Problem Note 66937: You see a "Kerberos failure" message after you set up Integrated Windows Authentication and single sign-on for SAS® 9.4M7 (TS1M7)
When you set up Integrated Windows Authentication (IWA) and single sign-on (SSO) with Kerberos on SAS 9.4M7, you see the following message in the logs for the SAS® Metadata Server and SAS Object Spawner:
Kerberos failure in function krb5_get_init_creds_keytab: Client 'SAS/metadata.host.com@REALM.COM' not found in Kerberos database
The error appears because the User Principal Name (UPN) is different from the Service Principal Name (SPN) in Microsoft Active Directory.
As a workaround, you must tell SAS which principal name to use to initialize the credential. To define the principal, take the following steps for the environment variable SAS_SERVICE_PRINCIPAL:
- Add the following information in the level_env_usermods.sh file in SAS-configuration-directory/Lev#/:
SAS_SERVICE_PRINCIPAL=user-name@REALM.COM
export SAS_SERVICE_PRINCIPAL
- Restart both SAS Metadata Server and SAS Object Spawner.
Setting the SAS_SERVICE_PRINCIPAL variable works only when the Kerberos keytab contains either just the UPN or both the UPN and SPN. However, if the Kerberos keytab contains only the SPN, then Kerberos authentication will still fail, because the keytab does not contain the long-term keys for the UPN that can enable SAS to initialize a Kerberos credential. The Kerberos keytab needs to be regenerated in order to include the UPN as well.
Alternatively, you can modify the service account and set the UPN to be the same as the SPN.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
SAS System | SAS Integration Technologies | Microsoft® Windows® for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 8 Enterprise 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 8 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 8 Pro 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 8 Pro x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 8.1 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 8.1 Pro 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 8.1 Pro x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows 10 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2008 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2008 R2 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2008 for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2012 Datacenter | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2012 R2 Datacenter | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2012 R2 Std | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2012 Std | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2016 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Microsoft Windows Server 2019 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Windows 7 Enterprise 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Windows 7 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Windows 7 Home Premium 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Windows 7 Home Premium x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Windows 7 Professional 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Windows 7 Professional x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Windows 7 Ultimate 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Windows 7 Ultimate x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
64-bit Enabled AIX | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
64-bit Enabled Solaris | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
HP-UX IPF | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Linux for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
Solaris for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
*
For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be
fixed.
This issue occurs when the Service Principal Name is different from the User Principal Name.
Type: | Problem Note |
Priority: | high |
Date Modified: | 2021-02-03 14:54:58 |
Date Created: | 2020-11-16 03:56:59 |