
Integrated Windows Authentication (IWA) connection steps in SAS

Integrated Windows Authentication (IWA) is one of the most commonly used authentication services when the SAS platform runs on a Windows server. In this article, let's see what happens behind the scenes when your SAS platform authenticates using IWA.

Connection Using Integrated Windows Authentication


Let's see what happens in each step shown in the image above.
1. The user attempts to log in to a SAS client application, which can be SAS Management Console or SAS Enterprise Guide. In the process, the user provides the user ID and password. The credential is passed to Windows.
2. Windows checks whether the user ID and password combination is correct. If it is, Windows authenticates the user and provides a token to the SAS application (SAS EG).
3. The SAS application sends the token to the Metadata Server. It does not send the user's password to the Metadata Server; only the token is sent.
4. The Metadata Server needs a user ID for authentication, so it sends the token to Windows and asks for the user ID that belongs to the token.
5. Windows verifies whether the token is valid. If it is valid, the user ID for the token is passed to the Metadata Server.
6. The Metadata Server checks whether the user ID exists in the Metadata Repository. If the user ID is present, the user is a sasuser; otherwise the user is a public user.
7. The Metadata Repository returns the user's repository ACT. The user's level of access is determined from the ACT.
8. The Metadata Server accepts the request from the SAS client application that attempted to connect.

What is different from host-based authentication?


You might have noticed that the last 3 steps are the same as in host-based authentication. The process is always the same once the Metadata Server receives a user ID to authorize. The initial steps are different: they use a token for authentication.
In Integrated Windows Authentication (IWA), the Metadata Server performs two authentication phases:
  • Verification phase
  • Identification phase

In the verification phase, the Metadata Server sends the token received from the SAS application to Windows authentication. Windows authentication verifies the token and returns the user ID if the token is correct. This phase occurs only in IWA-based authentication. Steps 4 and 5 in the diagram above are the verification phase.
In the identification phase, the Metadata Server sends the user ID to the Metadata Repository and checks whether the user ID is valid. This phase is common to all authentication models and is what we call an inbound login. Steps 6 and 7 in the diagram above are the identification phase.
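
The two phases can be traced in a small model. The following Python code is an added example, not SAS or Windows code: `WindowsAuthority`, `MetadataServer`, the random hex token, its 300-second lifetime and the sample accounts are all constructed for illustration. It shows that the Metadata Server only ever handles the token and the resolved user ID, never the password.

```python
import secrets
import time

class WindowsAuthority:
    """Stand-in for Windows authentication (constructed model, not SSPI)."""
    def __init__(self, accounts, ttl=300):
        self._accounts = accounts      # user id -> password (sample data)
        self._tokens = {}              # token -> (user id, expiry time)
        self._ttl = ttl                # assumed token lifetime in seconds

    def logon(self, user_id, password, now=None):
        # Steps 1-2: check the credential and hand back an opaque token.
        now = time.time() if now is None else now
        stored = self._accounts.get(user_id)
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        token = secrets.token_hex(16)
        self._tokens[token] = (user_id, now + self._ttl)
        return token

    def resolve(self, token, now=None):
        # Step 5: return the user id only for a known, unexpired token.
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

class MetadataServer:
    def __init__(self, authority, repository):
        self._authority = authority
        self._repository = repository  # user ids defined in metadata

    def connect(self, token, now=None):
        # Verification phase (steps 4-5): token -> user id, via Windows.
        user_id = self._authority.resolve(token, now)
        if user_id is None:
            return ("rejected", None)
        # Identification phase (steps 6-7): user id -> metadata identity.
        level = "sasuser" if user_id in self._repository else "public"
        return (level, user_id)

def demo():
    win = WindowsAuthority({"alice": "pw-a", "bob": "pw-b"})
    meta = MetadataServer(win, repository={"alice"})
    t_alice = win.logon("alice", "pw-a", now=0)
    t_bob = win.logon("bob", "pw-b", now=0)
    return [meta.connect(t_alice, now=10), meta.connect(t_bob, now=10),
            meta.connect("forged", now=10), meta.connect(t_alice, now=301)]
```

In `demo()`, `bob` has a valid Windows account but no metadata identity, so he passes verification and lands as a public user, while the forged and expired tokens fail verification before identification is attempted.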
