Problem Note 66937: You see a "Kerberos failure" message after you set up Integrated Windows Authentication and single sign-on for SAS® 9.4M7 (TS1M7)

When you set up Integrated Windows Authentication (IWA) and single sign-on (SSO) with Kerberos on SAS 9.4M7, you see the following message in the logs for the SAS® Metadata Server and SAS Object Spawner: 

Kerberos failure in function krb5_get_init_creds_keytab: Client 'SAS/metadata.host.com@REALM.COM' not found in Kerberos database

The error appears because the User Principal Name (UPN) is different from the Service Principal Name (SPN) in Microsoft Active Directory.

As a workaround, you must tell SAS which principal name to use to initialize the credential. To define the principal, set the environment variable SAS_SERVICE_PRINCIPAL as follows:

  1. Add the following information in the level_env_usermods.sh file in SAS-configuration-directory/Lev#/:

    SAS_SERVICE_PRINCIPAL=user-name@REALM.COM
    export SAS_SERVICE_PRINCIPAL

     
  2. Restart both SAS Metadata Server and SAS Object Spawner.

Setting the SAS_SERVICE_PRINCIPAL variable works only when the Kerberos keytab contains either just the UPN or both the UPN and SPN. However, if the Kerberos keytab contains only the SPN, then Kerberos authentication will still fail, because the keytab does not contain the long-term keys for the UPN that can enable SAS to initialize a Kerberos credential. The Kerberos keytab needs to be regenerated in order to include the UPN as well.

Alternatively, you can modify the service account and set the UPN to be the same as the SPN.
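
One way to check which of the keytab cases described above applies before relying on SAS_SERVICE_PRINCIPAL, as an added example that is not SAS code: it classifies the text printed by MIT Kerberos `klist -k` (plain, without `-t`). The function names, verdict strings and sample listings are constructed for illustration; the principal names are the placeholders used in this note.

```shell
#!/bin/sh
# Added example (not SAS code): does a keytab satisfy the UPN/SPN rule above?
# Assumption: LISTING is the output of plain `klist -k` (KVNO, then principal).

# keytab_has LISTING PRINCIPAL -> exit status 0 if PRINCIPAL has an entry
keytab_has() {
    printf '%s\n' "$1" | awk -v p="$2" '
        # entry lines start with a numeric KVNO; header lines do not
        $1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
        END { exit !found }'
}

# keytab_verdict LISTING UPN SPN -> prints one of:
#   ok-upn-only | ok-both     SAS_SERVICE_PRINCIPAL=UPN can work
#   regenerate-spn-only       no long-term keys for the UPN; regenerate keytab
#   neither                   wrong keytab or wrong principal names
keytab_verdict() {
    has_upn=no; has_spn=no
    keytab_has "$1" "$2" && has_upn=yes
    keytab_has "$1" "$3" && has_spn=yes
    case "$has_upn/$has_spn" in
        yes/no)  echo ok-upn-only ;;
        yes/yes) echo ok-both ;;
        no/yes)  echo regenerate-spn-only ;;
        *)       echo neither ;;
    esac
}

# Constructed sample data, using the placeholder names from this note.
UPN='user-name@REALM.COM'
SPN='SAS/metadata.host.com@REALM.COM'
SPN_ONLY='Keytab name: FILE:/tmp/constructed.keytab
KVNO Principal
---- ----------------------------------------
   3 SAS/metadata.host.com@REALM.COM'
BOTH="$SPN_ONLY
   3 user-name@REALM.COM"

# Demo: prints regenerate-spn-only, then ok-both
for listing in "$SPN_ONLY" "$BOTH"; do
    keytab_verdict "$listing" "$UPN" "$SPN"
done
```

On a real host, the listing comes from `klist -k` run against the keytab that the SAS Metadata Server and SAS Object Spawner use, passed as the first argument to `keytab_verdict`.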

Click the Hot Fix tab in this note to access the hot fix for this issue.



Operating System and Release Information

| Product Family | Product | System | Product Release (Reported) | Product Release (Fixed*) | SAS Release (Reported) | SAS Release (Fixed*) |
|---|---|---|---|---|---|---|
| SAS System | SAS Integration Technologies | Microsoft® Windows® for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 8 Enterprise 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 8 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 8 Pro 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 8 Pro x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 8.1 Enterprise 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 8.1 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 8.1 Pro 32-bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 8.1 Pro x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows 10 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2008 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2008 R2 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2008 for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2012 Datacenter | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2012 R2 Datacenter | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2012 R2 Std | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2012 Std | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2016 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Microsoft Windows Server 2019 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Windows 7 Enterprise 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Windows 7 Enterprise x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Windows 7 Home Premium 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Windows 7 Home Premium x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Windows 7 Professional 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Windows 7 Professional x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Windows 7 Ultimate 32 bit | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Windows 7 Ultimate x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | 64-bit Enabled AIX | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | 64-bit Enabled Solaris | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | HP-UX IPF | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Linux for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |
| | | Solaris for x64 | 9.4_M7 | 9.4_M8 | 9.4 TS1M7 | 9.4 TS1M8 |

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.