Problem Note 71050: User tickets might not be configured for the maximum life in a Constrained Delegation Kerberos enabled SAS® Viya® 3.5 environment
When you use Kerberos Constrained-Delegation in SAS Viya 3.5, the expiration of the ticket made available to the compute server might not reflect the full ticket lifetime in the Kerberos configuration.
This issue can cause SAS sessions to start successfully but be unable to connect to downstream Kerberos-secured processes.
This issue occurs because the ticket expiration is based on the ticket that the SAS Launcher Server uses to obtain a delegated ticket for the user, and, by default, the SAS Launcher Server does not renew this ticket until it has expired.
A workaround is to start a new SAS session.
Click the Hot Fix tab in this note for a link to instructions about accessing and applying the software update.
Post Hot Fix Instructions
The hot fix adds a configuration environment variable: SAS_CRED_RENEW_INTERVAL.
When this variable is unset or set to a negative integer, the default behavior continues.
When it is set to a positive integer n, the SAS Launcher Server renews its Kerberos ticket every n seconds.
When it is set to zero (0), the SAS Launcher Server renews its Kerberos ticket with each inbound request.
To set this variable, complete the following steps:
1. Source the consul.conf configuration file:
. /opt/sas/viya/config/consul.conf
2. Run the sas-bootstrap-config command to add the environment variable to the SAS® Configuration Server:
/opt/sas/viya/home/bin/sas-bootstrap-config \
--token-file /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token \
kv write --force --key config/launcher-server/global/environment/SAS_CRED_RENEW_INTERVAL --value n
3. Restart the SAS Launcher Server on any ComputeServer hosts:
sudo systemctl restart sas-viya-runlauncher-default
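The following shell sketch is an added example, not SAS code. It classifies a candidate SAS_CRED_RENEW_INTERVAL value by the rules above and estimates the shortest remaining lifetime a new session's ticket could have. The function names and the 36000-second lifetime are constructed, and the estimate assumes that a renewal restores the full ticket lifetime.

```shell
#!/bin/sh
# Added example (not SAS code): interpret a candidate SAS_CRED_RENEW_INTERVAL
# value using the rules in this note before writing it to the configuration server.

# renew_mode VALUE -> default | every-request | periodic | invalid
renew_mode() {
  case "${1-}" in
    "")           echo default ;;        # unset: default behavior continues
    -|-*[!0-9]*)  echo invalid ;;        # "-" alone or "-12x"
    -*[1-9]*)     echo default ;;        # negative integer: same as unset
    *[!0-9]*)     echo invalid ;;        # not an integer (includes "-0")
    0?*)          echo invalid ;;        # leading zeros would be read as octal
    *[1-9]*)      echo periodic ;;       # positive n: renew every n seconds
    *)            echo every-request ;;  # 0: renew on each inbound request
  esac
}

# min_remaining LIFETIME_SECONDS VALUE
# Assumption (a model, not SAS internals): the delegated ticket expires when the
# launcher's ticket does, and each renewal restores the full lifetime.
min_remaining() {
  case "$(renew_mode "${2-}")" in
    default)       echo 0 ;;             # launcher ticket may be about to expire
    every-request) echo "$1" ;;          # always freshly renewed
    periodic)      if [ "$2" -lt "$1" ]; then echo $(( $1 - $2 )); else echo 0; fi ;;
    *)             return 1 ;;           # reject values the note does not define
  esac
}

# Constructed sample: a 36000-second (10-hour) ticket lifetime.
for v in "" -1 0 3600 36000 abc; do
  printf 'value=%-8s mode=%-13s worst-case remaining=%s\n' \
    "${v:-<unset>}" "$(renew_mode "$v")" "$(min_remaining 36000 "$v" || echo n/a)"
done
```

An interval at or above the ticket lifetime gives the same worst case as the default behavior in this model, so choose n well below the lifetime set in the Kerberos configuration.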
Operating System and Release Information
SAS System | SAS Viya 3.x | Linux for x64 | 3.5 | | Viya 3.5 | |
* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.
Type: Problem Note
Priority: high
Date Modified: 2024-11-20 13:34:17
Date Created: 2024-11-15 14:59:14