Users unable to logon when Kerberos constrained delegation configured
When users attempt to log on to SquaredUp they receive a browser-based login prompt.
The following error is logged in the SquaredUp log file:
[ERR] SCOM connectivity error: unauthorized System.UnauthorizedAccessException: The user does not have sufficient permission to perform the operation.
If users are instead presented with the SquaredUp logon screen (rather than a browser authentication prompt), see Troubleshooting users being unable to log on.
SquaredUp accesses SCOM using the end user's credentials. When Windows authentication is being used and SquaredUp is deployed on a dedicated server (not a SCOM server), the end user first authenticates with the SquaredUp web server, and then the SquaredUp web server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a 'double-hop' and requires Kerberos delegation to be configured correctly.
Kerberos delegation involves complex configuration. Kerberos authentication must be working correctly between the client, the web server and the management server, and the supporting configuration, in particular the Service Principal Names (SPNs) for both services and the delegation settings on the identity the SquaredUp web site runs as, must be correct.
You may find that users who log on to SquaredUp from a client authenticate successfully if they have also logged on to the browser on the SquaredUp server itself. Their logon session on the SquaredUp server may still be live, so when the web server impersonates them it already holds their credentials locally and the request to SCOM is in effect a single hop that needs no delegation. This can cause confusion when diagnosing the issue: test with an account that has never logged on to the SquaredUp server, or log the test user off there first.
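The checks below, as an added diagnostic example (not SquaredUp's own code or documentation), walk the two hops described above: the HTTP SPN for hop 1, the SCOM Data Access Service SPN for hop 2, the delegation attributes on the identity the SquaredUp site runs as, and the live-session check that rules out the one-hop false positive. The server names SQUP01 and SCOMMS01, the domain contoso.local and the account svc-squaredup are placeholders, and the MSOMSdkSvc SPN prefix is assumed to be the one the SCOM Data Access Service registers; confirm it with the setspn -Q query in the script before relying on it.

```powershell
# Added diagnostic script, not SquaredUp's own code. Every name below is a
# placeholder (SQUP01, SCOMMS01, contoso.local, svc-squaredup are assumed);
# substitute your own before running. Requires the ActiveDirectory module
# and the setspn/klist tools that ship with Windows.
$WebServer   = 'SQUP01'          # SquaredUp web server (hop 1)
$MgmtServer  = 'SCOMMS01'        # SCOM management server (hop 2)
$DomainFqdn  = 'contoso.local'
$WebIdentity = 'svc-squaredup'   # sAMAccountName of the SquaredUp app pool identity.
                                 # If the pool runs as Network Service or
                                 # ApplicationPoolIdentity, use the computer
                                 # account instead: "$WebServer`$"
# SPN the SCOM Data Access Service registers (assumed prefix; verified below).
$ScomSdkSpn  = "MSOMSdkSvc/$MgmtServer.$DomainFqdn"

Import-Module ActiveDirectory

# --- Hop 1: client -> web server ----------------------------------------
# Every host name users type into the browser needs an HTTP SPN on the app
# pool identity; otherwise the browser falls back to NTLM and there is no
# Kerberos ticket for the web server to delegate in the first place.
Write-Host "SPNs registered on $WebIdentity :"
setspn -L $WebIdentity
# Expect HTTP/$WebServer and HTTP/$WebServer.$DomainFqdn (plus any alias).
# A duplicate SPN anywhere in the forest breaks Kerberos silently:
setspn -X

# --- Hop 2: web server -> management server ------------------------------
# The account that owns the SCOM SDK SPN is the only valid delegation target.
Write-Host "Owner of $ScomSdkSpn :"
setspn -Q $ScomSdkSpn

# --- Delegation settings on the hop-1 identity --------------------------
# Read the raw attributes rather than trusting the ADUC "Delegation" tab.
$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$WebIdentity)" `
            -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
if (-not $acct) { throw "Account $WebIdentity not found in Active Directory" }

$targets = @($acct.'msDS-AllowedToDelegateTo')
if ($acct.TrustedForDelegation) {
    Write-Warning "$WebIdentity is trusted for UNCONSTRAINED delegation. The double hop works, but this is broader than needed; prefer constrained delegation to $ScomSdkSpn."
} elseif ($targets -contains $ScomSdkSpn) {
    Write-Host "Constrained delegation to $ScomSdkSpn is configured." -ForegroundColor Green
} else {
    Write-Warning "No delegation to $ScomSdkSpn (allowed targets: $($targets -join ', ')). The web server cannot obtain a SCOM ticket on the user's behalf, which surfaces as UnauthorizedAccessException in the SquaredUp log."
}
# TrustedToAuthForDelegation is "Use any authentication protocol" (protocol
# transition). It is only required when hop 1 is not Kerberos; with Kerberos
# working end to end the stricter "Use Kerberos only" setting is sufficient.
Write-Host "Protocol transition enabled: $($acct.TrustedToAuthForDelegation)"

# --- Is the test really a double hop? (run on the web server) ------------
# If the test user still has a logon session here, the server authenticates
# to SCOM with their cached credentials and the result proves nothing about
# delegation. Log the user off before testing from a client.
Write-Host "Logon sessions on this server (look for the test user):"
klist sessions

# --- On the client, as the test user ------------------------------------
# The service ticket for the web server must exist (Kerberos, not NTLM, was
# used) and carry the 'forwardable' flag, or there is nothing to delegate.
klist get "HTTP/$WebServer.$DomainFqdn"
klist | Select-String -Pattern "HTTP/$WebServer", 'forwardable'
```

The sections are meant to be run where the comments say: the SPN and delegation queries from any domain-joined machine with RSAT, the `klist sessions` check on the SquaredUp server, and the final ticket check on the client in the test user's own session.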
To resolve the issue, follow the guide How to configure Windows authentication, and then run through the Troubleshooting Kerberos article.