When a user launches a SAS® client, they might receive one of the following errors:
Error
An unexpected error has occurred while accessing metadata.
You are not defined as a user in metadata and are connecting as PUBLIC. It appears that the current authorizations will not allow the connection to continue. Please contact your administrator.
OR
The SAS Metadata Server rejected the connection attempt because the user name is not defined as a user in metadata. Please specify a different user or contact your administrator.
OR
The user "UserID" is not authorized to read metadata on server "Servername".
The problem occurs after the user ID has been authenticated on the server, when SAS is unable to find a matching metadata identity for the authenticated user ID.
When attempting to determine a SAS identity, the system attempts to match the authenticated user ID to the user ID stored in a metadata login. If no matching user ID is found, the connection is established using the PUBLIC identity. By default, PUBLIC and anonymous access are denied the ReadMetadata permission to the metadata repository.
Here are common conditions that result in error messages similar to the ones shown above and the basic resolution steps:
- The user ID is not a login in the metadata. Add the login and user ID to the correct metadata identity. You might need to add the identity first, and then add a login for that identity.
- The form of the user ID in the metadata does not match the form of the authenticated user ID. For example, a user ID of sasdemo does not match the authenticated user ID SASBI\sasdemo. Use the steps in Determining How the User Is Authenticated to find the authenticated user ID, and then correct the user ID in the metadata.
- The authentication domain with which the user ID is associated is an Outbound Only domain. Outbound logins are not included in the SAS identity phase. To determine whether the authentication domain is an Outbound Only domain, open the User Manager plug-in in SAS® Management Console, and then select the menu items Action ► Authentication Domains.... An Outbound Only domain is indicated by a selected check box.
Determining How the User Is Authenticated
Enable TRACE logging for the Audit.Authentication logger on the SAS Metadata Server. This logger will show more detailed information about how the user is authenticated.
Enabling TRACE logging for the loggers using SAS Management Console:
1. Log on to SAS Management Console as sasadm@saspw.
2. Expand Server Manager ► SASMeta ► SASMeta - Logical Metadata Server ► SASMeta - Metadata Server.
3. Right-click SASMeta - Metadata Server and select Connect.
4. Log on as sasadm@saspw if prompted.
5. Click the loggers tab.
6. Find Audit.Authentication in the list and select its properties.
7. Change the Assigned drop-down to TRACE.
8. Click OK.
9. Repeat steps 6-8 for the App.OMI.Security.GetInfo and App.OMI.Security.GetIdentity loggers.
Note: You will NOT need to restart the SAS Metadata Server for this change to take effect.
After you enable logging, have the affected user re-create the issue in the SAS client application. Then reset the Audit.Authentication logger to its original setting (typically this is "Inherited").
Open the Metadata Server log. For the user attempting to authenticate, it shows entries similar to the ones below. Note that, in these examples, the domain "sasbi" was misspelled as "sassbi" in the User ID in the metadata. Look for other differences between the User ID and the authenticated user, such as the domain name and, for an Active Directory domain or a Windows local account, the direction of the slash. Also note that the User ID can take either the UPN form or the down-level form, sasdemo@sasbi or sasbi\sasdemo, respectively. The SAS Metadata Server treats both as the same User ID.
- Create Authenticated Token
- Client connection id: 16
- User/Pass authentication for user sasdemo
- User: sasdemo, domain: sassbi
- Calling auth provider...
- Windows OS auth provider called
- Down-level name sasbi\sasdemo being authenticated
- Windows OS authentication successful
- New client connection (16) accepted from server port 8561 for user sasdemo@sasbi.
Additional logging from Step 9 might produce something like what is seen below in the Metadata Server log:
TRACE [00000257] 6:sasdemo2@d10f562 - IOM RETURN 0={compRef:18909cac6c0}->OMI::GetInfo():
output=[0..4,0..1]
[0,0]=UserClass
[0,1]=Normal
[1,0]=AuthenticatedUserid
[1,1]=SASDEMO2@SASSBI
[2,0]=IdentityName
[2,1]=PUBLIC
[3,0]=IdentityType
[3,1]=IdentityGroup
[4,0]=IdentityObjectID
[4,1]=A5BM63VV.A5000002
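An added example (not SAS code and not part of the original note): a Python script that parses the GetInfo trace shown above, detects a fallback to the PUBLIC identity, and maps it to one of the three conditions listed earlier. The function names and the list of metadata login IDs passed to `diagnose` are hypothetical, and the case-insensitive comparison is an assumption.

```python
import re
# Constructed input: the GetInfo trace from the log excerpt above.
SAMPLE_LOG = """TRACE [00000257] 6:sasdemo2@d10f562 - IOM RETURN 0={compRef:18909cac6c0}->OMI::GetInfo():
output=[0..4,0..1]
[0,0]=UserClass
[0,1]=Normal
[1,0]=AuthenticatedUserid
[1,1]=SASDEMO2@SASSBI
[2,0]=IdentityName
[2,1]=PUBLIC
[3,0]=IdentityType
[3,1]=IdentityGroup
[4,0]=IdentityObjectID
[4,1]=A5BM63VV.A5000002
"""
CELL = re.compile(r"^\[(\d+),([01])\]=(.*)$")

def parse_getinfo(text):
    """Return one {name: value} dict per GetInfo block, pairing [n,0] with [n,1]."""
    blocks, cells = [], None
    for line in map(str.strip, text.splitlines()):
        if "OMI::GetInfo()" in line:
            blocks.append(cells := {})  # start collecting cells for a new block
        elif cells is not None and (m := CELL.match(line)):
            cells[(int(m[1]), int(m[2]))] = m[3]
    return [{v: c.get((r, 1), "") for (r, col), v in c.items() if col == 0} for c in blocks]

def normalize(user_id):
    """Split UPN (user@domain) or down-level (domain\\user) into (user, domain)."""
    uid = user_id.strip().lower()  # assumption: IDs are compared case-insensitively
    if "\\" in uid:
        domain, user = uid.split("\\", 1)
        return user, domain
    user, _, domain = uid.partition("@")
    return user, domain

def diagnose(block, metadata_logins):
    """Map a PUBLIC fallback to one of the three conditions listed in this note."""
    if block.get("IdentityName") != "PUBLIC":
        return None  # a metadata identity was found; nothing to diagnose
    auth = normalize(block["AuthenticatedUserid"])
    known = {normalize(login): login for login in metadata_logins}
    if auth in known:
        return "login present: check for an Outbound Only authentication domain"
    near = [login for (user, _), login in known.items() if user == auth[0]]
    if near:
        return f"form mismatch: authenticated {auth[0]}@{auth[1]}, metadata has {near[0]}"
    return f"no login in metadata for {auth[0]}@{auth[1]}"
```

Pass `diagnose` each block returned by `parse_getinfo` together with the login IDs you see for the user in User Manager.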
Related Information
For more information, see How SAS Identity Is Determined, PUBLIC Access and Anonymous Access, and Outbound and Trusted Authentication Domains in SAS® 9.4 Intelligence Platform: Security Administration Guide.
Also see the section Add Users in SAS® 9.4 Management Console: Guide to Users and Permissions.