
Integrated Windows Authentication (IWA) connection steps in SAS

Integrated Windows Authentication (IWA) is one of the commonly used authentication services when the SAS platform runs on a Windows server. In this article, let's see what happens behind the scenes when your SAS platform authenticates using IWA.

Connection Using Integrated Windows Authentication


Let's see what happens in each step shown in the image above.
1. The user attempts to log in to a SAS client application, which can be SAS Management Console or SAS Enterprise Guide. In the process, the user provides the user ID and password. The credentials are passed to Windows.
2. Windows checks whether the user ID and password combination is correct. If it is, Windows authenticates the user and provides a token to the SAS application (SAS EG).
3. The SAS application sends the token to the Metadata Server. It does not send the user's password to the Metadata Server; only the token is sent.
4. The Metadata Server needs a user ID for authentication, so it sends the token to Windows and asks for the user ID that belongs to the token.
5. Windows verifies whether the token is valid. If it is valid, the user ID for the token is passed to the Metadata Server.
6. The Metadata Server checks whether the user ID exists in the Metadata Repository. If the user ID is present, the user is a sasuser; otherwise, the user is a public user.
7. The Metadata Repository returns the repository ACT of the user. The user's level of access is determined based on the ACT.
8. The Metadata Server accepts the request from the SAS client application that attempted to connect.

What is different from host based authentication?


You might have noticed that the last 3 steps are the same as in host-based authentication. The process is always the same once the Metadata Server receives a user ID to authorize. The initial steps are different: the communication uses a token for authentication.
In Integrated Windows Authentication (IWA), the Metadata Server performs two authentication phases:
  • Verification phase
  • Identification phase

In the verification phase, the Metadata Server sends the token received from the SAS application to Windows Authentication. Windows Authentication performs the verification and returns the user ID if the token is correct. This phase occurs only in IWA-based authentication. Steps 4 and 5 in the diagram above are the verification phase.
In the identification phase, the Metadata Server sends the user ID to the Metadata Repository and checks whether the user ID is valid. This phase is common to all authentication models, which we call inbound login. Steps 6 and 7 in the diagram above are the identification phase.
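
The exchange described above, modelled as a small Python simulation (an added example, not SAS code and not part of the original post). The `WindowsAuthority` and `MetadataServer` classes, the HMAC-signed token format, and the sample accounts and ACT name are constructed for illustration; real Windows tokens are not built this way.

```python
import hashlib
import hmac
import secrets

class WindowsAuthority:
    """Constructed stand-in for Windows: checks passwords, issues and resolves tokens."""
    def __init__(self, accounts):
        self._accounts = accounts            # user ID -> password (sample data)
        self._key = secrets.token_bytes(32)  # known only to this authority

    def _sign(self, user_id):
        return hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()

    def authenticate(self, user_id, password):
        # Steps 1-2: check the credential pair and return a token on success.
        stored = self._accounts.get(user_id)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        return f"{user_id}:{self._sign(user_id)}"

    def resolve(self, token):
        # Steps 4-5 (verification phase): a valid token maps back to its user ID.
        user_id, _, sig = token.partition(":")
        ok = hmac.compare_digest(sig.encode(), self._sign(user_id).encode())
        return user_id if ok else None

class MetadataServer:
    """Constructed model of the Metadata Server; it only ever receives a token."""
    def __init__(self, windows, repository):
        self._windows = windows
        self._repository = repository        # user ID -> repository ACT (sample data)

    def connect(self, token):
        user_id = self._windows.resolve(token)
        if user_id is None:
            return {"accepted": False, "reason": "token rejected by Windows"}
        # Steps 6-7 (identification phase): look the user ID up in the repository.
        act = self._repository.get(user_id)
        level = "sasuser" if act is not None else "public"
        return {"accepted": True, "user": user_id, "level": level, "act": act}

if __name__ == "__main__":
    windows = WindowsAuthority({"alice": "constructed-pw"})
    server = MetadataServer(windows, {"alice": "Sample ACT"})
    token = windows.authenticate("alice", "constructed-pw")
    print(server.connect(token))                 # registered user
    print(server.connect("alice:" + "0" * 64))   # forged token fails verification
```

The forged-token case shows why the verification phase exists: the Metadata Server trusts a user ID only after Windows has resolved the token to it.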
