Skip to main content

Troubleshooting Kerberos

Adam
  • Updated

SquaredUp Kerberos script

The SquaredUp Kerberos script Debug-SquaredUpKerberos.ps1 queries the Kerberos configuration.

To download and run the Kerberos script see Collecting Diagnostic Information

The results are shown on screen and when an issue is identified a message is displayed which you can use to resolve the issue, using the information in this article.

For assistance resolving Kerberos issues please contact SquaredUp Support and reply to the automatic response with the output of the SquaredUp Diagnostics and a screenshot of the Kerberos script results.

If the Kerberos script doesn't identify any issues but you are still prompted by the browser for a username and password, see the end of this article.

Issues identified by the Kerberos Script

"SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount"

"SPN 'MSOMSdkSvc/SCOMServer' exists but it is not registered to identity 'domain\SCOMIdentity'"

"Found duplicate SPNs"

 

 

SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount'

The script has identified an SPN for the SquaredUp server but it is not registered to the SquaredUp application pool identity. This may be because the SquaredUp application pool identity has been changed. Follow the steps below to reconfigure the SPNs for the new SquaredUp application pool identity.

Configuring SPNs for SquaredUp

HTTP service SPNs need to be configured for each SquaredUp server. It is important to know the SquaredUp application pool identity as this determines the account the SPN is registered to.

  1. On a domain controller, click on the Start button and type:

    command prompt

  2. Right-click on the Command Prompt icon and click Run as administrator.

  3. Type:

    SETSPN -S HTTP/SquaredUpServer domain\SquaredUpAccount

    SquaredUpServer should be replaced by the name of the server where SquaredUp is installed, and domain by your domain name.

    SquaredUpAccount should be replaced by the SquaredUp application pool identity.

    If the SquaredUp application pool is configured to use NetworkService, then the SquaredUpAccount is the computer account for the web server. For example, if SquaredUp is running on server webserver1.domain.local then use domain\webserver1.

    If you have configured SquaredUp to use a domain service account then this account should be used. For example, if your domain service account is domain\svc-squaredup then use domain\svc-squaredup.

    If you are unsure which account SquaredUp is configured to use, check the SquaredUp application pool configuration.

  4. This may report Duplicate SPN found, aborting operation!. The output also very usefully shows the account that is already registered to the SPN. See Duplicate SPN found, aborting operation! below to delete the existing SPN and recreate it.

  5. Repeat these steps for the fully qualified domain name (FQDN) of the SquaredUp server:

    SETSPN -S HTTP/SquaredUpServer.domain.tld domain\SquaredUpAccount

    Where tld is the top level domain.

  6. Run the SquaredUp Kerberos script to see if any further problems are reported.

If you have another address that you use to browse to SquaredUp, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN). See Accessing SquaredUp via an address that is not the SquaredUp server name

 

SPN 'MSOMSdkSvc/SCOMServer' exists but it is not registered to identity 'domain\SCOMIdentity'

The script has identified an SPN for the SCOM server but it is not registered to the System Center Data Access Service run as account. This may be because the System Center Data Access Service run as account has changed. Follow the steps below to reconfigure the SPNs for the new System Center Data Access Service run as account.

Configuring SPNs for SCOM

MSOMSdkSvc service SPNs need to be configured for the SCOM server. It is important to know the System Center Data Access Service run as account as this determines the account the SPN is registered to. For more information see OpsMgr 2012: What should the SPN’s look like?

When load balancing SCOM (whether using Network Load Balancing or a hardware load balancer) all the SCOM servers must have their System Center Data Access service running as the same service account See the Service Principal Names section at the end of this Technet article.

  1. On a domain controller, click on the Start button and type:

    command prompt

  2. Right-click on the Command Prompt icon and click Run as administrator.

  3. Type the following to set the SPN for the server short address:

    SETSPN -S MSOMSdkSvc/SCOMServer domain\SCOMIdentity

    SCOMServer should be replaced by the name of the SCOM server, and domain by your domain name.

    SCOMIdentity should be replaced by the System Center Data Access Service run as account.

    If the System Center Data Access Service is running as Local System, then the account should be the computer account for the SCOM server.

    If the System Center Data Access Service is running as a service account then the account should be that service account.

    See Checking the System Center Data Access Service run as account

  4. This may report Duplicate SPN found, aborting operation!. The output also very usefully shows the account that is already registered to the SPN. See Duplicate SPN found, aborting operation! below to delete the existing SPN and recreate it.

  5. Repeat these steps for the fully qualified domain name (FQDN) of the SCOM server:

    SETSPN -S MSOMSdkSvc/SCOMServer.domain.tld domain\SCOMIdentity

    Where tld is the top level domain.

  6. Run the SquaredUp Kerberos script to see if any further problems are reported.

 

Troubleshooting Duplicate SPNs

After running a SETSPN -S command you may see Duplicate SPN found, aborting operation!

