Problem:

When you are connecting to a SAS Viya 3.5 legacy SAS^®9 runtime workspace server using Integrated Windows Authentication (IWA) and have constrained delegation configured, the sas.exe process does not run under the trusted identity running the SAS object spawner. This issue occurs when you use SAS Enterprise Guide 8.2 and/or 8.3 releases. This configuration is noted in the bottom section of Configure Kerberos Constrained Delegation for SAS Launcher Server and SAS Object Spawner.

Note: After constrained delegation is enabled, all SAS^® Compute Server processes and all SAS^® Cloud Analytic Services session processes run as the same user ID, as SAS^® Launcher Server and SAS Cloud Analytic Services, respectively. The internal threads of each process impersonate the client user ID. Therefore, they have the same rights and privileges as the client user.
 

Solution:

Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update.

Operating System and Release Information

Viya on Windows: An update for this issue is available for SAS Viya 3.5. For instructions on how to access and apply software updates, see the Updating Your SAS Viya software section in the SAS Viya 3.5 for Windows Deployment Guide at