Skip to main content

How to configure Windows authentication when SquaredUp is installed on load balanced servers

Catherine
  • Updated

Due to the dependencies on Active Directory and Kerberos constrained delegation, Windows authentication can be difficult to configure and troubleshoot. Please follow these instructions carefully to ensure Windows authentication works without any issues in your environment. If you have any questions or need assistance, please contact SquaredUp Support

 

When to use this article

This article applies if:

  • You want to enable Windows authentication (single sign-on)
  • You have a two or more load balanced SquaredUp web servers
  • SquaredUp is not installed on SCOM management servers

If you want to configure Windows authentication in a different scenario, review How to configure Windows authentication to find the appropriate article.

 

Overview

LoadBalancerDiagram.png

The diagram above shows two SquaredUp servers, a Primary and a Secondary server, with a load balancer in front of them.

SquaredUp accesses SCOM using the end user's credentials. When Windows authentication is being used and SquaredUp is deployed on a dedicated server, the end user first authenticates with the SquaredUp web server, and then the SquaredUp web server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a 'double-hop' and requires Kerberos delegation to be enabled.

Kerberos delegation is notoriously difficult to configure. It requires Kerberos authentication to be correctly functioning between client, web server and management server, and for configuration such as Service Principal Names (SPNs) to be configured correctly. The rest of this article takes you through the configuration step-by-step.

For more information on Kerberos and how it operates, see here.

 

Prerequisites

  1. SquaredUp has been installed and the initial configuration wizard (licensing etc) completed on all servers.
  2. High availability (HA) has been configured - see How to configure high availability
  3. The load balancer has been configured - see Tips for configuring a load balancer

 

Summary of steps

  1. Configure SquaredUp to use a domain service account
  2. Enable Windows authentication using the SquaredUp configuration tool
  3. Configure Kerberos constrained delegation
  4. Restart the SquaredUp web servers
  5. Configure your web browsers to use Windows authentication
  6. Verify the configuration

 

1. Configure SquaredUp to use a domain service account

When load balancing between SquaredUp servers, the SquaredUp application pool identity must be set to a domain service account, rather than the default of Network Service.

Follow the article How to check and modify the application pool identity to change the application pool identity from Network Service to a domain service account on each server.

 

2. Enable Windows authentication using the SquaredUp configuration tool

Ensure both servers are using Windows authentication as described below. Modifying the configuration causes the web application to restart and all users will be logged off.

  1. On the Primary SquaredUp server click on the Start button and type command prompt.

  2. Change directory to the instance for which you wish to change authentication, by typing the correct path, for example:

    cd c:\inetpub\wwwroot\SquaredUpv4\

  3. Type the following to enable Windows authentication:

    squaredup4 windows

  4. Repeat these steps to enable Windows authentication on the Secondary SquaredUp server.

 

3. Configure Kerberos constrained delegation

Next we need to allow the SquaredUp application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.

The following steps require changes to the Active Directory account used by the SquaredUp application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by SquaredUp before proceeding. See How to check and modify the Application Pool Identity.

 

Verify and configure Service Principal Names (SPNs)

We need to create SPNs for the individual servers and for the load balanced address, for example lb-ha.

Think of SPNs as pseudo-accounts that represent a service endpoint, such as the SquaredUp website. They allow Kerberos to authenticate between a real end user and a service. SPNs must be created for each address the user connects to, and must be associated with the actual account used by the service, in our case this is the SquaredUp application pool identity. For more information on SPNs and how they work see here.

We can create the required SPNs by running commands from a command prompt on the domain controller, the domain account used must have SCOM admin permissions.

The HTTP service class that we use here for SPNs, differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class.

  1. On a domain controller, click on the Start button and type:

    command prompt

  2. Right-click on the Command Prompt icon and click Run as administrator.

  3. Type the following to set the SPN for each individual servers fully qualified domain name (FQDN):

    SETSPN -S HTTP/webserver1.domain.tld domain\SquaredUpAccount

    Where webserver1 should be replaced by the name of the server where SquaredUp is installed, domain by your domain name, tld is the top level domain, and SquaredUpAccount is the domain service account that you set as the SquaredUp application pool identity.

  4. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs

  5. Next type the following to set the SPN for each individual server short address:

    SETSPN -S HTTP/webserver1 domain\SquaredUpAccount

  6. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs
  7. Repeat the above steps for all other SquaredUp web servers.

  8. Next, we'll create the SPNs for the load balanced address.

    Type the following to set the SPN for the load balancer fully qualified domain name (FQDN):

    SETSPN -S HTTP/LoadBalancedAddress.domain.tld domain\SquaredUpAccount

    Where LoadBalancedAddress is the address you specified in DNS Manager, domain is your domain name, tld is the top level domain, and SquaredUpAccount is the domain service account that you set as the SquaredUp application pool identity.

    For example:

    SETSPN -S HTTP/lb-ha.squpinternal.net squpinternal\CALBAppPool

  9. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs

  10. Next type the following to set the SPN for the load balancer short address:

    SETSPN -S HTTP/LoadBalancedAddress domain\SquaredUpAccount

  11. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs

  12. To check the SPNs are configured correctly type:

    SETSPN -L SquaredUpAccount

You should see at least 6 SPNs. Two that we have just set for the load balanced address, two for the Primary SquaredUp server and two for the Secondary SquaredUp server (and two for each other SquaredUp server):

SETSPN-LSquaredUpIdentity.png

If you have another address that you use to browse to SquaredUp, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN).

 

Configure Kerberos constrained delegation in Active Directory

The next step is to enable the SquaredUp application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.

To configure Kerberos constrained delegation:

  1. On a domain controller, open Active Directory Users and Computers.
  2. If the SquaredUp application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example domain\webserver1. If you have configured SquaredUp to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup. See How to check and modify the Application Pool Identity
  3. Right-click and select Properties.

  4. Click on the Delegation tab.

    If the Delegation tab is not visible, first check that you are looking at the correct user or computer account, then check that the SPN has been set correctly for this user or computer as described above.

  5. Check Trust this user/computer for delegation to specified services only. (We could also set Trust this user/computer for delegation to any service, but this is less secure than defining a list of specified services.)
  6. Click Add, then Users or Computers.
  7. If the System Center Data Access Service is running as Local System, locate the SCOM server. If the System Center Data Access Service is running as a service account locate that service account. See Checking the System Center Data Access Service run as account

  8. From the list of available services click on MSOMSdkSvc.

    If the MSOMSdkSvc service is not available, first check that you are looking at the correct user or computer account, then check that the SCOM SPNs are correct, see Troubleshooting Kerberos

    AddServicesMSOMSDKSvc.png

  9. Click OK, and then Apply.

    DelegationTabLB.png

 

4. Restart the SquaredUp web servers

At this point we strongly recommend restarting the SquaredUp web servers to clear any cached account information.

 

5. Configure your web browsers to use Windows authentication

Your users' web browsers must be configured to use Windows authentication when connecting to SquaredUp.

The configuration depends on the browser.

 

Internet Explorer

By default, Internet Explorer is enabled to use Windows authentication for intranet sites only. If your users may connect to SquaredUp using a fully qualified domain name (FQDN) (e.g. webserver1.domain.local) then you must add this to the list of intranet sites in Internet Explorer.

Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.

    1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

      LocalIntranetFQDNLB.png

    2. Paste in the fully qualified domain name for your SquaredUp server, and click Add, then Close, then OK.
    3. Click on Local intranet and then Custom level.
    4. Scroll to the bottom of the settings and verify that either of the following settings are enabled:

      Automatic logon with current user name and password
      Automatic logon only in Intranet zone

      AutomaticLogon.png

If you prefer, you can add the sites to the local intranet sites on all clients using Group Policy, see:

Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)

 

Chrome

By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps above.

In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.

For more details, see The Chromium Projects - HTTP authentication

 

FireFox

Firefox requires explicit configuration to enable Windows authentication.

  1. Type about:config in the location bar.
  2. Type network.negotiate-auth.trusted-uris in the search box.

  3. Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN) separated by a comma and a space. Do not include the http:// or https://

    network.negotiate-auth.trusted-uris50.png

  4. Click OK.
  5. Repeat these steps for the network.negotiate-auth.delegation-uris setting.

 

6. Verify the configuration

Check that SquaredUp is now accessible:

  1. Log on to a client machine as a SCOM user, using a different user account to that with which you are logged on to the SquaredUp server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if Kerberos is misconfigured.)

  2. Browse to the load balanced address, for example from both http://lb-ha/SquaredUpv4 and http://lb-ha.domain.tld/SquaredUpv4

    Browsing to the FQDN on a web server is a known Microsoft bug, see HTTP 401.1 - Unauthorized: Logon Failed

  3. If SquaredUp opens, check that graphs are shown. If they are not, check the Data Warehouse connection.

If you experience issues see Troubleshooting Kerberos.

Related articles