prompt, the user request fails).
You can use the following list to help troubleshoot a credential gap.

Troubleshooting Credential Gaps

If the user initially logs on via Web authentication
The user's initial logon doesn't add a password to the user's context. Make sure that the Web application uses some form of pooling. If the problem persists, consider configuring the workspace server to use SAS token authentication.
If the user initially logs on via Integrated Windows authentication
The user's initial logon doesn't add a password to the user's context. Configure the workspace server for Integrated Windows authentication (IWA).
If the user logs on with a user ID that ends in @saspw
Tell the user that they get the prompt because they are using an internal account. When the user gets the additional prompt, they must enter a user ID and password that are known to the workspace server's host. The host account must correspond to a metadata identity that has ReadMetadata permission for the server definition. On Windows, the host account must have the Log on as a batch job privilege.
If the user's connection profile contains an @saspw user ID
The user's context doesn't pair the credentials from the user's initial logon with the DefaultAuth authentication domain. Tell the user to create a new connection profile with external credentials (and no value in the Authentication domain field) and try again. To ensure optimal credential reuse, users shouldn't use the same connection profile for both internal and external accounts.
If the user's connection profile has a value other than DefaultAuth for the authentication domain
The user's context doesn't pair the credentials from the user's initial logon with the DefaultAuth authentication domain. Tell the user to either clear this field or enter the value DefaultAuth and try again.
If the user is in SAS Enterprise Guide and accessing a workspace server that is set to prompt
Verify the logical workspace server’s Options settings. If the setting is intentional, tell the user to supply host credentials.
If the workspace server is not assigned to the correct authentication domain
Credential reuse might be impaired. In most configurations, the workspace server should be in DefaultAuth. To verify (and, if necessary, correct) the workspace server's authentication domain assignment, select the Plug-ins tab in SAS Management Console, navigate to the server, select its connection object, right-click, and select Properties. The authentication domain assignment is on the Options tab.