Installation Note 63143: Windows Defender Credential Guard and SAS® Software
 |  |  |  |  |
What is Windows Defender Credential Guard?
What issues occur when Credential Guard is enabled with SAS® products?
SAS® Software support for Credential Guard
Hot Fixes
What is Windows Defender Credential Guard?
Microsoft Corporation introduced a new security feature called Windows Defender Credential Guard in Microsoft Windows 10, Microsoft Windows Server 2016, and Microsoft Windows Server 2019.
To prevent threat and security risks, Windows Defender Credential Guard isolates log-on information for users from the rest of the operating system. Credential Guard uses virtualization to store credentials in protected containers that are separated from the operating system. Thus, the information that Credential Guard protects is safe even when malware or some other malicious attack penetrates the network of an organization.
Credential Guard is not enabled by default. However, it can be enabled using group policies, the Windows registry, or the Windows Defender Device Guard.
When Credential Guard is enabled, Kerberos does not allow unconstrained delegation or Data Encryption Standard (DES) encryption, not only for signed-in credentials, but also for prompted or saved credentials. DES usage has been phased out for some time, because it is no longer a supported and used encryption standard.
What issues occur when Credential Guard is enabled with SAS® products?
When Credential Guard is enabled, many older authentication protocols cannot use signed-in credentials. Thus, single sign-on does not work with these protocols when Credential Guard is also enabled. Impacted protocols include NT LAN Manager (NTLM) version 1, MS-CHAP (the Microsoft version of the Challenge-Handshake Authentication Protocol) version 2, digest authentication, and Credential Security Support Provider protocol (CredSSP). Current SAS products do not use these protocols.
Outbound access to data sources that depend on Kerberos protocol connections is also broken. Data sources that use Kerberos protocol connections include but are not limited to the following:
- Hadoop
- Network File System (NFS)
- SQL Server
In SAS® 9.4 deployments, problems occur with SAS products and solutions in the following scenario:
- Credential Guard is enabled AND
- Integrated Windows Authentication (IWA) is implemented AND
- Windows 10 is the client tier host platform AND
- Windows Server 2012, Windows Server 2016, Windows Server 2019, or UNIX is the host platform.
In SAS® Viya® deployments, problems occur with SAS products and solutions in the following scenarios:
- Credential Guard is enabled, IWA is implemented, AND Windows 10 is the client tier host platform, AND Linux or Windows is the server tier host platform.
- SAS® Viya® 3.4 deployments on Windows require the use of IWA.
SAS® Software support for Credential Guard
SAS has provided enhancements to support constrained delegation, which is required to support Windows Defender Credential Guard. Enhancements to enable constrained delegation have been released as a series of hot fixes. These enhancements are hot fixes for SAS® 9.4M6 (TS1M6). They require SAS 9.4M6 and Java 8 to be deployed. These hot fixes do not apply to releases prior to SAS 9.4M6.
If a hot fix addressing your specific SAS product is not yet available or you are not at the SAS 9.4M6 release level, SAS recommends that you perform one of these actions:
- Disable Credential Guard, OR
- Disable IWA and require users to authenticate at additional points in their sessions.
SAS supports Credential Guard capability with SAS® Viya® 3.5.
SAS® products that are not supported with constrained delegation:
Due to third-party functionality that does not yet support constrained delegation, these SAS products do not currently support Windows Credential Guard functionality:
- SAS/ACCESS® Interface to Hadoop
- SAS/ACCESS® Interface to Impala
- SAS/ACCESS® Interface to JDBC
- SAS/ACCESS® Interface to Oracle
- SAS® Data Loader for Hadoop
- SAS® Plug-ins for Hadoop
- SAS® LASR™ Analytics Server (SAS® 9.4 Visual Analytics)
Note: Currently, constrained delegation is supported only on Linux or Windows host systems, and resource-based constrained delegation is supported only on Windows. Traditional constrained delegation does not support a cross-realm trust. Cross-realm trust is defined as when the front-end service (SAS) is in a different domain than the backend-service, for example Teradata, SQL Server, or a file server. For a cross-realm trust, resource-based constrained delegation is required. However, resource-based constrained delegation is available only on Windows operating systems.
Click the Hot Fix tab in this note to access the hot fixes for this issue.
Hot Fixes
Linux Server:
Hot Fix F4P001 must be applied to your Linux system before other relevant hot fixes in order for the issue in this note to work.
|
Hot Fix |
Operating System |
Products Affected |
|---|---|---|
|
F4P001 (this fix must be applied to the system before other relevant hot fixes in order for the issue in this note to work) |
Linux |
Hot Fix F4P001 enables Windows 10 workstations that are running SAS® Enterprise Guide® and SAS® Studio to use Credential Guard and to access SAS 9.4M6 Integrated Object Model (IOM) servers in SAS® Enterprise Business Intelligence and SAS® Business Intelligence environments when operating on Linux operating systems. |
Windows Server:
Hot Fixes F1E003, F4P001, and E8G002 must be applied to your Windows Server system before other relevant hot fixes in order for the issue in this note to work.
|
Windows Hot Fixes |
Operating System |
Products Affected |
|---|---|---|
|
F1E003, F4P001, and E8G002 (these fixes must be applied to the system before other relevant hot fixes in order for the issue in this note to work) |
Windows Server |
Hot Fixes F1E003, F4P001, and E8G002 enable Windows 10 workstations that are running SAS® Enterprise Guide® and SAS® Studio to use Credential Guard and to access SAS 9.4M6 Integrated Object Model (IOM) servers in SAS® Enterprise Business Intelligence and SAS® Business Intelligence environments when operating on supported Windows Server operating systems. |
Available Product-Specific Fixes
Click the Hot Fix tab in this note to access the hot fixes for these product-specific fixes:
- SAS® Cloud Analytic Services support for third-party clients (needed for Windows only)
- SAS/CONNECT® (needed for Windows only)
- SAS® Enterprise Miner™
- SAS® Forecast Server
- SAS® Text Miner
- SAS® Time Series Studio
- SAS® Workload Orchestrator (needed for Windows only)
Operating System and Release Information
| Product Family | Product | System | SAS Release | |
| Reported | Fixed* | |||
| SAS System | N/A | Linux for x64 | 9.4 TS1M5 | 9.4 TS1M6 |
| Microsoft Windows 10 | 9.4 TS1M5 | 9.4 TS1M6 | ||
| Microsoft Windows Server 2016 | 9.4 TS1M5 | 9.4 TS1M6 | ||
A fix for this issue for Base SAS 9.4_M6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/D9T.html#F1E003A fix for this issue for Base SAS 9.4_M6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/D9T.html#F4P001A fix for this issue for SAS Workload Orchestrator and SAS Grid Manager for Platform 9.46 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/E3Y.html#63143A fix for this issue for SAS Time Series Studio 15.1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/E8A.html#63143A fix for this issue for SAS Forecast Server 15.1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/E7Z.html#63143A fix for this issue for SAS Enterprise Miner 15.1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/E5I.html#63143A fix for this issue for SAS Text Miner 15.1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/E5K.html#63143A fix for this issue for SAS Cloud Analytic Services support for Third Party Clients 9.61 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/F2K.html#63143A fix for this issue for Threaded Kernel IOM 9.4_M6 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/E8G.html#63143| Type: | Installation Note |
| Priority: | high |
| Date Modified: | 2021-03-15 14:52:38 |
| Date Created: | 2018-10-30 17:38:16 |