Authentication Mechanisms

Host Authentication

Host Authentication (Credential-Based)
Summary	A client supplies an external user ID and password to a SAS server. The SAS server passes the credentials to its host for authentication.¹
Scope	Primarily used for direct connections to the metadata server and the OLAP server. Not used for metadata-aware connections to the OLAP server or the stored process server. Sometimes used for connections to the workspace server.
Benefits	No configuration is required. Can enable users to log on to SAS applications with the same credentials that they use in your general computing environment.
Limits	On a workspace server on Windows, requires that users have the Log on as a batch job privilege. See Windows Privileges. Involves passing user IDs and passwords across the network.
Use	Always available
1 Another form of host authentication, Integrated Windows authentication (IWA), is documented separately.

The following figure shows one example of how this mechanism works:

Host Authentication (credential-based)

[Host Authentication (credential-based)]

The numbers in the figure correspond to these actions:

The client obtains the user's ID and password (interactively or through credential management). The client sends those credentials to the target server.
The server passes the credentials to its host for authentication.
The host passes the credentials to its authentication provider.
After verifying that the user ID and password correspond to a valid account, the host's authentication provider returns the user's ID to the host.
The host returns the user's ID to the SAS server.
The server accepts the client connection.

	About the Workspace Server's Options Tab
	Integrated Windows Authentication
	Authentication to the Metadata Server