Usage Note 41477: Authorization errors can occur when you use Integrated Windows Authentication


When you use Integrated Windows Authentication (IWA), the following error might occur when a SAS session attempts to access a network resource. For example, the error can appear when a LIBNAME statement assigns a library that refers to a universal naming convention (UNC) path or to a database on another host:

ERROR: User does not have appropriate authorization level for library xxx.
ERROR: Error in the LIBNAME statement.

This problem with accessing network resources when you use IWA is not a limitation of SAS® software. It is a limitation of the underlying Windows authentication mechanism: the workspace server runs under the client user's identity, but that identity is valid only on the server's own host. Passing it on to a second hop (a file server or a database server) requires Kerberos delegation. For details, see the limitations that are listed in the section Integrated Windows Authentication in the SAS® 9.4 Administration documentation.

The relevant limitation that is noted in this document is as follows:

"If you use IWA for a workspace server that accesses Windows network resources, the object spawner account must have the Trusted for delegation Windows privilege."

The object spawner account is the account under which the object spawner service runs. On Windows this is either the Local System account or a dedicated service account.

Note: In most cases, an object spawner on Windows runs as a service under the Local System account. If the spawner instead runs under another account, that account must be a Windows administrator on the spawner's host and must hold the Windows user rights Adjust memory quotas for a process, Replace a process level token, and Act as part of the operating system. These user rights assignments are part of the local security policy of the Windows computer that hosts the spawner.

  • To enable unconstrained delegation, follow the steps in Trusted for Delegation. With this configuration the account is trusted to delegate to any Kerberos service in the domain: any user ticket forwarded to the spawner host can be used against any service, so a compromise of that host exposes every connecting user.
  • Constrained delegation is supported with SAS® 9.4M6 (TS1M6) or later. With this configuration the account is trusted to delegate only to the specific services (SPNs) that you list, and it is the configuration to prefer.
    See SAS Note 63143, "Windows Defender Credential Guard and SAS® Software," for SAS 9.4M6 information and the required hot fixes. For SAS 9.4M7 (TS1M7) and later, see How to Configure Kerberos Constrained Delegation for the post-installation steps.
    Note: SAS 9.4M7 and later releases ship with the required hot fixes built in.

Setting up constrained delegation for access to UNC paths is slightly different. When Windows accesses a UNC path over the Common Internet File System (CIFS) protocol on the client user's behalf, it uses Server Message Block (SMB), and the SMB client runs under the Local System account. In this case the local system, that is, the computer account of the SAS server, is the identity that must be trusted for delegation to the specified services. The service principal name (SPN) for SMB, cifs, is registered under the file server's computer object in Active Directory. For example, to access \\myfileshare\myfolder from a SAS server named mysasserver, the cifs SPN is registered under the myfileshare computer object, and the computer object for mysasserver is trusted for delegation to cifs/myfileshare.

  1. You must be a domain administrator or have Delegate Control permissions in Active Directory for the organizational unit that holds the service accounts that need to be modified.
  2. In Control Panel ► System and Security ► Administrative Tools, start Active Directory Users and Computers.
    1. Locate the Computers container (or the organizational unit that holds the SAS server's computer object) and click it.
    2. In the right pane, locate the computer object for the SAS server of the object spawner or workspace server.
    3. Right-click on the desired computer object and select Properties.
    4. In the Properties panel, select the Delegation tab.
    5. Select Trust this computer for delegation to specified services only:
      1. Select Use any authentication protocol. This enables Kerberos protocol transition, so delegation still works when the client authenticated to the workspace server with NTLM rather than Kerberos. It also lets the host obtain a service ticket for any user without that user's involvement, which is one more reason to keep the list of target services to the minimum.
      2. Click Add.
        1. In the Add Services panel, click Users and Computers.
          1. Enter the name of the computer to be accessed via the UNC path.
          2. Click OK.
        2. Select the cifs entry for that computer (cifs/computer-name) and click OK.
        3. Repeat as necessary to add all desired services.
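The same configuration can be applied from PowerShell, which is easier to review and to repeat across several SAS servers. The following is an added example and is not part of the SAS note or of SAS software; it assumes the RSAT ActiveDirectory module, an account with Delegate Control over the organizational unit that holds the computer objects, and the hypothetical host names mysasserver (the object spawner / workspace server host) and myfileshare (the file server behind \\myfileshare\myfolder). It writes exactly what the Delegation tab writes: the target SPNs into msDS-AllowedToDelegateTo and the "use any authentication protocol" bit (TRUSTED_TO_AUTH_FOR_DELEGATION) into userAccountControl, and it clears unconstrained delegation on the same object.

```powershell
# Added example (not from the SAS note): constrained delegation with protocol
# transition for a SAS server's computer account, so that a workspace server
# launched under IWA can reach a CIFS share on the client user's behalf.
Import-Module ActiveDirectory

$SasServer  = 'mysasserver'   # hypothetical: computer object of the spawner / workspace server host
$FileServer = 'myfileshare'   # hypothetical: computer object that hosts \\myfileshare\myfolder

# The GUI adds both the short and the fully qualified form of the cifs SPN; do the same.
$fileObj = Get-ADComputer -Identity $FileServer -Properties DNSHostName
$targets = @("cifs/$FileServer", "cifs/$($fileObj.DNSHostName)")

# Add only the entries that are not already present (an LDAP add of an existing value fails).
$sasObj   = Get-ADComputer -Identity $SasServer -Properties 'msDS-AllowedToDelegateTo'
$existing = @($sasObj.'msDS-AllowedToDelegateTo')
$missing  = $targets | Where-Object { $existing -notcontains $_ }
if ($missing) {
    Set-ADComputer -Identity $SasServer -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
}

# "Trust this computer for delegation to specified services only" with
# "Use any authentication protocol": set TRUSTED_TO_AUTH_FOR_DELEGATION and make sure the
# broader TRUSTED_FOR_DELEGATION (unconstrained) bit is not left over from an earlier attempt.
$sasObj | Set-ADAccountControl -TrustedToAuthForDelegation $true -TrustedForDelegation $false

# Verify what Active Directory now holds for the SAS server.
Get-ADComputer -Identity $SasServer -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The expected result is TrustedForDelegation False, TrustedToAuthForDelegation True, and AllowedToDelegateTo listing only the cifs SPNs you intend. If the spawner runs under a dedicated service account rather than Local System, apply the same two cmdlets to that user object instead of the computer object; the computer object is the right target only because the SMB client runs as Local System.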

You should carefully consider whether to enable delegation, because enabling it carries security risks: the delegating account can act as any connecting user toward the trusted services, so restrict it to the smallest set of services possible. Delegation is a requirement when you use Integrated Windows Authentication (IWA) and access resources off the server. If delegation cannot be granted within your organization, resources off the server will not be accessible through IWA, and another authentication mechanism for those resources must be chosen.
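Because the risk above depends on which accounts are allowed to delegate and to what, a periodic audit is the practical check. The following added example (not from the SAS note) lists every account in the domain that has unconstrained delegation (the Trusted for Delegation setting from the first bullet above) or a constrained delegation list, so that the SAS spawner host can be confirmed as constrained to its cifs target and any leftover unconstrained entries can be found. It assumes the RSAT ActiveDirectory module and read access to the directory; the userAccountControl bit values are the documented ones.

```powershell
# Added example (not from the SAS note): audit Kerberos delegation settings across the domain.
Import-Module ActiveDirectory

# userAccountControl bits relevant to delegation.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: delegate to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")
$SERVER_TRUST_ACCOUNT           = 0x2000     # domain controllers carry unconstrained delegation by design

function Get-DelegationReport {
    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests single bits server-side.
    # Select unconstrained accounts that are not DCs, plus any account with a constrained list.
    $filter = "(|(&(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT)))" +
              "(msDS-AllowedToDelegateTo=*))"
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            [pscustomobject]@{
                Account            = $_.sAMAccountName
                Class              = $_.ObjectClass
                Unconstrained      = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
                ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
                AllowedTargets     = @($_.'msDS-AllowedToDelegateTo') -join ', '
            }
        }
}

$report = Get-DelegationReport
$report | Sort-Object Unconstrained -Descending | Format-Table -AutoSize

# Anything still unconstrained deserves a second look; for a SAS server the expected row is
# Unconstrained = False with an explicit cifs/<fileserver> entry in AllowedTargets.
$report | Where-Object Unconstrained | ForEach-Object {
    Write-Warning "$($_.Account) is trusted for delegation to ANY service; prefer constrained delegation."
}
```

Run the audit after the delegation change and again on a schedule; an unconstrained entry that appears on a non-DC host is the condition the warning in the text is about, and it is the first thing to fix before adding further constrained targets.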

 



Operating System and Release Information

Product Family: SAS System
Product: BI Server Tier
System:
  Solaris for x64
  Linux for x64
  Linux
  HP-UX IPF
  64-bit Enabled Solaris
  64-bit Enabled AIX
  64-bit Enabled HP-UX
  Microsoft Windows XP Professional
  Microsoft Windows Server 2019
  Microsoft Windows Server 2016
  Microsoft Windows Server 2012 Std
  Microsoft Windows Server 2012 R2 Std
  Microsoft Windows Server 2012 R2 Datacenter
  Microsoft Windows Server 2012 Datacenter
  Microsoft Windows Server 2008 for x64
  Microsoft Windows Server 2008 R2
  Microsoft Windows Server 2008
SAS Release Reported:
SAS Release Fixed*:

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.