Note: The most common reason for
using a custom SPN is to support SAS servers that use DNS aliases.
If your SAS servers are configured using DNS aliases, you must manually
register those aliases (as both
SAS/DNSalias and
SAS/DNSalias.fully.qualified) in order to support Kerberos-based IWA connections.
If you need to use a
service principal name (SPN) that differs from the standard generated
SPN, review the following information.
In a standard configuration
on Windows, SAS servers automatically register their SPN as
SAS/
machine (for example,
SAS/machineA.na.company.com). Clients can construct
the default SPN (because they know the format and machine name), so
you don't have to explicitly provide the SPN.
If you need to use a
custom SPN on Windows:
-
Use the Microsoft tool
setspn. For example:
setspn
-A customValue myServer. This code registers
customValue as the SPN for all servers that run as services under the Local
System account on a machine that is named
myServer. You must be a Windows domain administrator in order to use the
setspn
command.
-
Make sure that all client-side
connection profiles and the logical workspace server definition (if
applicable) specify the new
customValue in the SPN field.
On UNIX, the SPN that
is used must be listed in the keytab file. In addition to running
setspn
to set a custom SPN, and making sure that client
connection profiles use that custom SPN, you must generate a new
keytab file that includes the new SPN. See the chapter "Configuring
Integrated Windows Authentication" in
Configuration Guide
for SAS Foundation for UNIX Environments at
http://support.sas.com/documentation/installcenter .