When you set up Integrated Windows Authentication (IWA) and single sign-on (SSO) with Kerberos on SAS 9.4M7, you see the following message in the logs for the SAS® Metadata Server and SAS Object Spawner:
The error appears because the User Principal Name (UPN) is different from the Service Principal Name (SPN) in Microsoft Active Directory.
As a workaround, you must tell SAS which principal name to use to initialize the credential. To define the principal, take the following steps for the environment variable SAS_SERVICE_PRINCIPAL:
Setting the SAS_SERVICE_PRINCIPAL variable works only when the Kerberos keytab contains either just the UPN or both the UPN and the SPN. If the keytab contains only the SPN, Kerberos authentication still fails, because the keytab does not hold the long-term keys for the UPN that SAS needs to initialize a Kerberos credential. In that case, regenerate the keytab so that it includes the UPN as well.
Alternatively, you can modify the service account and set the UPN to be the same as the SPN.
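To confirm which case applies before you set the variable, you can list the principals stored in the keytab. The following Python sketch is an added example, not SAS code: it reads a version 0x0502 keytab (the MIT file format) and reports whether a given principal has an entry. The principal names and the `name@REALM` form passed to `has_principal` are assumptions made for illustration, and the sample keytabs are constructed with dummy keys.

```python
import struct

def keytab_principals(data: bytes) -> set:
    """List principals (name@REALM) in a version 0x0502 keytab; keys are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                  # zero-length record: treat as end of data
            break
        if size < 0:                   # deleted entry (hole): skip its bytes
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):     # realm first, then each name component
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def has_principal(data: bytes, principal: str) -> bool:
    """True if the keytab holds long-term keys for this exact principal."""
    return principal in keytab_principals(data)

def make_entry(principal: str) -> bytes:
    """Constructed sample entry with a dummy all-zero key (test data only)."""
    name, _, realm = principal.rpartition("@")
    s = lambda b: struct.pack(">H", len(b)) + b
    comps = name.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + s(realm.encode()) + b"".join(map(s, comps))
    body += struct.pack(">IIB", 1, 0, 1)           # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", 18) + s(bytes(32))   # enctype 18 (AES256), 32-byte key
    return struct.pack(">i", len(body)) + body

# Constructed principals: hypothetical service account and SPN, not from the note.
UPN = "svc-sas@EXAMPLE.COM"
SPN = "SAS/sasmeta.example.com@EXAMPLE.COM"
SPN_ONLY = b"\x05\x02" + make_entry(SPN)
BOTH = b"\x05\x02" + make_entry(SPN) + make_entry(UPN)

if __name__ == "__main__":
    for label, kt in (("SPN only", SPN_ONLY), ("UPN and SPN", BOTH)):
        print(label, sorted(keytab_principals(kt)), "UPN present:", has_principal(kt, UPN))
```

For a real keytab, pass the file's bytes (read in binary mode) to `has_principal`; a result of `False` for the UPN corresponds to the SPN-only case, in which the keytab must be regenerated.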
Click the Hot Fix tab in this note to access the hot fix for this issue.
Product Family | Product | System | Product Release (Reported) | Product Release (Fixed*) | SAS Release (Reported) | SAS Release (Fixed*)
SAS System | SAS Integration Technologies | Microsoft® Windows® for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 8 Enterprise 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 8 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 8 Pro 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 8 Pro x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 8.1 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 8.1 Pro 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 8.1 Pro x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows 10 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2008 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2008 R2 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2008 for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2012 Datacenter | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2012 R2 Datacenter | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2012 R2 Std | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2012 Std | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2016 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Microsoft Windows Server 2019 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Windows 7 Enterprise 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Windows 7 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Windows 7 Home Premium 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Windows 7 Home Premium x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Windows 7 Professional 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Windows 7 Professional x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Windows 7 Ultimate 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Windows 7 Ultimate x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | 64-bit Enabled AIX | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | 64-bit Enabled Solaris | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | HP-UX IPF | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Linux for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8
SAS System | SAS Integration Technologies | Solaris for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8