When Kerberos Constrained Delegation is enabled, the delegated credentials have a lifetime equal to that of the CAS Server Kerberos credentials (default = 10 hours), and the credentials are not automatically renewed.
CASLIBs that use Kerberos tickets to access databases, such as SQL Server, are no longer able to access them once the Kerberos ticket has expired, which causes errors similar to the following:
The patch associated with this article addresses the issue by adding a new option, CASSERVERCREDENTIALRENEWGAP. After you run the software update, you can set this option in /opt/sas/viya/config/etc/cas/default/cas_usermods.settings as follows to shorten the CAS Server Kerberos credentials renewal interval:
This code changes the Kerberos credentials renewal interval to 8 hours, which enables the software to renew the credentials before the expiration time.