When you set up Integrated Windows Authentication (IWA) and single sign-on (SSO) with Kerberos on SAS 9.4M7, you see the following message in the logs for the SAS^® Metadata Server and SAS Object Spawner: 

The error appears because the User Principal Name (UPN) is different from the Service Principal Name (SPN) in Microsoft Active Directory.

As a workaround, you must tell SAS which principal name to use to initialize the credential. To define the principal, take the following steps for the environment variable SAS_SERVICE_PRINCIPAL:

1. Add the following information in the level_env_usermods.sh file in SAS-configuration-directory/Lev#/:
   
   SAS_SERVICE_PRINCIPAL=user-name@REALM.COM
   export SAS_SERVICE_PRINCIPAL
    
2. Restart both SAS Metadata Server and SAS Object Spawner.

Setting the SAS_SERVICE_PRINCIPAL variable works only when the Kerberos keytab contains either just the UPN or both the UPN and SPN. However, if the Kerberos keytab contains only the SPN, then Kerberos authentication will still fail, because the keytab does not contain the long-term keys for the UPN that can enable SAS to initialize a Kerberos credential. The Kerberos keytab needs to be regenerated in order to include the UPN as well.

Alternatively, you can modify the service account and set the UPN to be the same as the SPN.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

A fix for this issue for Base SAS 9.4_M7 is available at: