Installation Instructions for Hot Fix F1E003

Windows


Hot fix F1E003 addresses the issue(s) in Base SAS 9.4_M6 as documented in the Issue(s) Addressed section of the hot fix download page:

https://tshf.sas.com/techsup/download/hotfix/HF2/D9T.html#F1E003


F1E003 is a "container" hot fix that contains the following "member" hot fixes which will update the software components as needed.

D9T018  updates  Base SAS 9.4_M6
D9T033  updates  Base SAS 9.4_M6
F1D002  updates  Base SAS User Interface 9.4_M6

See What is a container hot fix? in the Hot Fix FAQ for more information about container hot fixes.


Before applying this hot fix, follow the instructions in SAS Note 35968 to generate a SAS Deployment Registry report, then verify that the appropriate product releases are installed on your system. The release number information in the Registry report should match the 'member' release number information provided above for the software components installed on each machine in your deployment.

The hot fix downloaded, F1E003wn.zip, includes the updates required for all components listed above on all applicable operating systems. To apply this hot fix on multiple machines, you can either save F1E003wn.zip on each machine or save it in a network location that is accessible to all machines.

Do NOT extract the contents of F1E003wn.zip. The hot fix installation process will extract the contents as needed.


IMPORTANT NOTES

  1. Files delivered in this hot fix will be backed up during the installation process. However, it is good general practice to back up your system before applying updates to software.

  2. You must have Administrator Privileges on your CLIENT or SERVER machine.

  3. All currently active SAS sessions, daemons, spawners and servers must be terminated before applying this hot fix.

  4. This hot fix should be installed using the same userid who performed the initial software installation.

  5. CONFIGURATION: No automatic configuration scripting is included for this hot fix. If you have previously configured software installed, the SAS Deployment Manager may present a screen where you will see "Apply SAS Hot Fixes" and "Configure SAS Hot Fixes" options. On this screen, you must ensure that the "Configure SAS Hot Fix" option is *not* selected. If this option is automatically selected, please de-select it prior to proceeding with the SAS Deployment Manager Screens. Failure to do so could have unintended consequences when applying this hot fix.


INSTALLATION

Hot Fix F1E003 must be installed on each machine where the updated components of the product, listed above, are installed. During the installation process you may see references to all operating systems for which updates are provided in the hot fix. The installation process will determine the operating system and which component(s) of Base SAS 9.4_M6 require updating on the machine. See SAS Note 44810 for more details.

The hot fix will be applied using the SAS Deployment Manager. By default, the SAS Deployment Manager will search in the <SASHOME>\InstallMisc\HotFixes\New directory for hot fixes to be applied, but will also prompt for a location if you have downloaded hot fixes to a different directory.

After downloading F1E003wn.zip, follow the instructions for applying hot fixes in the SAS Deployment Wizard and SAS Deployment Manager 9.4: User's Guide.

Please review the CONFIGURATION Important Note above concerning proper selection of the "Configure SAS Hot Fix" option in the SAS Deployment Manager.


The hot fix installation process generates the log file

<!SASHOME>\InstallMisc\InstallLogs\IT_date-and-time-stamp.log
for example, IT_2011-10-31-13.18.21.log. Each attempt to apply a hot fix results in the creation of a new log file giving detailed information regarding the installation process.

Postexec log files are created after the installation is completed and identifies the files that were added, backed up, changed and removed. These log files include the 'member' hot fix id in the name of the file and are also written to the <!SASHOME>\InstallMisc\InstallLogs directory. There is one postexec log for each 'member' hot fix applied (member hot fixes are listed at the top of these instructions).


The content of this hot fix is listed in the hot fix manifest.


POST-INSTALLATION INSTRUCTIONS

Supported Systems and requirements
This hotfix and instructions apply to Windows only. Prerequisites
Prior to enabling Kerberos Constrained Delegation, SAS servers and spawners must first be configured for Kerberos (Integrated Windows Authentication). Instructions can be found in the SASŪ 9.4 Intelligence Platform: Security Administration Guide, Third Edition.:
https://go.documentation.sas.com/api/docsets/bisecag/9.4/content/bisecag.pdf

To fully enforce constrained delegation, additional configuration steps are required in Active Directory. This must be completed by a Domain Administrator with the "Active Directory Users and Computers" tool. Each Kerberos protected resource (e.g., Microsoft SQL Server) that a SAS Workspace Server can access must be defined against the account being configured for constrained delegation.

As a Windows domain administrator, under Start-->Control Panel-->Administrative Tools-->Active Directory Users and Computers, access the properties dialog for the relevant account and grant the delegation privilege. Even though the SAS Workspace Server accesses the Kerberos protected resource, the delegation privilege is granted to the SAS Object Spawner.

In all the above cases, select the Use any authentication protocol check box. Next click the Add... button and then click the Users and Computers... button.

Once the name is entered, click the Check Names button and click the OK button. Select the SPN(s) for the service(s). Click the OK button. Repeat as necessary until all services have been added. When finished, click the OK button to exit the Properties dialog.

For sites using SAS Web Applications, such as SAS Studio, the SAS Middle-Tier HTTP service principal name (SPN), must be trusted for delegation to the account the SAS Metadata Server and SAS Object Spawner are running under. As a Windows domain administrator, under Start-->Control Panel-->Administrative Tools-->Active Directory Users and Computers, access the properties dialog for the relevant account and grant the delegation privilege.

In all the above cases, select the Use any authentication protocol check box. Next click the Add... button and then click the Users and Computers... button.

Once the name is entered, click the Check Names button and click the OK button. Select the SPN for the SAS Object Spawner, typically SAS. Click the OK button. Click the OK button to exit the Properties dialog.

If the SAS Metadata Server is running on a separate host, repeat the above steps for the SAS/<SAS Metadata Server host name> SPN.

Post Installation Instructions
Installation of this hotfix does not enable constrained delegation support in SAS by default. After installing the hot fix, complete the steps here to enable constrained delegation support in SAS.
  1. The SAS_CONSTRAINED_DELEG_ENABLED System environment variable must be set to "1". As a local administrator, under Start-->Control Panel-->System and Security-->System-->Advanced system settings, select the <>bAdvanced tab, and click the Environment Variables button, add the setting under System variables.
  2. Reboot the machine.


This completes the installation of hot fix F1E003 on Windows.


Copyright 2019 SAS Institute Inc. All Rights Reserved.