The mid-tier layer stops authenticating users after about two to four weeks


Following the upgrade of SAS® Central Authentication Service (CAS) from version 3.x to 6.6.0 in a SAS® 9.4M8 (TS1M8) environment, the mid-tier layer stops authenticating users after approximately two to four weeks of system uptime.

Starting with SAS® Central Authentication Service 6, domain name validation was introduced for security purposes. This validation restricts URL processing to only those domains whose top-level domains (TLDs) are included in a predefined allowlist. This behavior is enforced via the Apache Commons Validator library and affects the Single LogOut (SLO) mechanism. URLs with unapproved or invalid domains do not receive SLO logout messages.

This change is documented in the SAS 9.4M8 documentation: Central Authentication Service - Middle-Tier Administration Guide.

“Starting with SAS 9.4 M8, SAS uses CAS version 6.6 that calls Apache Commons Validator to validate SAS Web URLs. Only SAS web applications with valid URLs and valid domain names receive a SLO message.”

Note: Starting with SAS 9.4M8, local is not a valid internal domain name. Examples of valid internal domain names are as follows: localdomain and localhost.
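The following is an added example, not SAS or Apache code: a small Java program that runs candidate SAS web application URLs through the same Apache Commons Validator classes (UrlValidator and DomainValidator) described above, so an administrator can see in advance which hostnames the CAS 6.x check would reject and therefore exclude from SLO messages. The hostnames are constructed samples, and the program assumes commons-validator 1.6 or later on the classpath and the "allow local" mode that makes localhost and localdomain acceptable.

```java
import org.apache.commons.validator.routines.DomainValidator;
import org.apache.commons.validator.routines.UrlValidator;

/**
 * Added example (not SAS or Apache code): checks whether SAS web application
 * URLs pass the Apache Commons Validator checks that CAS 6.x applies before
 * sending a Single LogOut (SLO) message. Hostnames are constructed samples.
 * Assumes commons-validator 1.6+ on the classpath.
 */
public class SloUrlCheck {

    // ALLOW_LOCAL_URLS accepts localhost, *.localdomain and single-label hosts,
    // matching the note that localhost and localdomain are valid internal names.
    private static final UrlValidator URL_VALIDATOR =
            new UrlValidator(new String[] {"http", "https"}, UrlValidator.ALLOW_LOCAL_URLS);
    private static final DomainValidator DOMAIN_VALIDATOR = DomainValidator.getInstance(true);

    /** True if the complete URL (scheme, host, port, path) passes validation. */
    public static boolean wouldReceiveSlo(String url) {
        return URL_VALIDATOR.isValid(url);
    }

    /** Isolates the TLD allowlist check so the failing component is visible. */
    public static boolean tldIsAllowed(String host) {
        int dot = host.lastIndexOf('.');
        if (dot < 0) {
            return DOMAIN_VALIDATOR.isValid(host); // single-label host, local rule
        }
        return DOMAIN_VALIDATOR.isValidTld(host.substring(dot + 1));
    }

    public static void main(String[] args) {
        String[] samples = {
            "https://sasmid.example.com:8343/SASLogon/",        // IANA TLD "com": accepted
            "https://sasmid.site1.localdomain:8343/SASLogon/",  // local TLD "localdomain": accepted
            "https://localhost:8343/SASLogon/",                 // "localhost": accepted
            "https://sasmid.site1.local:8343/SASLogon/"         // ".local" is not allowlisted: rejected
        };
        for (String url : samples) {
            System.out.printf("%-50s SLO message: %s%n", url,
                    wouldReceiveSlo(url) ? "sent" : "SKIPPED");
        }
    }
}
```

Run it against the exact URLs registered for your SAS web applications; any URL reported as SKIPPED is one whose TLD falls outside the allowlist and will not receive logout messages unless the domain name is changed or validation is disabled.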

This issue might manifest in various ways, depending on which application fails domain validation. Examples include the following:

This issue can affect pre-SAS 9.4M8 environments, such as SAS® 9.4M6 (TS1M6) or SAS® 9.4M7 (TS1M7), that were originally configured with unsupported or invalid domain names and were then upgraded in place (UIP) to SAS 9.4M8 with the same invalid domain names carried over into the new SAS 9.4M8 environment.

The same issue can also affect new SAS 9.4M8 environments that were installed using an invalid domain name.

Assess Affected Environments

To assess whether an environment might be affected, complete the following steps:

  1. Verify whether the environment's top-level domain (TLD) is NOT included in the Apache Commons Validator allowlist, which aligns with the list defined by IANA (see the attached list, TLDs defined by IANA.txt).
  2. Use SAS® Management Console to check client connections and detect abnormal growth:
    1. On the Plug-ins tab in SAS Management Console, navigate to Environment Management ► Server Manager ► SASMeta ► SASMeta - Logical Metadata Server, right-click SASMeta - Metadata Server, and select Connect.
    2. Connect as the sasadm@saspw user.
    3. The Clients, Options, Loggers, and Log tabs become live in the right SAS Management Console pane.
    4. On the Options tab, monitor the IOM.CurrentClients property.
  3. Review the SASLogon9.4.log file. Lines such as [0] logout requests were processed after performing a logout indicate that SLO messages are not being propagated to the other web applications.
  4. To verify whether SLO is functioning properly, complete the following steps:
    1. Open a browser, enter the address of a SAS web application (for example, http(s)://hostname:port/SASLASRAuthorization/), and log on.
    2. In the same browser, enter the address of another application. For example, http(s)://hostname:port/SASVisualAnalyticsViewer/.
    3. Click Sign Out in the top right corner. The SASVisualAnalyticsViewer application logs out successfully.
    4. Enter http(s)://hostname:port/SASLASRAuthorization/ again. If SLO is working, the interface prompts you for a user ID and password.

If the login page is not displayed, this might indicate that the logout propagation failed due to domain validation.

Workaround

To circumvent this issue, the M2K021 hot fix (Hot Fixes for SAS Middle Tier 9.4_M8) introduces an option to disable the domain validation function of SAS Central Authentication Service for users who cannot change their domain names. (Note that domain names cannot be changed easily.)

Complete the following step only if you want to disable the domain validation function of SAS Central Authentication Service. Skip this step to keep the default domain validation.

  1. Before applying the rebuild and redeploy steps of the Hot Fix Installation Instructions, add the following option to [SASHome]/SASWebInfrastructurePlatform/9.4/Configurable/wars/sas.svcs.logon/WEB-INF/classes/application.properties.orig:

sas.url.validation.skipdomainvalidation=true