Integrated Windows Authentication (IWA) connection steps in SAS

Integrated Windows Authentication is one of the commonly used authentication services when the SAS platform runs on a Windows server. In this article, let's see what happens behind the scenes when your SAS platform authenticates using IWA.

Connection Using Integrated Windows Authentication


Let's see what happens in each step shown in the above image.
1. The user attempts to log in to a SAS client application, which can be SAS Management Console or SAS Enterprise Guide. In the process, the user provides the user ID and password. The credential is passed to Windows.
2. Windows checks whether the user ID and password combination is right or wrong. If the combination is correct, it authenticates the user and provides a token to the SAS application (SAS EG).
3. The SAS application sends the token to the Metadata Server. It doesn't send the user's password to the Metadata Server; only the token is sent.
4. The Metadata Server needs the user ID for authentication, so it sends the token to Windows and asks for the user ID that belongs to the token.
5. Windows verifies whether the token is valid. If it is valid, the user ID of the token is passed to the Metadata Server.
6. The Metadata Server checks whether the user ID exists in the Metadata Repository. If the user ID is present, the user is a sasuser; otherwise, the user is a public user.
7. The Metadata Repository returns the repository ACT of the user. The user's level of access is determined based on the ACT.
8. The Metadata Server accepts the request from the SAS client application that attempted to connect.

What is different from host based authentication?


You might have noticed that the last 3 steps are the same as in host-based authentication. The process is always the same once the Metadata Server receives a user ID to authorize. The initial steps are different: they communicate using a token for authentication.
In Integrated Windows Authentication (IWA), the Metadata Server performs two authentication phases:
  • Verification phase
  • Identification phase

In the verification phase, the Metadata Server sends the token received from the SAS application to Windows Authentication. Windows Authentication does the verification and returns the user ID if the token is correct. This phase occurs only in IWA-based authentication. Steps 4 and 5 in the above diagram are the verification phase.
In the identification phase, the Metadata Server sends the user ID to the Metadata Repository and checks whether the user ID is valid. This phase is common to every authentication model, which we call inbound login. Steps 6 and 7 in the above diagram are the identification phase.
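
The eight steps and the two phases can be traced in a small model. This is an added example, not code from this post or from SAS: the class names, accounts and ACT labels are constructed, and an HMAC-signed string stands in for the Windows token (real IWA tokens are Kerberos or NTLM tokens).

```python
import hashlib, hmac, secrets, time

class WindowsAuthority:
    """Stand-in for Windows authentication; real IWA tokens are Kerberos/NTLM."""
    def __init__(self, accounts):
        self._accounts = accounts            # constructed: user ID -> password
        self._key = secrets.token_bytes(32)  # never leaves this object

    def _mac(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def logon(self, user_id, password):
        """Steps 1-2: check the credential; issue a token only if it is correct."""
        stored = self._accounts.get(user_id)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        body = f"{user_id}|{int(time.time()) + 300}"   # user ID and expiry time
        return f"{body}|{self._mac(body)}"

    def resolve(self, token):
        """Step 5: return the user ID a valid token belongs to, else None."""
        try:
            user_id, expiry, mac = token.rsplit("|", 2)
            fresh = int(expiry) >= time.time()
        except (AttributeError, ValueError):           # missing or malformed token
            return None
        ok = hmac.compare_digest(mac.encode(), self._mac(f"{user_id}|{expiry}").encode())
        return user_id if ok and fresh else None

class MetadataServer:
    def __init__(self, windows, repository):
        self._windows = windows
        self._repository = repository        # constructed: user ID -> ACT label

    def connect(self, token):
        """Steps 3-8: the server is handed a token, never a password."""
        user_id = self._windows.resolve(token)         # verification phase (4-5)
        if user_id is None:
            return {"accepted": False, "identity": None, "act": None}
        registered = user_id in self._repository       # identification phase (6-7)
        return {"accepted": True, "user_id": user_id,
                "identity": "sasuser" if registered else "public",
                "act": self._repository.get(user_id, "constructed-public-act")}

if __name__ == "__main__":
    windows = WindowsAuthority({"CORP\\alice": "constructed-pw-1", "CORP\\bob": "constructed-pw-2"})
    server = MetadataServer(windows, {"CORP\\alice": "constructed-act-alice"})
    cases = [("CORP\\alice", "constructed-pw-1"), ("CORP\\bob", "constructed-pw-2"), ("CORP\\alice", "wrong")]
    for user, pw in cases:
        print(user, server.connect(windows.logon(user, pw)))
```

In this model the Metadata Server holds no key and no password, so it can only learn the user ID by asking the Windows stand-in, which is why a modified or expired token is rejected in the verification phase before the repository is consulted.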
