SUPPORT / SAMPLES & SAS NOTES
Problem Note 57828: The import process fails with a 401 status code when you import SAS® 9.4 Web Report Studio reports with SAS® Management Console or promotion tools
 |  |  |  |
When you import SAS Web Report Studio reports from SAS Management Console or with promotion tools, the import task fails with a 401 status error. When you enable additional CentralAuthenticationService traces within Logon Manager and the Web Infrastructure Platform Client Access application, the following errors appear in the SASServer1_1 localhost*.txt, the SASWIPClient9.4.log, and the SASLogon9.4.log files.
The SASServer1_1 localhost*.txt File
11.11.200.111 - - [01/Mar/2016:15:05:15 -0500] "GET /SASLogon/proxyValidate?pgtUrl=http%3A%2F%2Fmidtier02.xyz.com%3A7980%2FSASWIPClientAccess%2Fj_spring_cas_security_proxyreceptor&ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas&service=https%3A%2F%2Floadbalancerhost.xyz.com%2FSASWIPClientAccess%2Fremote%2FServiceRegistry HTTP/1.1" 200 211
11.11.200.111 - - [01/Mar/2016:15:05:15 -0500] "GET /SASLogon/proxyValidate?pgtUrl=http%3A%2F%2Fmidtier02.xyz.com%3A7980%2FSASWIPClientAccess%2Fj_spring_cas_security_proxyreceptor&ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas&service=http%3A%2F%2Fmidtier02.xyz.com%3A7080%2FSASWIPClientAccess%2Fremote%2FServiceRegistry HTTP/1.1" 200 211
11.11.200.111 - - [01/Mar/2016:15:05:15 -0500] "POST /SASWIPClientAccess/remote/ServiceRegistry?ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas HTTP/1.1" 401 164
The SASWIPClientAccess9.4.log File
2016-03-01 15:05:15,205 [tomcat-http--8] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2016-03-01 15:05:15,206 [tomcat-http--8] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - Delegating to authentication failure handlerorg.springframework.security.cas.web.CasAuthenticationFilter$CasAuthenticationFailureHandler@3759a9ae
2016-03-01 15:05:15,206 [tomcat-http--8] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = false
2016-03-01 15:05:15,206 [tomcat-http--8] DEBUG [unknown] org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
2016-03-01 15:05:15,206 [tomcat-http--8] DEBUG [unknown] org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2016-03-01 15:05:15,229 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/remote/serviceregistry'; against '/rest/**'
2016-03-01 15:05:15,229 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.FilterChainProxy - /remote/ServiceRegistry?ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas at position 1 of 15 in additional filter chain; firing Filter: 'ApplicationNameFilter'
2016-03-01 15:05:15,229 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.FilterChainProxy - /remote/ServiceRegistry?ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas at position 2 of 15 in additional filter chain; firing Filter: 'CsrfRefererCheckerFilter'
2016-03-01 15:05:15,229 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.FilterChainProxy - /remote/ServiceRegistry?ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas at position 3 of 15 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2016-03-01 15:05:15,229 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.FilterChainProxy - /remote/ServiceRegistry?ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas at position 4 of 15 in additional filter chain; firing Filter: 'LogoutFilter'
2016-03-01 15:05:15,230 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.FilterChainProxy - /remote/ServiceRegistry?ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas at position 5 of 15 in additional filter chain; firing Filter: 'RevokableTokenLogoutFilter'
2016-03-01 15:05:15,230 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.FilterChainProxy - /remote/ServiceRegistry?ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas at position 6 of 15 in additional filter chain; firing Filter: 'SingleSignOutFilter'
2016-03-01 15:05:15,230 [tomcat-http--43] DEBUG [unknown] org.jasig.cas.client.util.CommonUtils - safeGetParameter called on a POST HttpServletRequest for LogoutRequest. Cannot complete check safely. Reverting to standard behavior for this Parameter
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.FilterChainProxy - /remote/ServiceRegistry?ticket=ST-14-TDKoUS4ESa1E0aE4UYuk-cas at position 7 of 15 in additional filter chain; firing Filter: 'CasAuthenticationFilter'
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = false
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorConfigured = true
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorRequest = false
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - proxyTicketRequest = true
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - requiresAuthentication = true
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - Request is to process authentication
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorConfigured = true
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - proxyReceptorRequest = false
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = false
2016-03-01 15:05:15,238 [tomcat-http--43] DEBUG [unknown] org.springframework.security.authentication.ProviderManager - Authentication attempt using com.sas.svcs.security.authentication.provider.AuthenticationProvider
2016-03-01 15:05:15,239 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.authentication.CasAuthenticationProvider - serviceUrl = https://loadbalancerhost.xyz.com/SASWIPClientAccess/remote/ServiceRegistry
2016-03-01 15:05:15,254 [tomcat-http--43] DEBUG [unknown] org.springframework.security.authentication.ProviderManager - Authentication attempt using com.sas.svcs.security.authentication.web.providers.UsernamePasswordCasAuthenticationProvider
2016-03-01 15:05:15,254 [tomcat-http--43] DEBUG [unknown] org.springframework.security.authentication.ProviderManager - Authentication attempt using com.sas.svcs.security.authentication.web.providers.CasTgtAuthenticationProvider
2016-03-01 15:05:15,254 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException:
Ticket does not match the supplied service.