The Kerberos script may fail with the message Found duplicate SPNs

See Troubleshooting Duplicate SPNs

 

 

How to configure SPNs when accessing SquaredUp via an address that is not the SquaredUp server name

See How to configure SPNs when accessing SquaredUp via an address that is not the SquaredUp server name. 

The MSOMSdkSvc service is not listed when carrying out delegation

  1. First, check that you have opened the correct account:

    If the SquaredUp application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example domain\webserver1. If you have configured SquaredUp to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup. See How to check and modify the Application Pool Identity

  2. Secondly, when you're on the Delegation tab, check that you're adding the correct account:

    If the System Center Data Access Service is running as Local System, locate the SCOM server. If the System Center Data Access Service is running as a service account locate that service account. See Checking the System Center Data Access Service run as account

  3. If the MSOMSdkSvc service is not listed for this account, then the SPN has not been set. Normally the SPNs are created automatically, but if they could not be created initially or the account running the System Center Data Access Service has changed, then the SPNs need to be created now.

    See Configuring SPNs for SCOM

    Once the SPNs are set correctly the MSOMSdkSvc service will be listed when carrying out delegation.

 

Checking the System Center Data Access Service run as account

  1. To check the System Center Data Access Service run as account on the SCOM server click on the Start button and type services.
  2. Locate the System Center Data Access Service and check the Log On As column to see whether the server is running as Local System or as a specific service account.

 

Still presented with the browser logon box

If the Kerberos script does not show any errors please check the following:

  1. Restart the SquaredUp server(s).
  2. Re-run the squaredup4 windows command on the SquaredUp server(s). See the relevant article linked from How to configure Windows authentication.
  3. Check the browsers are configured to use Windows authentication. See the relevant article linked from How to configure Windows authentication.
  4. Check Windows authentication 'Providers'
  5. Enable Kerberos event logging

 

Check Windows authentication 'Providers'

If the SquaredUp Kerberos script finds all settings correct, but you are still seeing the browser login box, and entering the logon details of a SCOM user does not allow you access to SquaredUp, then you should check the Windows authentication 'Providers' as described below.

  1. On the SquaredUp server, open IIS, click on SquaredUpv4, then open Authentication from the middle pane. Right-click on Windows Authentication and select Providers.
  2. Check the list of Enabled Providers. It should show Negotiate, NOT Negotiate:Kerberos.
  3. If Negotiate:Kerberos is listed please remove this, and add Negotiate.
  4. Click OK.
  5. Before testing, you'll need to close and reopen your browser.

 

How to enable Kerberos event logging

If it is proving difficult to narrow down the issue, enabling Kerberos event logging may help.

  1. Enable Kerberos event logging on the SquaredUp server, as described in the following Microsoft article, by setting the LogLevel value to 1:

    How to enable Kerberos event logging

  2. Once Kerberos logging is enabled on the SquaredUp server, go to a client and log out and in again and attempt to open SquaredUp.
  3. On the SquaredUp server open Event Viewer, then go to Windows logs > System, and look for any Kerberos errors.
  4. For assistance please contact SquaredUp Support and reply to the automatic response with the output of the SquaredUp Diagnostics and a screenshot of the Kerberos errors.

You should remove Kerberos event logging once Kerberos is configured correctly.

 

Check that delegation has been set up

We can run a PowerShell command to check how delegation has been configured.

You will need to know:

  • Whether the SquaredUp application pool is running as Network Service, or a domain service account.
  • Whether the System Center Data Access Service on the SCOM server is running as local system or a service account.
  • The relevant Distinguished Name (DN). If the SquaredUp application pool is running as Network Service then you will need the DN for the SquaredUp server name. If it is using a domain service account you will need the DN of that user account.

We will be running the next command on a domain controller, and you can find the Distinguished Name using PowerShell on a domain controller. For Network Service use Get-ADComputer SquaredUpServer, for a domain service account useGet-ADUser SquaredUpAccount. Alternatively, you can get the DN on a non-domain controller by running the relevant SETSPN command, either SETSPN -L SquaredUpServer or SETSPN -L SquaredUpAccount.

  1. On a domain controller click on the Start button type:

    powershell

  2. Right-click on the PowerShell icon and click Run as administrator.

    Get-ADObject "CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld" -Properties msDS-AllowedToDelegateTo

    Where CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld is the Distinguished Name (DN)

    You should have an output similar to the following:

    DistinguishedName : CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld
msDS-AllowedToDelegateTo : {MSOMSdkSvc/SCOMServerName.domain.tld, MSOMSdkSvc/SCOMServerName}
Name : SquaredUpServer
ObjectClass : computer
ObjectGUID : f044abee-7ea2-49c6-8704-de379fecd1d4
  3. Check the msDS-AllowedToDelegateTo line.

If the System Center Data Access Service on the SCOM server is running as local system then msDS-AllowedToDelegateTo should show the correct SCOM server.

If the System Center Data Access Service is running as a service account then msDS-AllowedToDelegateTo should show the service account.

This information maps to the Trust this user for delegation to specified services only checkbox.

Related articles