SAS 9.1.3 Integration Technologies » Server Administrator's Guide

Scenario: Alternate Authentication Provider

One of the most useful ways to use an alternative authentication provider is to run the SAS Metadata Server or OLAP server on UNIX or z/OS while the SAS Workspace Servers and SAS Stored Process Servers run on a Windows machine. If your users are already defined in Microsoft Active Directory, this setup is worth considering: authenticating them against Active Directory minimizes the number of accounts you must create on the UNIX or z/OS machine.

This scenario provides the following benefits:

  • the SAS Metadata Server runs on a large, multi-processor, 64-bit UNIX or z/OS server, which gives good performance, flexibility, and response time. An OLAP server can also authenticate against Microsoft Active Directory, so it is equally worth deploying the OLAP server on UNIX or z/OS in this scenario.

  • only one user account is required on the server-tier UNIX or z/OS machine: the account that invokes the SAS Metadata Server.

  • each user needs only one Windows account definition; that same account host-authenticates the user to the SAS Workspace Servers and SAS Stored Process Servers deployed on Windows.

The following scenario shows how to configure such a setup by enabling the Microsoft Active Directory alternative authentication provider for a SAS Metadata Server on UNIX. The scenario consists of the following:

  • a SAS Metadata Server that runs on a UNIX host. Normally, host authentication would require a user account for each user on the UNIX host. If your users are already defined in Active Directory, the SAS Metadata Server can authenticate them against the Microsoft Active Directory server instead.

  • a Microsoft Active Directory server that contains the users in the Raleigh domain.

To configure this scenario, follow these steps:

  1. Ensure that all users are defined on the Microsoft Active Directory server.

  2. Start the SAS Metadata Server with the following startup script (the AUTHPROVIDERDOMAIN value is quoted so that the shell does not treat the parentheses as a subshell, and the long command line is continued with backslashes):

    #!/bin/sh
    # The Active Directory provider reads the LDAP port from AD_PORT; 389 is plain LDAP.
    export AD_PORT=389
    "/sasv91/sas.exe" -log "/sasoma/logs/sasoma.log" \
      -logparm "write=immediate" -linesize max \
      -pagesize max -noterminal -memsize 0 \
      -authproviderdomain "(ADIR:ADIRDomain)" \
      -objectserver \
      -objectserverparms "protocol=bridge port=XXXX classfactory=2887E7D7-4780-11D4-879F-00C04F38F0DB"

    Replace port=XXXX with the port on which the SAS Metadata Server listens. Port 389 is unencrypted LDAP: unless the connection to the domain controller is otherwise protected, the bind that verifies a user's password carries that password in the clear, so keep the path between the SAS Metadata Server and the domain controller on a trusted network segment.

  3. Define a login for each user in the SAS Metadata Server, with the user ID written in the same form that the user will type at logon:

    For Microsoft Active Directory authentication: [figure: New Login Properties dialog box for Microsoft Active Directory authentication]

    For host authentication: [figure: New Login Properties dialog box for host authentication]

  4. Ensure that users log on with the appropriate login credentials:

    • For Microsoft Active Directory authentication:

      For example, Raleigh\ADIRUser1@ADIRDomain

    • For host authentication:

      For example, UNIXUser1

The authentication process then works as follows:

  1. The SAS Metadata Server is started with the AUTHPD ADIR:ADIRDomain option (AUTHPD is the short form of AUTHPROVIDERDOMAIN).
  2. A user logs on with the login credentials Raleigh\ADIRUser1@ADIRDomain.
  3. The SAS Metadata Server matches the @ADIRDomain suffix against its AUTHPROVIDERDOMAIN mapping and determines that it selects Active Directory authentication.
  4. The user Raleigh\ADIRUser1 is authenticated against Microsoft Active Directory.
  5. Another user logs on as UNIXUser1.
  6. The SAS Metadata Server determines that the missing @domain suffix indicates host authentication.
  7. The user UNIXUser1 is authenticated against the host authentication provider.

The @domain suffix that the client supplies only selects the provider; the password is still verified by that provider. A user who appends @ADIRDomain to a host account name is therefore checked against Active Directory, not against the UNIX host.
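
The provider selection described in the walkthrough above, together with the two forms of login credentials from step 4, as an added Python illustration (this is not SAS code and does not describe the SAS Metadata Server's internals): it parses the AUTHPROVIDERDOMAIN value and a typed user ID, routes the logon by its @domain suffix, and verifies it against constructed in-memory stand-ins for the Active Directory server and the UNIX host. The function names, the case-folding rules, the refusal of a suffix that is not listed in AUTHPROVIDERDOMAIN, and the sample user stores are all assumptions of the example.

```python
"""Provider selection for a SAS Metadata Server started with
-authproviderdomain "(ADIR:ADIRDomain)", as described in the scenario.
Added illustration, not SAS code: the function names, the case-folding
rules and the in-memory user stores are assumptions."""

import hmac
from typing import Dict, NamedTuple, Optional


class Credential(NamedTuple):
    windows_domain: Optional[str]  # "Raleigh" in Raleigh\ADIRUser1@ADIRDomain, or None
    user: str                      # "ADIRUser1" or "UNIXUser1"
    auth_domain: Optional[str]     # "ADIRDomain", or None when no @suffix was typed


def parse_authproviderdomain(option: str) -> Dict[str, str]:
    """Parse the AUTHPROVIDERDOMAIN value, e.g. "(ADIR:ADIRDomain)" or
    "(ADIR:ADIRDomain, LDAP:LDAPDomain)", into {AUTH_DOMAIN: PROVIDER}.
    Keys are upper-cased because the page writes both @ADIRDomain and
    @ADIRDOMAIN for the same domain (case-insensitive match is assumed)."""
    body = option.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    mapping: Dict[str, str] = {}
    for pair in body.split(","):
        provider, sep, domain = pair.partition(":")
        if not sep or not provider.strip() or not domain.strip():
            raise ValueError(f"malformed provider:domain pair {pair!r}")
        mapping[domain.strip().upper()] = provider.strip().upper()
    return mapping


def parse_credential(login: str) -> Credential:
    """Split a typed user ID into Windows domain, user name and the
    @authentication-domain suffix.  Only the last '@' and the last
    backslash are treated as separators."""
    name, at, auth_domain = login.rpartition("@")
    if not at:
        name, auth_domain = login, ""
    elif not auth_domain:
        raise ValueError(f"empty authentication domain in {login!r}")
    windows_domain, _, user = name.rpartition("\\")
    if not user:
        raise ValueError(f"empty user name in {login!r}")
    return Credential(windows_domain or None, user, auth_domain or None)


def choose_provider(cred: Credential, mapping: Dict[str, str]) -> str:
    """Steps 3 and 6 of the walkthrough: the @domain suffix selects the
    provider; no suffix means host authentication."""
    if cred.auth_domain is None:
        return "HOST"
    provider = mapping.get(cred.auth_domain.upper())
    if provider is None:
        # The page does not say how a suffix that is not listed in
        # AUTHPROVIDERDOMAIN is handled; refusing it is this example's choice.
        raise LookupError(f"no provider configured for domain {cred.auth_domain!r}")
    return provider


# Constructed stand-ins for the two back ends (not real credentials).
AD_USERS = {("RALEIGH", "ADIRUSER1"): "ad-secret"}  # Active Directory, Raleigh domain
HOST_USERS = {"UNIXUser1": "host-secret"}           # accounts on the UNIX host
MAPPING = parse_authproviderdomain("(ADIR:ADIRDomain)")


def authenticate(login: str, password: str, mapping: Dict[str, str] = MAPPING) -> bool:
    """Route the logon the way steps 2 to 7 describe and verify it against
    the selected back end.  The back end, not the suffix typed by the
    client, is what finally accepts or rejects the password."""
    cred = parse_credential(login)
    provider = choose_provider(cred, mapping)
    if provider == "HOST":
        stored = HOST_USERS.get(cred.user)  # UNIX user names are case-sensitive
    elif provider == "ADIR":
        key = ((cred.windows_domain or "").upper(), cred.user.upper())  # AD names are not
        stored = AD_USERS.get(key)
    else:
        raise LookupError(f"provider {provider!r} is not simulated here")
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


if __name__ == "__main__":
    for login, pw in [("Raleigh\\ADIRUser1@ADIRDomain", "ad-secret"),
                      ("UNIXUser1", "host-secret"),
                      ("UNIXUser1@ADIRDomain", "host-secret")]:
        cred = parse_credential(login)
        print(f"{login:32} -> {choose_provider(cred, MAPPING):4} ok={authenticate(login, pw)}")
```

The third logon in the usage loop is the instructive one: UNIXUser1 with an @ADIRDomain suffix is routed to Active Directory, where no such account exists, and is rejected even though the password would have been accepted by the host provider.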

For further details about setting up Microsoft Active Directory authentication, see Implementing Alternative Authentication Providers.