Security
Scenario: Alternate Authentication Provider
One of the most beneficial ways to use alternative authentication providers
is to run the SAS Metadata Server or OLAP server on UNIX or z/OS with SAS Workspace
Servers and SAS Stored Process Servers deployed on a Windows machine.
If you already have your users set up on a Microsoft Active Directory server,
this type of setup might be a useful scenario to consider for user authentication.
Authenticating users against the Microsoft Active Directory services
minimizes the number of accounts you would be required to create on a UNIX or z/OS machine.
This type of scenario provides the following benefits:
- speed, flexibility, and excellent response time due to running the SAS
  Metadata Server on a large, multi-processor, 64-bit UNIX or z/OS server.
  An OLAP server can also authenticate against Microsoft Active Directory; therefore, it would
  also be beneficial to deploy an OLAP server on UNIX or z/OS for this scenario.
- with the exception of the user account definition for the invoker of the SAS Metadata Server,
  there will be no requirements for user accounts on the server-tier UNIX or z/OS server.
- for each user, a requirement for only one Windows account definition;
  this account can also be used to host-authenticate users that connect to
  SAS Workspace Servers or SAS Stored Process Servers deployed on Windows.
The following scenario shows how to configure such a setup by enabling the Microsoft
Active Directory alternative authentication provider to authenticate
users for a SAS Metadata Server on UNIX. The scenario consists of the following:
- a SAS Metadata Server that runs on a UNIX host system.
  Normally, in order to create users for host authentication, you would
  need to set up user accounts for your users on the UNIX host system.
  However, if your users are already defined in Active Directory,
  you can use a Microsoft Active Directory server to authenticate users of the SAS Metadata Server.
- a Microsoft Active Directory server that contains users in the Raleigh domain.
To configure this scenario, follow these steps:
- Ensure that all users are defined on the Microsoft Active Directory server.
- Start the SAS Metadata Server with the following startup script
  (line continuations added so the options are passed to a single sas invocation):
    export AD_PORT=389
    export AD_HOST=myMachine.myCompany.com
    "/sasv91/sas.exe" -log "/sasoma/logs/sasoma.log" \
      -logparm "write=immediate" -linesize max \
      -pagesize max -noterminal -memsize 0 \
      -authproviderdomain "(ADIR: ADIRDomain)" \
      -objectserver -objectserverparms "protocol=bridge \
      port=XXXX classfactory=2887E7D7-4780-11D4-879F-00C04F38F0DB"
- Define users in the SAS Metadata Server as follows:
  For Microsoft Active Directory authentication:
  For host authentication:
- Ensure that users log on with the appropriate login credentials:
The authentication process will then work as follows:
- The SAS Metadata Server is started with the AUTHPD ADIR:ADIRDomain option.
- A user logs on with the login credentials Raleigh\ADIRUser1@ADIRDomain.
- The SAS Metadata Server (which was started with the AUTHPD ADIR:ADIRDomain option)
  determines that the @ADIRDomain suffix indicates Active Directory authentication.
- The user Raleigh\ADIRUser1 is authenticated against Microsoft Active Directory.
- Another user logs on as UNIXUser1.
- The SAS Metadata Server determines that the lack of an @domain suffix
  indicates host authentication.
- The user UNIXUser1 is authenticated against the host authentication provider.
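As an added illustration (example code written for this page, not SAS code), the routing rule above simulated in Python: parse_authpd reads an -authproviderdomain value such as "(ADIR: ADIRDomain)" and route_login applies the @domain rule to a login string. Accepting several comma-separated provider:domain pairs, matching the domain suffix case-insensitively, and rejecting a suffix that names no configured domain are assumptions; the page does not say how the server behaves in those cases.

```python
# Constructed sample of the startup option used in the scenario above.
AUTHPD_OPTION = "(ADIR: ADIRDomain)"


def parse_authpd(option: str) -> dict:
    """Parse an -authproviderdomain value into {domain (lower-cased): PROVIDER}.
    Assumption: several comma-separated 'PROVIDER: domain' pairs are allowed."""
    body = option.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    mapping = {}
    for pair in body.split(","):
        if not pair.strip():
            continue
        provider, sep, domain = pair.partition(":")
        provider, domain = provider.strip().upper(), domain.strip()
        if not sep or not provider or not domain:
            raise ValueError(f"malformed provider:domain pair: {pair!r}")
        mapping[domain.lower()] = provider
    return mapping


def route_login(login: str, authpd: dict) -> dict:
    """Decide which provider authenticates a login, following the scenario:
    an @domain suffix naming a configured authentication domain selects that
    provider; a login without a suffix goes to host authentication."""
    result = {"provider": None, "user": login, "ad_domain": None, "domain": None}
    user, sep, domain = login.rpartition("@")
    if not sep:
        # No '@' at all, e.g. 'UNIXUser1': host authentication.
        result["provider"] = "HOST"
        return result
    result["domain"] = domain
    provider = authpd.get(domain.lower())  # assumption: case-insensitive match
    if provider is None:
        # Assumption: a suffix that names no configured domain is rejected
        # (provider stays None) rather than silently falling back to host auth.
        result["user"] = user
        return result
    # Windows-style 'Raleigh\ADIRUser1' keeps its AD domain as a separate field.
    ad_domain, _, account = user.rpartition("\\")
    result.update(provider=provider, user=account, ad_domain=ad_domain or None)
    return result


if __name__ == "__main__":
    table = parse_authpd(AUTHPD_OPTION)
    for login in ("Raleigh\\ADIRUser1@ADIRDomain", "UNIXUser1", "x@Unknown"):
        print(login, "->", route_login(login, table))
```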
For further details about setting up Microsoft Active Directory authentication,
see Implementing Alternative Authentication Providers.