2016-03-01 15:05:15,254 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2016-03-01 15:05:15,254 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - Delegating to authentication failure handlerorg.springframework.security.cas.web.CasAuthenticationFilter$CasAuthenticationFailureHandler@3759a9ae
2016-03-01 15:05:15,255 [tomcat-http--43] DEBUG [unknown] org.springframework.security.cas.web.CasAuthenticationFilter - serviceTicketRequest = false
2016-03-01 15:05:15,255 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - No failure URL set, sending 401 Unauthorized error
2016-03-01 15:05:15,255 [tomcat-http--43] DEBUG [unknown] org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
The SASLogon9.4.log File
2016-03-01 15:05:15,218 [tomcat-http--39] INFO org.jasig.cas.CentralAuthenticationServiceImpl - Granted service ticket [ST-14-TDKoUS4ESa1E0aE4UYuk-cas] for service [http://midtier02.xyz.com:7980/SASWIPClientAccess/remote/ServiceRegistry] for user [sasdemo]
2016-03-01 15:44:02,924 [tomcat-http--39] DEBUG org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler - Attempting to resolve credentials for [callbackUrl: http://midtier02.xyz.com:7080/j_spring_cas_security_proxyreceptor]
To resolve this issue, perform the following workaround:
- Locate the parameter shown below in the identity-services.properties file, which resides in the
SAS-configuration-directory/Lev1/Web/SASEnvironmentManager/server-5.8.0-EE/hq-engine/hq-server/webapps/ROOT/WEB-INF/classes/ directory. In the url.base= property below,replace middle-tier-host-name with the actual proxyHost= and do the same where you replace webserver_port with the actual, configured proxyPort= value that appears in the server.xml file in SAS-configuration-directory/Lev1/Web/WebAppServer/SASServer1_1/conf/server.xml
url.base=http\://middle-tier-host-name\:webserver_port/ - Locate the following HTML parameter in the security-web-context.xml file, which resides in the SAS-configuration-directory/Lev1/Web/SASEnvironmentManager/server-5.8.0-EE/hq-engine/hq-server/webapps/ROOT/WEB-INF/spring/ directory. Make sure that the attributes in this parameter both point to port 7080, as shown below.
<constructor-arg value="http://middle-tier-host-name:7980/SASLogon/logout?sas_svcs_logon_LogonUrl=http%3A%2F%2Fmiddle-tier-host-name%3A:7080%2F" /> value="http://middle-tier-host-name:7080/j_spring_cas_security_check"/> <property name="serviceUrl" value="http://middle-tier-host-name:7080/j_spring_cas_security_check" /> value="http://middle-tier-host-name:7080/j_spring_cas_security_proxyreceptor"/>Note: The security-web-context.xml configuration case discussed above is for when the web tier, including SAS® 9.4 Environment Manager, is configured without the Secure Sockets Layer (SSL) protocol (or when SSL is disabled). For the configuration with SSL enabled, the default SSL port for SAS 9.4 Environment Manager is 7443, and for the web server, the port is 443. (Also for SSL ports that are not the default ports, the HTML tag should point to the non-default ports.) However, if you have an HTTP configuration (instead of SSL), then by default, the port for SAS 9.4 Environment Manager is 7080.
- Change the URL context for the internal URI service for SAS Environment Manager by performing the following steps. Make sure that the port number is set to 7080.
- In SAS Management Console, select Application Management ► Configuration Manager ► SAS Application Infrastructure.
- Right-click DP-SAS-Environment-Managermiddle-tier-host-name and select Properties.
- In the properties dialog box, click the Internal Connection tab. On this tab:
- Change the value for Port Number to 7080
- Change the value for Service to /SASEnvironmentManager.
Note: By default, the Service value is set to /.
- Stop all of the middle-tier services, including SAS Environment Manager Server and the agent process, and restart the services. Once you restart the services, the problem should be resolved.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Web Infrastructure Platform | Microsoft® Windows® for x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 |
| Microsoft Windows 8 Enterprise 32-bit | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows 8 Enterprise x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows 8 Pro 32-bit | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows 8 Pro x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows 8.1 Enterprise x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows 8.1 Pro | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows 8.1 Pro 32-bit | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows 10 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2008 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2008 R2 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2008 for x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2012 Datacenter | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2012 R2 Datacenter | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2012 R2 Std | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Microsoft Windows Server 2012 Std | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Windows 7 Enterprise 32 bit | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Windows 7 Enterprise x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Windows 7 Home Premium 32 bit | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Windows 7 Home Premium x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Windows 7 Professional 32 bit | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Windows 7 Professional x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Windows 7 Ultimate 32 bit | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Windows 7 Ultimate x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| 64-bit Enabled AIX | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| 64-bit Enabled Solaris | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| HP-UX IPF | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Linux for x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||
| Solaris for x64 | 9.4_M3 | 9.4_M4 | 9.4 TS1M3 | 9.4 TS1M4 | ||