After you upgrade the SAS Viya platform to the 2026.04 release, multiple services fail to respond. In addition, errors similar to the following might occur in the logs of the sas-authorization and sas-file-store services:
WARN [sas-authorization] - [FOLDER_ANCESTOR_FAILURE_WITH_REASON] An error occurred. The folder ancestry for "/folders/folders/75ec3723-b9ef-46f2-8f9c-abe57177b509" could not be retrieved. HTTP status code from Folders Service was 401.
ERROR [sas-authorization] - [INTERNAL_SERVER_ERROR] Internal server error. Request: uri=/authorization/decisions;client=192.168.186.141;user=sas.fileStore. Error details: org.springframework.security.oauth2.core.OAuth2AuthorizationException - '[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 401 on POST request for "http://sas-logon-app/SASLogon/oauth/token": "{"error":"invalid_client","error_description":"Wrong client_assertion"}"'
ERROR [sas-authorization] - org.springframework.security.oauth2.core.OAuth2AuthorizationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 401 on POST request for "http://sas-logon-app/SASLogon/oauth/token": "{"error":"invalid_client","error_description":"Wrong client_assertion"}"
ERROR [sas-authorization] - caused by: org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 on POST request for "http://sas-logon-app/SASLogon/oauth/token": "{"error":"invalid_client","error_description":"Wrong client_assertion"}"
This issue occurs when you disable the Kubernetes Service Account (KSA) by setting SAS_AUTH_KUBERNETES_SERVICE_ACCOUNT_ENABLED=false.
As a temporary workaround, if you disable KSA by setting SAS_AUTH_KUBERNETES_SERVICE_ACCOUNT_ENABLED=false, also set SAS_AUTH_CLIENT_JWT_ENABLED=false until a patch that fixes this problem is released.
Note: You should use SAS_AUTH_KUBERNETES_SERVICE_ACCOUNT_ENABLED=false only as a temporary workaround. Please contact SAS Technical Support for help with enabling Kubernetes Service Account (KSA) tokens. In the future, KSA tokens will be mandatory.
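The following triage helper is an added example, not SAS code: it matches the "Wrong client_assertion" token failure in service logs and compares the two settings named above to report whether a deployment is in the affected state. The function names, the verdict labels, the KEY=value input format, and the treatment of an unset SAS_AUTH_CLIENT_JWT_ENABLED as "not false" are assumptions, and the sample log is constructed from the messages above.

```python
import re
from collections import Counter

KSA = "SAS_AUTH_KUBERNETES_SERVICE_ACCOUNT_ENABLED"
CLIENT_JWT = "SAS_AUTH_CLIENT_JWT_ENABLED"
LINE = re.compile(r'^(?P<level>[A-Z]+) \[(?P<service>[^\]]+)\]')
TOKEN_401 = re.compile(
    r'401 on POST request for "(?P<url>[^"]+/oauth/token)": '
    r'"\{"error":"(?P<error>[^"]+)","error_description":"(?P<desc>[^"]+)"\}"')

# Constructed sample, shortened from the messages in this note.
SAMPLE_LOG = """\
WARN [sas-authorization] - [FOLDER_ANCESTOR_FAILURE_WITH_REASON] An error occurred. HTTP status code from Folders Service was 401.
ERROR [sas-authorization] - caused by: org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 on POST request for "http://sas-logon-app/SASLogon/oauth/token": "{"error":"invalid_client","error_description":"Wrong client_assertion"}"
ERROR [sas-file-store] - 401 on POST request for "http://sas-logon-app/SASLogon/oauth/token": "{"error":"invalid_client","error_description":"Wrong client_assertion"}"
"""

def parse_settings(text):
    """Parse KEY=value lines (assumed input format) into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key] = value.strip().lower()
    return settings

def assertion_failures(log_text):
    """Count rejected client assertions per logging service."""
    hits = Counter()
    for line in log_text.splitlines():
        head, body = LINE.match(line), TOKEN_401.search(line)
        if (head and body and body["error"] == "invalid_client"
                and body["desc"] == "Wrong client_assertion"):
            hits[head["service"]] += 1
    return hits

def triage(settings_text, log_text):
    """Return (verdict, per-service failure counts); verdict labels are hypothetical."""
    s = parse_settings(settings_text)
    ksa_off = s.get(KSA) == "false"
    jwt_off = s.get(CLIENT_JWT) == "false"  # unset is treated as not false
    hits = assertion_failures(log_text)
    if ksa_off and not jwt_off:
        verdict = "affected" if hits else "at-risk"
    elif ksa_off and jwt_off:
        verdict = "workaround-applied"
    else:
        verdict = "not-this-issue"
    return verdict, dict(hits)
```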