The SAS® Financial Management 5.62 desktop client fails to connect with "Unable to authenticate user using IWA"


Enabling Integrated Windows Authentication (IWA) causes the SAS Financial Management client to fail to connect to the back-end servers upon initial login to the client. 

As a result, the SAS Financial Management client log displays the following error:

[main][ERRORWIPAuthenticationServer] - Unable to authenticate user using IWA.
[main][ERRORLogonRegistry] - SSO logon failed
com.sas.solutions.finance.rcp.commons.core.logon.LogonException: java.lang.ClassCastException: class com.sas.svcs.security.iwa.client.WebHttpClient cannot be cast to class com.sas.svcs.security.iwa.client.WebHttpClient (com.sas.svcs.security.iwa.client.WebHttpClient is in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @e07b4db; com.sas.svcs.security.iwa.client.WebHttpClient is in unnamed module of loader org.eclipse.osgi.internal.loader.EquinoxClassLoader @150d6eaf)

Support for Integrated Windows Authentication in SAS Financial Management

For SAS Financial Management, in addition to the instructions provided in Support for Integrated Windows Authentication, you need to complete the following steps to circumvent this issue:

Enable the Properties Needed When Using Integrated Windows Authentication With the SAS® Java Clients on SAS® 9.4M8 (TS1M8)

On SAS 9.4M8, if you use IWA to log on to the SAS Financial Management Java clients, you need to apply the hot fixes available in SAS Note 71112 (particularly for the SAS® Middle-Tier 9.4_M8 and SAS® Management Console 9.4_M8). If your environment contains the other SAS products mentioned in the SAS note, be sure to install the relevant hot fixes as well.

In addition to applying the hot fixes, you need to complete the following steps on each middle-tier node for IWA to work with these clients:

  1. Navigate to the following directory: /<SASHome>/SASWebInfrastructurePlatform/9.4/Configurable/wars/sas.svcs.logon/WEB-INF/classes.
  2. Back up the application.properties.orig file to a different location (for example, /backups).
  3. Add the following lines to the end of the application.properties.orig file:

    ##
    # Enable to keep the old TGT behavior for the Java clients like SAS Enterprise Miner Client and SAS Forecast Studio.
    #
    sas.ticket.createtgt.keepoldtgt=true

  4. Save the change.
  5. Rebuild and redeploy the following:
  6. After you rebuild and redeploy the SAS Web Infrastructure Platform web application, ensure that the following file contains the sas.ticket.createtgt.keepoldtgt=true setting: /<SASConfig>/Lev#/Web/WebAppServer/SASServer1_1/sas_webapps/sas.svcs.logon.war/WEB-INF/classes/application.properties
  7. Restart ALL SAS® Web Application Servers (SASServer1_1 to SASServerN_1) to pick up this change:
    • For Unix systems, go to the <SASConfig>/Lev#/Web/WebAppServer/SASServerN_1/bin directory and run the following commands:
      • ./tcruntime-ctl.sh stop
      • ./tcruntime-ctl.sh start
    • For Windows systems, open the Windows Services dialog box, locate the SASServer1_1 to SASServerN_1 services, and restart them.
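
To carry out the check in step 6 on a UNIX middle-tier node, the following added example (not SAS-supplied code) reads a deployed application.properties file and reports whether sas.ticket.createtgt.keepoldtgt is effectively true, skipping commented-out lines and letting the last definition win, as Java properties loading does. The function names prop_value and check_keepoldtgt are hypothetical; pass the deployed file path from step 6 as the argument.

```shell
#!/bin/sh
# Added example, not SAS-supplied code. Function names are hypothetical.

# Print the effective value of key $2 in Java properties file $1.
# Comment lines (# or !) are skipped and the last definition wins.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/\r$/, "", line)          # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)      # leading blanks are not part of the key
            if (!match(line, /[ \t]*[=:][ \t]*/)) next
            if (substr(line, 1, RSTART - 1) == key) {
                val = substr(line, RSTART + RLENGTH)
                found = 1
            }
        }
        END {
            if (!found) exit 1
            print val
        }
    ' "$1"
}

# Return 0 only if the setting added in step 3 is active in file $1.
check_keepoldtgt() {
    kot_key=sas.ticket.createtgt.keepoldtgt
    if [ ! -r "$1" ]; then
        echo "UNREADABLE $1"; return 2
    fi
    if ! kot_val=$(prop_value "$1" "$kot_key"); then
        echo "NOT SET    $1 (missing or commented out)"; return 1
    fi
    if [ "$kot_val" != "true" ]; then
        echo "WRONG      $1 ($kot_key=$kot_val)"; return 1
    fi
    echo "OK         $1"
}

# Stand-alone use: pass one deployed application.properties path per node.
for kot_file in "$@"; do
    check_keepoldtgt "$kot_file"
done
```

Run it before restarting the web application servers in step 7, so that a rebuild that dropped the setting is caught before clients retry IWA logon.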

Notes:

SAS Financial Management Studio Configuration for SAS Financial Management

For SAS Financial Studio to work with IWA, two configuration files are required: krb5.conf and login.conf. These files are used to connect to the configured RACE server.

Information about these files is as follows:

krb5.conf

    [libdefaults]
    default_realm = RACE.SAS.COM
    udp_preference_limit=1

    [realms]
    RACE.SAS.COM = {
         kdc = race.sas.com
         default_domain = RACE.SAS.COM
    }

    [domain_realm]
    .race.sas.com = RACE.SAS.COM
    race.sas.com = RACE.SAS.COM

    [appdefaults]
    kinit = {
         renewable = true
         forwardable= true
    }

login.conf

    com.sun.security.jgss.initiate {
         com.sun.security.auth.module.Krb5LoginModule required client=TRUE
         useTicketCache=true
         doNotPrompt=false
         debug=true
         renewTGT=true;
    };

Note that you also need to update the SAS Fraud Management Studio ini file with the following entries:

-Dsas.fms.enableIWASSO=true
-Djava.security.krb5.conf=c:/[path to]/krb5.conf
-Djava.security.auth.login.config=c:/[path to]/login.conf
-Dsun.security.jgss.native=true