
Authentication Tasks

How to Force Use of Kerberos

If you choose to use the SAS implementation of Integrated Windows authentication (IWA), and you need to ensure that the Kerberos protocol is always used, complete the following instructions. These instructions assume that you have already completed the steps in How to Configure Integrated Windows Authentication.

Note:   You can't use local accounts with this configuration, because local accounts can't use Kerberos.

  1. Specify -secpackagelist "Kerberos" in your equivalent of the following locations:

    • SAS\Config\Lev1\SASMeta\MetadataServer\sasv9_usermods.cfg (for the metadata server)

    • SAS\Config\Lev1\SASApp\OLAPServer\sasv9_usermods.cfg (if you need to support direct IWA connections to an OLAP server on Windows)

    • SAS\Config\Lev1\ObjectSpawner\ObjectSpawner.bat (if the object spawner is on Windows). If the spawner runs as a service, complete these steps:

      1. From the Windows Start menu, select Programs > SAS > SAS Configuration > <Level> > Object Spawner - Stop.

      2. From the object spawner's configuration directory, type:

        ObjectSpawner.bat -remove

      3. Add the -secpackagelist "Kerberos" setting to the Set CMD_OPTIONS= line of ObjectSpawner.bat. Also, make sure that the -sspi setting is present.

      4. To reinstall the spawner service, type:

        ObjectSpawner.bat -install

  2. If the workspace server is on Windows, make sure that its metadata definition includes only Kerberos in the Security package list field. This setting is located in SAS Management Console, on the Plug-ins tab under Server Manager. The setting is on the Options tab of the logical workspace server definition.

    Note:   If the workspace server accesses network resources (such as UNC pathnames), you must also mark the account under which the spawner runs as trusted for delegation. See Windows Privileges.

  3. Restart the metadata server.
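
After completing the steps above, you can confirm that each edited file really restricts the package list to Kerberos. The following checker is an added example, not part of the SAS documentation or SAS software. It assumes that multiple packages are written as a comma-separated value, that .cfg comments use /* */, and that .bat comments use REM or ::. The function name audit and the sample strings are hypothetical.

```python
import re
import sys

# Matches -secpackagelist "Kerberos" (quotes optional, name case-insensitive).
_OPT = re.compile(r'-secpackagelist\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_SSPI = re.compile(r'(?<![\w-])-sspi(?![\w-])', re.IGNORECASE)
_CFG_COMMENT = re.compile(r'/\*.*?\*/', re.DOTALL)
_BAT_COMMENT = re.compile(r'\s*(rem\b|::)', re.IGNORECASE)


def _active_text(text):
    """Drop /* */ comments (.cfg style) and REM / :: lines (.bat style)."""
    text = _CFG_COMMENT.sub(' ', text)
    return '\n'.join(ln for ln in text.splitlines() if not _BAT_COMMENT.match(ln))


def audit(text, require_sspi=False):
    """Return a list of findings; an empty list means Kerberos-only."""
    active = _active_text(text)
    findings = []
    matches = _OPT.findall(active)
    if not matches:
        findings.append('missing -secpackagelist')
    for quoted, bare in matches:
        # Assumption: multiple packages are comma-separated inside the value.
        pkgs = [p.strip().lower() for p in (quoted or bare).split(',') if p.strip()]
        if pkgs != ['kerberos']:
            findings.append('not Kerberos-only: ' + ','.join(pkgs))
    if require_sspi and not _SSPI.search(active):
        findings.append('missing -sspi')
    return findings


# Constructed sample contents, not taken from a real deployment.
GOOD_CFG = '/* local overrides */\n-secpackagelist "Kerberos"\n'
WEAK_CFG = '-secpackagelist "Kerberos,NTLM"\n'
GOOD_BAT = 'Set CMD_OPTIONS=-sspi -secpackagelist "Kerberos"\n'
BAT_NO_SSPI = 'REM -sspi\nSet CMD_OPTIONS=-secpackagelist "Kerberos"\n'

if __name__ == '__main__':
    # Usage: python audit_secpackagelist.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, encoding='utf-8', errors='replace') as fh:
            result = audit(fh.read(), require_sspi=path.lower().endswith('.bat'))
        print(path, 'OK' if not result else '; '.join(result))
```

Run it against your equivalents of the sasv9_usermods.cfg and ObjectSpawner.bat files listed in step 1; a file that still lists NTLM alongside Kerberos is reported as not Kerberos-only.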

In general, it is not necessary to also change the default IWA setting in client-side connection profiles. If a server accepts only Kerberos, then clients with the default setting of Negotiate (and both Kerberos and NTLM in the security package list) use Kerberos. However, in some circumstances, the client's Windows system chooses to initiate communication using NTLM and is unable to comply with the server requirement by switching to Kerberos. For example, if the client and server are on the same machine, the client chooses NTLM. In these circumstances, you must adjust the client-side settings to specify only Kerberos.

Note:   In their 4.2 and earlier releases, SAS Enterprise Guide and the SAS Add-In for Microsoft Office don't expose the advanced IWA settings.

Note:   If your SAS servers use DNS aliases, you must manually register those aliases in order to support Kerberos-based IWA connections. See the discussion of custom SPNs in Integrated Windows Authentication Settings.
