SAS 9.1.3 Integration Technologies » Server Administrator's Guide

How Servers Determine the Authentication Provider

When a user who requires authentication connects to an IOM Server, the server must determine the appropriate authentication provider to use for authentication. When a user connects, he or she might log on with credentials in any of the following formats:

  • userid
  • userid@domain
  • domain\userid
  • userid@AUTHPROVIDERDOMAIN
  • userid@domain@AUTHPROVIDERDOMAIN
  • domain\userid@AUTHPROVIDERDOMAIN
  • domain/userid@AUTHPROVIDERDOMAIN

The server determines the authentication provider as follows:

How Servers Determine the Authentication Provider

Condition: The server was started with the AUTHPROVIDERDOMAIN option and is a SAS Metadata Server or SAS OLAP Server.
Result:
  • If the user specified an authentication provider domain that matches an assigned authentication provider domain, the associated provider is used for authentication.
  • If the user specified an authentication provider domain that does not match an assigned provider domain, or if the user did not specify an authentication provider domain, the host authentication provider for the server's machine is used.

Condition: The server was started without the AUTHPROVIDERDOMAIN option.
Result: The host authentication provider for the server's machine is used.
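The selection rule above, together with the credential formats listed earlier, is modelled in the following added example. It is not SAS code; the provider labels ("host", "LDAP", "Active Directory"), the mapping of assigned AUTHPROVIDERDOMAIN values to providers, and the way an unmatched "userid@x" suffix is treated as the user's Windows domain for host authentication are constructed assumptions that the page does not spell out.

```python
# Added example, not SAS code: models how an IOM server parses a login string
# and selects an authentication provider, following the credential formats and
# the selection table in this section. Provider labels and the assigned-domain
# mapping are constructed inputs.
from typing import Dict, NamedTuple, Optional, Tuple


class Login(NamedTuple):
    userid: str
    domain: Optional[str]       # Windows domain or machine name, if given
    auth_domain: Optional[str]  # candidate AUTHPROVIDERDOMAIN suffix, if given


def parse_login(login: str) -> Login:
    """Split a login in any documented format:
    userid, userid@domain, domain\\userid, domain/userid,
    and each of those followed by @AUTHPROVIDERDOMAIN."""
    parts = login.split("@")
    if len(parts) > 3 or any(p == "" for p in parts):
        raise ValueError(f"unrecognized login format: {login!r}")
    auth_domain = parts[2] if len(parts) == 3 else None
    domain = parts[1] if len(parts) == 3 else None
    user_part = parts[0]
    if len(parts) == 2:
        # "x@y" is either userid@domain or <user-part>@AUTHPROVIDERDOMAIN.
        # The page does not say how the server disambiguates; this example
        # treats y as a candidate provider domain and lets select_provider
        # fall back to the host provider when it matches nothing (assumption).
        auth_domain = parts[1]
    # A domain prefix may use either separator: domain\userid or domain/userid.
    for sep in ("\\", "/"):
        if sep in user_part:
            prefix, user_part = user_part.split(sep, 1)
            if domain is not None:
                raise ValueError(f"domain given twice in {login!r}")
            domain = prefix
            break
    return Login(user_part, domain, auth_domain)


HOST = "host"  # constructed label for the host authentication provider


def select_provider(login: str, server_type: str,
                    assigned: Optional[Dict[str, str]]) -> Tuple[str, Login]:
    """Return (provider label, parsed login).

    assigned maps each AUTHPROVIDERDOMAIN value to a provider label; None or an
    empty mapping means the server was started without the option."""
    parsed = parse_login(login)
    if not assigned:
        return HOST, parsed  # started without AUTHPROVIDERDOMAIN: always host
    if server_type not in ("SAS Metadata Server", "SAS OLAP Server"):
        # The table covers only Metadata and OLAP servers; other server types
        # fall back to host here (assumption).
        return HOST, parsed
    if parsed.auth_domain is not None:
        # Domain names are compared case-insensitively (assumption).
        for assigned_domain, provider in assigned.items():
            if assigned_domain.lower() == parsed.auth_domain.lower():
                return provider, parsed
    # No provider domain given, or it matched no assigned domain: host.
    # For "userid@x" with no match, x is reinterpreted as the user's Windows
    # domain for host authentication (assumption; see parse_login).
    if parsed.auth_domain is not None and parsed.domain is None:
        parsed = parsed._replace(domain=parsed.auth_domain, auth_domain=None)
    return HOST, parsed


if __name__ == "__main__":
    # Constructed server configuration: two provider domains assigned.
    assigned_domains = {"LDAPDOM": "LDAP", "ADDOM": "Active Directory"}
    for attempt in ("tom", "CORP\\tom", "tom@LDAPDOM", "CORP/tom@ADDOM", "tom@CORP"):
        print(attempt, "->", select_provider(attempt, "SAS Metadata Server", assigned_domains))
```

The parser is deliberately strict: an empty component or more than two "@" separators is rejected rather than guessed at, since a login that matches no documented format should not silently fall through to host authentication with a mangled user ID.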

Understanding How Authentication Providers Handle Domains

When a user's credentials are authenticated, the domain allows the user credentials to be further qualified in order to determine an identity for authorization purposes. However, a user might need to specify a domain (or machine name) when they log on:

  • For Windows host authentication, your host users might specify domains when they log on.

  • For host authentication on systems other than Windows, host users do not typically specify domains when they log on.

  • For LDAP and Microsoft Active Directory authentication, the LDAP or Active Directory user must specify an authentication provider domain in order to associate that domain with an authentication provider. The server uses the AUTHPROVIDERDOMAIN option to enable LDAP or Active Directory users in that domain to use LDAP or Active Directory as the authentication provider. The user might also specify a security domain for the LDAP or Active Directory provider.

Depending on the type of authentication provider, domains are handled as follows:

Windows Host Authentication

For Windows host authentication:

  • If users specify a domain when they log on, the Windows host returns that user domain (or machine name if it is a local account) for use in determining an identity for authorization.

  • If users do not specify a domain when they log on, the Windows host system handles the lack of domain as follows:

    • If the server was started with the AUTHPROVIDERDOMAIN system option to associate a domain with the HOSTUSER, the Windows host authentication returns this domain for use in determining an identity for authorization.

    • If the server was not started with the AUTHPROVIDERDOMAIN system option, the host authentication provider looks through all of the domains (searching the local machine first) for a match on the user ID. If a user ID match is found, the associated domain is returned.

    Note: On Windows systems, if the AUTHSERVER option associates a domain with the HOSTUSER, the Windows host authentication returns this domain as the default domain. If both AUTHPROVIDERDOMAIN and AUTHSERVER are specified, the option that was specified first takes precedence.

Host Authentication on Systems other than Windows

For host authentication on systems other than Windows, users do not typically specify a domain when they log on. However, the host can return a domain for use in determining an identity for authorization as follows:

  • If the AUTHPROVIDERDOMAIN option was specified with a domain for the HOSTUSER, the host authentication returns this domain for use in determining an identity for authorization.

  • If the AUTHPROVIDERDOMAIN was not specified, the host authentication does not return a domain.

LDAP or Microsoft Active Directory Authentication

For LDAP or Microsoft Active Directory authentication, if LDAP or Active Directory users do not specify a domain when they log on, the LDAP or Active Directory provider returns the domain as follows:

  • If the user ID that is stored in LDAP or Active Directory contains a domain (for example, ABC\Tom), that domain is returned for use in authorization.

  • If the user ID that is stored in LDAP or Active Directory does not contain a domain (for example, Tom), the LDAP or Active Directory domain that is specified on the AUTHPROVIDERDOMAIN option is returned for use in authorization.
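The three sets of domain rules above (Windows host, non-Windows host, and LDAP or Active Directory) are brought together in this added example. It is not SAS code: the option values, the Windows domain list, and the stored LDAP user IDs are constructed inputs, and the handling of an LDAP user who does specify a domain at logon is an assumption, since the page covers only the case where no domain is given.

```python
# Added example, not SAS code: models which domain each authentication
# provider returns for authorization, following the rules in this section.
# Server option values, the Windows domain list and stored user IDs are
# constructed inputs.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ServerOptions:
    # AUTHPROVIDERDOMAIN value associated with HOSTUSER, if any
    hostuser_domain: Optional[str] = None
    # AUTHSERVER value (Windows only), if any
    authserver_domain: Optional[str] = None
    # The two options in the order they were specified; the first one wins
    option_order: List[str] = field(default_factory=list)
    # Windows domains the host can search, local machine first, each with
    # the user IDs known there (constructed stand-in for a directory lookup)
    windows_domains: List[Tuple[str, List[str]]] = field(default_factory=list)
    # AUTHPROVIDERDOMAIN value assigned to the LDAP / Active Directory provider
    ldap_domain: Optional[str] = None


def windows_host_domain(userid: str, user_domain: Optional[str],
                        opts: ServerOptions) -> Optional[str]:
    """Domain the Windows host provider returns for authorization."""
    if user_domain:
        return user_domain  # domain (or machine name) exactly as given at logon
    # No domain given: AUTHPROVIDERDOMAIN or AUTHSERVER supplies a default;
    # when both are present the one specified first takes precedence.
    for option in opts.option_order:
        if option == "AUTHPROVIDERDOMAIN" and opts.hostuser_domain:
            return opts.hostuser_domain
        if option == "AUTHSERVER" and opts.authserver_domain:
            return opts.authserver_domain
    # Neither option: search the local machine first, then the other
    # domains, and return the first domain that knows the user ID.
    for name, userids in opts.windows_domains:
        if userid in userids:
            return name
    return None


def other_host_domain(opts: ServerOptions) -> Optional[str]:
    """Domain a non-Windows host provider returns: only the one that
    AUTHPROVIDERDOMAIN associates with HOSTUSER, otherwise none."""
    return opts.hostuser_domain


def ldap_or_ad_domain(stored_userid: str, user_domain: Optional[str],
                      opts: ServerOptions) -> Optional[str]:
    """Domain the LDAP or Active Directory provider returns."""
    if user_domain:
        # A domain given at logon is returned as-is (assumption; the page
        # describes only the case where no domain is given).
        return user_domain
    # A stored user ID of the form ABC\Tom carries its own domain.
    if "\\" in stored_userid:
        return stored_userid.split("\\", 1)[0]
    # Otherwise the domain assigned to the provider on AUTHPROVIDERDOMAIN.
    return opts.ldap_domain


if __name__ == "__main__":
    # Constructed Windows server with no domain options: lookup order matters.
    win = ServerOptions(windows_domains=[("WS01", ["tom"]), ("CORP", ["tom", "ann"])])
    print("tom, no domain ->", windows_host_domain("tom", None, win))   # WS01 (local first)
    print("ann, no domain ->", windows_host_domain("ann", None, win))   # CORP
    # Both options specified, AUTHSERVER first.
    both = ServerOptions(hostuser_domain="APD", authserver_domain="ASV",
                         option_order=["AUTHSERVER", "AUTHPROVIDERDOMAIN"])
    print("both options, AUTHSERVER first ->", windows_host_domain("tom", None, both))
    ldap = ServerOptions(ldap_domain="LDAPDOM")
    print("stored ABC\\Tom ->", ldap_or_ad_domain("ABC\\Tom", None, ldap))
    print("stored Tom ->", ldap_or_ad_domain("Tom", None, ldap))
```

The Windows search path is worth noting from an authorization standpoint: when neither option is set and the user gives no domain, the domain that ends up qualifying the identity is whichever one is searched first and happens to contain a matching user ID, so a local account and a domain account with the same user ID resolve to the local machine name.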

To understand how you define corresponding logins (fully qualified user IDs, passwords (optional), and authentication domains) for the user and group definitions on the SAS Metadata Server, see Defining Users, Groups, and Logins on the SAS Metadata Server.