68616 - IWA/Kerberos authentication issues occur after you apply the Microsoft Windows Server November 9, 2021 Security Update

Problem Note 68616: IWA/Kerberos authentication issues occur after you apply the Microsoft Windows Server November 9, 2021 Security Update

If you have a SAS^®9 or SAS^® Viya^® 3.5 and earlier environment that uses the following, you might encounter the issue described below:

Windows 2019 Servers and you apply the November 9th, 2021 Microsoft Windows Security Update: KB5007206 (OS Build 17763.2300)
Windows 2016 Servers and you apply the November 9th, 2021 Microsoft Windows Security Update: KB5007192 (OS Build 14393.4770)

SAS^®9 Error Example:

When you run code in SAS applications (SAS^® Enterprise Guide^®, SAS^® Data Integration Studio, SAS^® Visual Analytics, and so on), the code fails and produces an error similar to the following:

ERROR: Undetermined I/O failure.

SAS^® Viya^® 3.5 and earlier Error Examples:

When you run code in SAS Visual Analytics, the code fails and produces an error similar to the following:

An error occurred while loading data. The data source is closed. Probably due to socket timeout or premature shutdown of the data source.

SAS^® Studio V logon fails and produces an error similar to the following:

Kerberos handshake error.

In this scenario, the SAS Launcher Service log shows messages similar to the following:

2021-11-15 08:35:31.912 ERROR 44396 --- [o-auto-1-exec-9] com.sas.commons.rest.ExceptionLog        : UserID [4d4c8692514e78ac]   caused by: com.sas.launcher.error.LauncherRuntimeException: Kerberos handshake error.

2021-11-15 08:35:31.912 ERROR 44396 --- [o-auto-1-exec-9] com.sas.commons.rest.ExceptionLog        : UserID [4d4c8692514e78ac]   caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))

2021-11-15 08:35:31.912 ERROR 44396 --- [o-auto-1-exec-9] com.sas.commons.rest.ExceptionLog        : UserID [4d4c8692514e78ac]   caused by: sun.security.krb5.KrbException: Message stream modified (41)

2021-11-15 08:35:31.912 ERROR 44396 --- [o-auto-1-exec-9] com.sas.commons.rest.ExceptionLog        : UserID [4d4c8692514e78ac]   caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)

Solution:

Windows 2019 Servers: Apply Microsoft Windows November 14th, 2021 out-of-band hot fix: KB5008602(OS Build 17763.2305) on the Domain Controller.

Windows 2016 Servers: Apply Microsoft Windows November 14th, 2021 out-of-band hot fix: KB5008601 (OS Build 14393.4771) on the Domain Controller.

Hot fix Information from Microsoft: This hot fix addresses a known issue that might cause authentication failures related to Kerberos tickets that you acquired from Service for User to Self (S4U2self). This issue occurs after you install the November 9, 2021 security updates on domain controllers (DC) that are running Windows Server.

Operating System and Release Information

Product Family	Product	System	SAS Release
			Reported	Fixed*
SAS System	N/A	Microsoft Windows Server 2019
		Microsoft Windows Server 2016

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

Type:	Problem Note
Priority:	alert

Date Modified:	2021-11-18 16:00:31
Date Created:	2021-11-18 10:55:32

Support

Problem Note 68616: IWA/Kerberos authentication issues occur after you apply the Microsoft Windows Server November 9, 2021 Security Update

SAS®9 Error Example:

SAS® Viya® 3.5 and earlier Error Examples:

Solution:

Operating System and Release Information

SAS^®9 Error Example:

SAS^® Viya^® 3.5 and earlier Error Examples: