SquaredUp Kerberos script
The SquaredUp Kerberos script Debug-SquaredUpKerberos.ps1 queries the Kerberos configuration.
To download and run the Kerberos script, see Collecting Diagnostic Information.
The results are shown on screen. When an issue is identified, a message is displayed that you can use, together with the information in this article, to resolve the issue.
For assistance resolving Kerberos issues please contact SquaredUp Support and reply to the automatic response with the output of the SquaredUp Diagnostics and a screenshot of the Kerberos script results.
If the Kerberos script doesn't identify any issues but you are still prompted by the browser for a username and password, see the end of this article.
Issues identified by the Kerberos Script
"SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount'"
"SPN 'MSOMSdkSvc/SCOMServer' exists but it is not registered to identity 'domain\SCOMIdentity'"
Other issues covered:
How to configure SPNs when accessing SquaredUp via an address that is not the SquaredUp server name
Delegation tab is missing when configuring Kerberos delegation
The MSOMSdkSvc service is not listed when carrying out delegation
Checking the System Center Data Access Service run as account
Still presented with the browser logon box
Check Windows authentication 'Providers'
How to enable Kerberos event logging
Check that delegation has been set up
SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount'
The script has identified an SPN for the SquaredUp server but it is not registered to the SquaredUp application pool identity. This may be because the SquaredUp application pool identity has been changed. Follow the steps below to reconfigure the SPNs for the new SquaredUp application pool identity.
Configuring SPNs for SquaredUp
HTTP service SPNs need to be configured for each SquaredUp server. It is important to know the SquaredUp application pool identity as this determines the account the SPN is registered to.
- On a domain controller, click on the Start button and type: command prompt
- Right-click on the Command Prompt icon and click Run as administrator.
- Type:
  SETSPN -S HTTP/SquaredUpServer domain\SquaredUpAccount
  SquaredUpServer should be replaced by the name of the server where SquaredUp is installed, and domain by your domain name. SquaredUpAccount should be replaced by the SquaredUp application pool identity.
  If the SquaredUp application pool is configured to use NetworkService, then the SquaredUpAccount is the computer account for the web server. For example, if SquaredUp is running on server webserver1.domain.local then use domain\webserver1.
  If you have configured SquaredUp to use a domain service account then this account should be used. For example, if your domain service account is domain\svc-squaredup then use domain\svc-squaredup.
  If you are unsure which account SquaredUp is configured to use, check the SquaredUp application pool configuration.
- This may report Duplicate SPN found, aborting operation! The output also very usefully shows the account that is already registered to the SPN. See Duplicate SPN found, aborting operation! below to delete the existing SPN and recreate it.
- Repeat these steps for the fully qualified domain name (FQDN) of the SquaredUp server:
  SETSPN -S HTTP/SquaredUpServer.domain.tld domain\SquaredUpAccount
  Where tld is the top level domain.
- Run the SquaredUp Kerberos script to see if any further problems are reported.
If you have another address that you use to browse to SquaredUp, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN). See Accessing SquaredUp via an address that is not the SquaredUp server name.
SPN 'MSOMSdkSvc/SCOMServer' exists but it is not registered to identity 'domain\SCOMIdentity'
The script has identified an SPN for the SCOM server but it is not registered to the System Center Data Access Service run as account. This may be because the System Center Data Access Service run as account has changed. Follow the steps below to reconfigure the SPNs for the new System Center Data Access Service run as account.
Configuring SPNs for SCOM
MSOMSdkSvc service SPNs need to be configured for the SCOM server. It is important to know the System Center Data Access Service run as account as this determines the account the SPN is registered to. For more information see OpsMgr 2012: What should the SPN’s look like?
When load balancing SCOM (whether using Network Load Balancing or a hardware load balancer), all the SCOM servers must have their System Center Data Access Service running as the same service account. See the Service Principal Names section at the end of this Technet article.
- On a domain controller, click on the Start button and type: command prompt
- Right-click on the Command Prompt icon and click Run as administrator.
- Type the following to set the SPN for the server short address:
  SETSPN -S MSOMSdkSvc/SCOMServer domain\SCOMIdentity
  SCOMServer should be replaced by the name of the SCOM server, and domain by your domain name. SCOMIdentity should be replaced by the System Center Data Access Service run as account.
  If the System Center Data Access Service is running as Local System, then the account should be the computer account for the SCOM server.
  If the System Center Data Access Service is running as a service account then the account should be that service account.
  See Checking the System Center Data Access Service run as account.
- This may report Duplicate SPN found, aborting operation! The output also very usefully shows the account that is already registered to the SPN. See Duplicate SPN found, aborting operation! below to delete the existing SPN and recreate it.
- Repeat these steps for the fully qualified domain name (FQDN) of the SCOM server:
  SETSPN -S MSOMSdkSvc/SCOMServer.domain.tld domain\SCOMIdentity
  Where tld is the top level domain.
- Run the SquaredUp Kerberos script to see if this error has been resolved and if any further errors are reported.
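The two SETSPN procedures above (HTTP SPNs for SquaredUp and MSOMSdkSvc SPNs for SCOM) both hinge on the same question: which AD object currently holds each SPN. The following added example, which is not part of Debug-SquaredUpKerberos.ps1 or of this article, answers that question with the ActiveDirectory module and prints the SETSPN command still needed; the server and account names are the article's placeholders and must be replaced with your own.

```powershell
# Added example (not part of Debug-SquaredUpKerberos.ps1 or the article): find which AD
# object holds each SPN SquaredUp and SCOM need and print the SETSPN command still required.
# Needs the ActiveDirectory module (RSAT) and read access to the domain.
# Server and account names below are the article's placeholders; substitute your own.
Import-Module ActiveDirectory

# Normalise 'domain\account', 'account' and 'computer$' to a bare lower-case name.
function ConvertTo-BareName([string]$Account) {
    (($Account -replace '^.*\\', '') -replace '\$$', '').ToLowerInvariant()
}

function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)][string[]]$Spn,            # SPNs that must exist
        [Parameter(Mandatory)][string]$ExpectedAccount   # 'domain\account' that should hold them
    )
    $expected = ConvertTo-BareName $ExpectedAccount
    foreach ($s in $Spn) {
        # servicePrincipalName is indexed, so an LDAP filter locates the holder directly.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$s)" -Properties sAMAccountName)
        $names   = @($holders | ForEach-Object { ConvertTo-BareName $_.sAMAccountName })
        $status, $action = switch ($names.Count) {
            0 { 'Missing', "SETSPN -S $s $ExpectedAccount" }
            1 { if ($names[0] -eq $expected) { 'OK', '' }
                else { 'WrongAccount', "SETSPN -D $s $($names[0]) ; SETSPN -S $s $ExpectedAccount" } }
            default { 'Duplicate', 'Remove the SPN from all but one account (see Troubleshooting Duplicate SPNs)' }
        }
        [pscustomobject]@{ SPN = $s; Status = $status; RegisteredTo = ($names -join ', '); Action = $action }
    }
}

# Worked run for the article's two scenarios: HTTP SPNs for SquaredUp, MSOMSdkSvc SPNs for SCOM.
$checks = @(
    @{ Spn = 'HTTP/SquaredUpServer', 'HTTP/SquaredUpServer.domain.tld';   ExpectedAccount = 'domain\SquaredUpAccount' }
    @{ Spn = 'MSOMSdkSvc/SCOMServer', 'MSOMSdkSvc/SCOMServer.domain.tld'; ExpectedAccount = 'domain\SCOMIdentity' }
)
foreach ($c in $checks) { Test-SpnRegistration @c } | Format-Table -AutoSize
```

A Status of WrongAccount corresponds to the "exists but it is not registered to identity" message from the Kerberos script, and Duplicate to "Found duplicate SPNs".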
"Checking the SquaredUp account delegation settings...FAIL The SquaredUp account AD entry (domain\SquaredUpAccount) is not configured for delegation to SPN 'MSOMSdkSvc/SCOMServer'"
- On a domain controller, open Active Directory Users and Computers.
- Navigate to the SquaredUpAccount mentioned in the error message (this should be the SquaredUp application pool account).
- Right-click on the account and select Properties.
- Click on the Delegation tab. (If the Delegation tab is not there, see Delegation tab is missing when configuring Kerberos delegation.)
- Check Trust this user/computer for delegation to specified services only.
- Click Add, then Users or Computers.
- Locate the System Center Data Access Service account. The SCOM DAS identity account you need is shown in the Kerberos script output as "Determining SCOM identity for kerberos... OK ; OMSDK.Account=domain\SCOMIdentity". See Checking the System Center Data Access Service run as account.
- From the list of available services click on MSOMSdkSvc. Be careful not to select MSOMHSvc; you need MSOMSdkSvc. If MSOMSdkSvc is not available, follow The MSOMSdkSvc service is not listed when carrying out delegation.
- At this point we strongly recommend restarting the SquaredUp web servers to clear any cached account information.
- Run the SquaredUp Kerberos script to see if this error has been resolved and if any further errors are reported.
Troubleshooting Duplicate SPNs
After running a SETSPN -S command you may see Duplicate SPN found, aborting operation!
The Kerberos script may fail with the message Found duplicate SPNs.
See Troubleshooting Duplicate SPNs.
How to configure SPNs when accessing SquaredUp via an address that is not the SquaredUp server name
See How to configure SPNs when accessing SquaredUp via an address that is not the SquaredUp server name.
Delegation tab is missing when carrying out delegation
The Delegation tab can be missing if you have opened the wrong account in Active Directory Users and Computers, or if the HTTP SPNs have not been configured for that account.
The delegation tab is only available after an SPN attribute has been added to the active directory object.
- Check that you have opened the correct account in Active Directory Users and Computers. You should open the 'SquaredUp account', i.e. the application pool identity:
  - If the SquaredUp application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example, domain\webserver1.
  - If you have configured SquaredUp to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup.
  For more information see How to check and modify the Application Pool Identity.
- If the Delegation tab is still missing once you have opened the correct account in Active Directory Users and Computers, then you should run the Kerberos script to help identify the SPN problem. It is likely you will see either "SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount'" or "Found duplicate SPNs", and you should follow those steps to fix the SPN problem.
If the Delegation tab is shown but the MSOMSdkSvc option is missing then see The MSOMSdkSvc service is not listed when carrying out delegation.
The MSOMSdkSvc service is not listed when carrying out delegation
The MSOMSdkSvc option is not listed if you have opened the wrong account in Active Directory Users and Computers, or if the MSOMSdkSvc SPN has not been configured correctly for the SCOM Data Access service run as account (or if using 'local service', the SCOM server computer).
- First, check that you have opened the correct account:
  - If the SquaredUp application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example, domain\webserver1.
  - If you have configured SquaredUp to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup. See How to check and modify the Application Pool Identity.
- Secondly, when you're on the Delegation tab, check that you're adding the correct account:
  - If the System Center Data Access Service is running as Local System, locate the SCOM server.
  - If the System Center Data Access Service is running as a service account, locate that service account. See Checking the System Center Data Access Service run as account.
- If the MSOMSdkSvc service is not listed for this account, then you should run the Kerberos script to help identify the SPN problem. It is likely you will see "SPN 'MSOMSdkSvc/SCOMServer' exists but it is not registered to identity 'domain\SCOMIdentity'" or "Found duplicate SPNs", and you should follow those steps to fix the SPN problem.
Normally the SPNs are created automatically, but if they could not be created initially or the account running the System Center Data Access Service has changed, then the SPNs need to be created now, see Configuring SPNs for SCOM.
Once the SPNs are set correctly the MSOMSdkSvc service will be listed when carrying out delegation.
Checking the System Center Data Access Service run as account
- To check the System Center Data Access Service (DAS) run as account on the SCOM server, click on the Start button and type: services
- Locate the System Center Data Access Service and check the Log On As column to see whether the service is running as Local System or as a specific service account.
When you run the Kerberos script the System Center Data Access Service account you need is shown on the Kerberos script output:
"Determining SCOM identity for kerberos... OK ; OMSDK.Account=domain\SCOMIdentity"
Still presented with the browser logon box
If the Kerberos script does not show any errors please check the following:
- Restart the SquaredUp server(s).
- Re-run the squaredup4 windows command on the SquaredUp server(s). See the relevant article linked from How to configure Windows authentication.
- Check the browsers are configured to use Windows authentication. See the relevant article linked from How to configure Windows authentication.
- Check Windows authentication 'Providers'.
- Enable Kerberos event logging.
Check Windows authentication 'Providers'
If the SquaredUp Kerberos script finds all settings correct, but you are still seeing the browser login box, and entering the logon details of a SCOM user does not allow you access to SquaredUp, then you should check the Windows authentication 'Providers' as described below.
- On the SquaredUp server, open IIS, click on SquaredUpv4, then open Authentication from the middle pane. Right-click on Windows Authentication and select Providers.
- Check the list of Enabled Providers. It should show Negotiate, NOT Negotiate:Kerberos.
- If Negotiate:Kerberos is listed please remove this, and add Negotiate.
- Click OK.
- Before testing, you'll need to close and reopen your browser.
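The same Providers check can be done from the IIS configuration rather than the GUI. The following is an added example, not code from the article or from SquaredUp; it uses the WebAdministration module on the SquaredUp server and assumes the site is named SquaredUpv4 as in the steps above.

```powershell
# Added example (not from the article or SquaredUp): read, and optionally correct, the
# Windows authentication providers on the SquaredUp IIS site. Run in an elevated
# PowerShell on the SquaredUp server. 'SquaredUpv4' is the site name the article uses.
Import-Module WebAdministration

$SitePath = 'IIS:\Sites\SquaredUpv4'
$Filter   = 'system.webServer/security/authentication/windowsAuthentication/providers'

# Returns the enabled providers in the order IIS offers them to the browser.
function Get-WinAuthProviders {
    @((Get-WebConfiguration -Filter "$Filter/add" -PSPath $SitePath).value)
}

# Expected state per the article: 'Negotiate' present, 'Negotiate:Kerberos' absent.
function Test-WinAuthProviders {
    $p = Get-WinAuthProviders
    [pscustomobject]@{
        Providers = ($p -join ', ')
        Ok        = ($p -contains 'Negotiate') -and ($p -notcontains 'Negotiate:Kerberos')
    }
}

# Applies the fix from the article: drop Negotiate:Kerberos and put Negotiate first.
function Repair-WinAuthProviders {
    $p = Get-WinAuthProviders
    if ($p -contains 'Negotiate:Kerberos') {
        Remove-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' -AtElement @{ value = 'Negotiate:Kerberos' }
    }
    if ($p -notcontains 'Negotiate') {
        Add-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' -Value @{ value = 'Negotiate' } -AtIndex 0
    }
    Test-WinAuthProviders
}

Test-WinAuthProviders
```

Run Repair-WinAuthProviders only after Test-WinAuthProviders reports Ok = False; close and reopen the browser before testing again.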
How to enable Kerberos event logging
If it is proving difficult to narrow down the issue, enabling Kerberos event logging may help.
- Enable Kerberos event logging on the SquaredUp server, as described in the following Microsoft article, by setting the LogLevel value to 1:
- Once Kerberos logging is enabled on the SquaredUp server, go to a client, log out and in again, and attempt to open SquaredUp.
- On the SquaredUp server open Event Viewer, then go to Windows logs > System, and look for any Kerberos errors.
- For assistance please contact SquaredUp Support and reply to the automatic response with the output of the SquaredUp Diagnostics and a screenshot of the Kerberos errors.
You should remove Kerberos event logging once Kerberos is configured correctly.
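The enable, collect and remove steps above can be scripted so that logging is not left on by accident. This is an added example, not from the article or from SquaredUp; it assumes the standard Kerberos client logging registry key under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters and is run in an elevated PowerShell on the SquaredUp server.

```powershell
# Added example (not from the article or SquaredUp): turn Kerberos client event logging
# on, collect Kerberos events from the System log for the test window, then turn it off.
# Run in an elevated PowerShell on the SquaredUp server.
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# LogLevel 1 enables logging (as the article describes); 0 disables it again.
function Set-KerberosLogging {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$LogLevel)
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    Set-ItemProperty -Path $KerbKey -Name LogLevel -Value $LogLevel -Type DWord
    (Get-ItemProperty -Path $KerbKey -Name LogLevel).LogLevel
}

# Kerberos client events are written to the System log under this provider.
function Get-KerberosEvents {
    param([Parameter(Mandatory)][datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$start = Get-Date
Set-KerberosLogging -LogLevel 1 | Out-Null
try {
    Read-Host 'Kerberos logging enabled. Log out and in on a client, open SquaredUp, then press Enter'
    Get-KerberosEvents -Since $start | Format-List
}
finally {
    # Always switch logging off again, even if the collection step fails.
    Set-KerberosLogging -LogLevel 0 | Out-Null
}
```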
Check that delegation has been set up
We can run a PowerShell command to check how delegation has been configured.
You will need to know:
- Whether the SquaredUp application pool is running as Network Service, or a domain service account.
- Whether the System Center Data Access Service on the SCOM server is running as local system or a service account.
- The relevant Distinguished Name (DN). If the SquaredUp application pool is running as Network Service then you will need the DN for the SquaredUp server name. If it is using a domain service account you will need the DN of that user account.
We will be running the next command on a domain controller, and you can find the Distinguished Name using PowerShell on a domain controller. For Network Service use Get-ADComputer SquaredUpServer, for a domain service account use Get-ADUser SquaredUpAccount. Alternatively, you can get the DN on a non-domain controller by running the relevant SETSPN command, either SETSPN -L SquaredUpServer or SETSPN -L SquaredUpAccount.
- On a domain controller, click on the Start button and type: powershell
- Right-click on the PowerShell icon and click Run as administrator.
- Type:
  Get-ADObject "CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld" -Properties msDS-AllowedToDelegateTo
  Where CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld is the Distinguished Name (DN). You should have an output similar to the following:
  DistinguishedName        : CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld
  msDS-AllowedToDelegateTo : {MSOMSdkSvc/SCOMServerName.domain.tld, MSOMSdkSvc/SCOMServerName}
  Name                     : SquaredUpServer
  ObjectClass              : computer
  ObjectGUID               : f044abee-7ea2-49c6-8704-de379fecd1d4
- Check the msDS-AllowedToDelegateTo line.
  If the System Center Data Access Service on the SCOM server is running as local system then msDS-AllowedToDelegateTo should show the correct SCOM server.
  If the System Center Data Access Service is running as a service account then msDS-AllowedToDelegateTo should show the service account.
  This information maps to the Trust this user for delegation to specified services only checkbox.
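The delegation steps earlier in this article and the Get-ADObject check above can be combined into one test that resolves the DN itself and confirms the delegation is constrained to MSOMSdkSvc. This is an added example, not the article's own command; it assumes the ActiveDirectory module and the article's placeholder names, and the userAccountControl flag values are the standard ones (0x80000 unconstrained delegation, 0x1000000 protocol transition).

```powershell
# Added example (not the article's own command): resolve the SquaredUp account (computer
# object for NetworkService, user object for a domain service account), then verify that
# delegation is constrained to the MSOMSdkSvc SPNs of the SCOM server.
# Requires the ActiveDirectory module; placeholder names as used in the article.
Import-Module ActiveDirectory

function Test-SquaredUpDelegation {
    param(
        [Parameter(Mandatory)][string]$SquaredUpAccount,  # app pool identity, or the web server name
        [Parameter(Mandatory)][string]$ScomServer,        # SCOM server short name
        [Parameter(Mandatory)][string]$DnsDomain,         # e.g. domain.tld
        [switch]$AppPoolIsNetworkService                   # NetworkService = computer account
    )
    $props = 'msDS-AllowedToDelegateTo', 'userAccountControl'
    $obj = if ($AppPoolIsNetworkService) { Get-ADComputer $SquaredUpAccount -Properties $props }
           else                          { Get-ADUser     $SquaredUpAccount -Properties $props }

    $allowed  = @($obj.'msDS-AllowedToDelegateTo')
    $required = @("MSOMSdkSvc/$ScomServer", "MSOMSdkSvc/$ScomServer.$DnsDomain")
    $missing  = @($required | Where-Object { $allowed -notcontains $_ })

    # userAccountControl bits: 0x80000 = "any service" (unconstrained), 0x1000000 = "any protocol".
    $uac = [int]$obj.userAccountControl
    $unconstrained = [bool]($uac -band 0x80000)
    $result = if ($unconstrained) { 'FAIL: unconstrained delegation is set; use "specified services only"' }
              elseif ($missing.Count -gt 0) { 'FAIL: MSOMSdkSvc SPN(s) missing from msDS-AllowedToDelegateTo' }
              else { 'OK' }

    [pscustomobject]@{
        DistinguishedName   = $obj.DistinguishedName
        AllowedToDelegateTo = ($allowed -join ', ')
        MissingServices     = ($missing -join ', ')
        Unconstrained       = $unconstrained
        ProtocolTransition  = [bool]($uac -band 0x1000000)
        Result              = $result
    }
}

# NetworkService app pool: the SquaredUp server's computer account holds the delegation.
Test-SquaredUpDelegation -SquaredUpAccount 'SquaredUpServer' -ScomServer 'SCOMServer' -DnsDomain 'domain.tld' -AppPoolIsNetworkService
# Domain service account app pool: the user account holds it instead.
Test-SquaredUpDelegation -SquaredUpAccount 'svc-squaredup' -ScomServer 'SCOMServer' -DnsDomain 'domain.tld'
```

A Result of OK with ProtocolTransition = False corresponds to "specified services only" with "Use Kerberos only", which is the least-privilege form of the delegation the article configures.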