User authentication methods for Dashboard Server SCOM Edition
A key decision when deploying Dashboard Server is how users will authenticate (log on). There are two authentication methods you can use for Dashboard Server:
- Forms authentication (default)
- Windows authentication
A single Dashboard Server instance (website) can be configured for either Forms authentication or Windows authentication, but not both.
To access Dashboard Server, a user must authenticate with their Windows credentials. These credentials are used to access SCOM and SCOM's role-based access control (RBAC) is used to determine which - if any - resources the user can access. For more information see User Management.
Tip: If you want to make dashboards available to users within your organization without requiring authentication, you can use Open Access dashboards. Open Access dashboards can be shared across the organization and viewed without users needing to authenticate, or to have any SCOM permissions. To learn more about Open Access see Sharing Dashboards with anyone - Open Access.
About Forms authentication
By default, Dashboard Server is installed with Forms authentication enabled. Forms authentication requires the user to enter his or her username and password to log on.
To use Forms authentication you do not need to make any changes after installation. If you have previously configured Windows authentication and want to switch back to Forms authentication see How to enable Forms authentication.
About Windows authentication
With Windows authentication enabled, the browser automatically authenticates to Dashboard Server using the user's Windows credentials. The user does not need to explicitly log on to the application.
Windows authentication is also known as Integrated Windows Authentication (IWA), Single Sign-On (SSO) and Pass Through Authentication.
In some scenarios, configuring Windows authentication can be more complex. If you are planning a new deployment of Dashboard Server and require Windows authentication, we recommend you install Dashboard Server on a SCOM management server.
How to enable Windows authentication
There are three different ways to enable Windows authentication depending on your environment. Jump to:
- How to enable Windows authentication when Dashboard Server is installed on a SCOM Management Server
- How to enable Windows authentication when Dashboard Server is installed on a single dedicated server
- How to enable Windows authentication when Dashboard Server is installed on multiple load balanced servers
How to enable Windows authentication when Dashboard Server is installed on a SCOM Management Server
Choose this option if Dashboard Server is deployed on a SCOM management server.
If you are planning a new deployment of Dashboard Server and require Windows authentication, we recommend you install Dashboard Server on a SCOM management server. This is the easiest setup to configure.
Make sure Dashboard Server has been installed and the initial configuration wizard (licensing etc) has been completed.
Enable Windows authentication using the Dashboard Server configuration script.
How to enable Windows authentication using the Dashboard Server configuration script
Modifying the configuration causes the web application to restart and all users will be logged off.
- On the SquaredUp server click on the Start button and type:
command prompt
- Change directory to the instance for which you wish to change authentication, by typing the correct path, for example:
cd c:\inetpub\wwwroot\SquaredUpv5\
or
cd c:\inetpub\wwwroot\SquaredUpv4\
depending on your version of Dashboard Server.
- Type the following to enable Windows authentication, depending on your version of Dashboard Server:
squaredup5 windows
or
squaredup4 windows
Your browser, and other users' browsers, must be configured to use automatic logon for all your Dashboard Server URLs. The steps below describe how to configure the browser on each client (not on the server). You can test this in your own client's browser, then your organization should apply the settings to all users' browsers, perhaps using Group Policy.
Internet Explorer
Add the fully qualified domain name (FQDN) of all SquaredUp servers, e.g. webserver1.domain.local (and the load balanced address if using one), to the list of local intranet sites, and select automatic logon, as described below. These two settings prevent the browser logon box from popping up, and allow the Windows authentication logon to be used for Dashboard Server.
Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.
- Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced
- Enter the fully qualified domain name (FQDN) for your SquaredUp server(s), and click Add, then Close, then OK.
When using multiple load balanced servers you must add the FQDN of each server, and also the load balanced address.
- Click on Local intranet and then Custom level
- Scroll to the bottom of the settings and verify that either of the following settings is enabled:
Automatic logon with current user name and password
Automatic logon only in Intranet zone
- Click OK, then Yes, then OK.
- Add the sites to the local intranet sites on ALL clients. (For example using Group Policy, see Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)).
Chrome
By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps for Internet Explorer.
In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.
For more details, see The Chromium Projects - HTTP authentication.
Firefox
Firefox requires explicit configuration to enable Windows authentication.
- Type about:config in the location bar.
- Type network.negotiate-auth.trusted-uris in the search box. Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN), separated by a comma and a space. Do not include the http:// or https:// prefix.
When using multiple load balanced servers you should add the FQDN of each server, and also the load balanced address.
- Click OK.
- Repeat these steps for the network.negotiate-auth.delegation-uris setting.
Verify the configuration.
How to verify the configuration
Check that Dashboard Server is now accessible:
- Log on to a client machine as a SCOM user, using a different user account to that with which you are logged on to the Dashboard Server server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if it is misconfigured).
- Browse to Dashboard Server. Check the server's short address and the fully qualified domain name (FQDN):
http://SquaredUpServer/SquaredUpv5 and http://SquaredUpServer.domain.tld/SquaredUpv5
If you are using multiple servers, check the short and FQDN names for all servers, and also the load balanced address.
- If Dashboard Server opens, check that graphs are shown. If they are not, check the Data Warehouse connection (see Troubleshooting the Data Warehouse connection).
Please contact SquaredUp Support if you experience any problems and reply to the automatic response with the output of the Dashboard Server Diagnostics (see Collecting diagnostic information) and, if possible, a screenshot of the problem.
How to enable Windows authentication when Dashboard Server is installed on a single dedicated server
Choose this option if Dashboard Server is deployed on a dedicated server (i.e. not on a SCOM management server), and is not load balanced.
Due to the dependencies on Active Directory and Kerberos constrained delegation, Windows authentication can be difficult to configure and troubleshoot. Please follow these instructions carefully to ensure Windows authentication works without any issues in your environment. If you have any questions or need assistance, please contact SquaredUp Support.
SquaredUp accesses SCOM using the end user's credentials. When Windows authentication is being used and Dashboard Server is deployed on a dedicated server, the end user first authenticates with the SquaredUp server, and then the SquaredUp server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time, as the SquaredUp server impersonates the end user, is known as a 'double-hop' (the Windows credentials for the Client PC are sent to the SquaredUp server (hop 1), and then to the SCOM server (hop 2)) and this requires Kerberos delegation to be enabled.
Kerberos delegation involves complex configuration. It requires Kerberos authentication to be correctly functioning between client, web server and management server, and for configuration such as Service Principal Names (SPNs) to be configured correctly. For more information on Kerberos and how it operates, see here.
Make sure Dashboard Server has been installed and the initial configuration wizard (licensing etc) has been completed.
If you want to use a domain service account for Dashboard Server, then it must be configured before the following steps. See How to check and modify the application pool identity.
Enable Windows authentication using the Dashboard Server configuration script.
How to enable Windows authentication using the Dashboard Server configuration script
Modifying the configuration causes the web application to restart and all users will be logged off.
- On the SquaredUp server click on the Start button and type:
command prompt
- Change directory to the instance for which you wish to change authentication, by typing the correct path, for example:
cd c:\inetpub\wwwroot\SquaredUpv5\
or
cd c:\inetpub\wwwroot\SquaredUpv4\
depending on your version of Dashboard Server.
- Type the following to enable Windows authentication, depending on your version of Dashboard Server:
squaredup5 windows
or
squaredup4 windows
Enable 'useAppPoolCredentials' and 'useKernelMode' in IIS.
In addition to the settings configured by the Dashboard Server configuration script, we need to manually configure IIS to perform authentication using 'kernel mode' and to use the application pool identity when doing so.
How to enable 'useAppPoolCredentials' and 'useKernelMode' in IIS
- In IIS click on the SquaredUp[Version Number] application.
- Double-click on Configuration Editor in the main panel.
- Click the Section drop down list at the top, and navigate to the following:
system.webServer/security/authentication/windowsAuthentication
- Set useAppPoolCredentials to True and ensure useKernelMode is set to True.
- Click Apply.
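The two attributes above can also be read and set from PowerShell, which is easier to audit across servers than the Configuration Editor. The following is an added example, not SquaredUp's own tooling or documentation: it uses the IIS WebAdministration module against the same windowsAuthentication section, assumes the site is 'Default Web Site' and the application is 'SquaredUpv5' (adjust both to your bindings), and additionally reports the provider order because only a Kerberos (Negotiate) ticket can be delegated in the double-hop; an application that offers NTLM first will authenticate the user but fail at the SCOM hop.

```powershell
# Added example, not part of the SquaredUp documentation or product: read and set the
# windowsAuthentication attributes for the Dashboard Server application with the IIS
# WebAdministration module instead of the Configuration Editor UI.
# Assumptions: the site is 'Default Web Site' and the application is 'SquaredUpv5'.
Import-Module WebAdministration

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$WinAuth = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WinAuthAttribute {
    param([string]$Location, [string]$Name)
    # Get-WebConfigurationProperty returns a ConfigurationAttribute; .Value is the typed value
    (Get-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $WinAuth -Name $Name).Value
}

function Get-DashboardWinAuth {
    param([string]$Site = 'Default Web Site', [string]$App = 'SquaredUpv5')
    $loc = "$Site/$App"
    # The providers collection decides whether Negotiate (Kerberos) or NTLM is offered first.
    # This goes beyond the page, but only a Kerberos ticket can be delegated to SCOM.
    $providers = @(Get-WebConfiguration -PSPath $AppHost -Location $loc -Filter "$WinAuth/providers/add" |
        ForEach-Object { $_.value })
    [pscustomobject]@{
        Location              = $loc
        Enabled               = Get-WinAuthAttribute $loc 'enabled'
        UseKernelMode         = Get-WinAuthAttribute $loc 'useKernelMode'
        UseAppPoolCredentials = Get-WinAuthAttribute $loc 'useAppPoolCredentials'
        Providers             = $providers -join ', '
        NegotiateFirst        = ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate')
    }
}

function Set-DashboardWinAuth {
    param([string]$Site = 'Default Web Site', [string]$App = 'SquaredUpv5')
    $loc = "$Site/$App"
    # Both attributes must be True for the application pool identity's Kerberos identity to be used
    foreach ($name in 'useKernelMode', 'useAppPoolCredentials') {
        Set-WebConfigurationProperty -PSPath $AppHost -Location $loc -Filter $WinAuth -Name $name -Value $true
    }
    Get-DashboardWinAuth -Site $Site -App $App
}

# Run in an elevated PowerShell on the SquaredUp server; review the current state first, then apply
Get-DashboardWinAuth
# Set-DashboardWinAuth
```

Expected after applying: Enabled, UseKernelMode and UseAppPoolCredentials all True and NegotiateFirst True. Setting the attributes recycles the application, so, as with the configuration script, logged-on users are disconnected.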
Configure Kerberos constrained delegation.
You need to allow the Dashboard Server application to use the end user's identity when connecting to SCOM. This sending of credentials (from Client PC to SquaredUp server to SCOM server) is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.
The following steps require changes to the Active Directory account used by the Dashboard Server application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by Dashboard Server before proceeding. See How to check and modify the application pool identity.
If you have configured a custom application pool identity (i.e. a domain service account) then you must add the necessary SPNs.
How to verify and configure Service Principal Names (SPNs)
Think of SPNs as pseudo-accounts that represent a service endpoint, such as the Dashboard Server website. They allow Kerberos to authenticate between a real end user and a service. SPNs must be created for each address the user connects to, and must be associated with the actual account used by the service; in our case this is the Dashboard Server application pool identity. For more information on SPNs and how they work see here.
We can create the required SPNs by running commands from a command prompt on the domain controller; the domain account used must have SCOM admin permissions.
The HTTP service class that we use here for SPNs differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class.
- On a domain controller, click on the Start button and type:
command prompt
- Right-click on the Command Prompt icon and click Run as administrator.
- Type the following to set the SPN for the server fully qualified domain name (FQDN):
SETSPN -S HTTP/webserver1.domain.tld domain\SquaredUpAccount
Where:
webserver1 should be replaced by the name of the server where Dashboard Server is installed,
domain by your domain name,
tld is the top level domain, and
SquaredUpAccount should be replaced by the Dashboard Server application pool identity.
If the Dashboard Server application pool is configured to use NetworkService, then the SquaredUpAccount is the computer account for the web server. For example, if Dashboard Server is running on server webserver1.domain.local then use domain\webserver1.
If you have configured Dashboard Server to use a domain service account then this account should be used. For example, if your domain service account is domain\svc-squaredup then use domain\svc-squaredup.
If you are unsure which account Dashboard Server is configured to use, check the Dashboard Server application pool configuration (see How to check and modify the application pool identity).
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs.
- Next type the following to set the SPN for the server short address:
setspn -S HTTP/webserver1 domain\SquaredUpAccount
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs.
If you have another address that you use to browse to Dashboard Server, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN).
How to create further SPNs
If you have another address you use to access Dashboard Server, for example a DNS alias or alternative binding, you should create two additional SPNs for this address: the shorter address and the fully qualified domain name (FQDN).
- On a domain controller click on the Start button and type:
Command Prompt
- Right-click on the Command Prompt icon and click Run as administrator.
- Type:
SETSPN -S HTTP/Hostname domain\SquaredUpAccount
Where:
Hostname is the address you specified in DNS Manager,
domain is your domain, and
SquaredUpAccount is the domain service account that you set as the Dashboard Server application pool identity.
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
- Once complete, type the following for the fully qualified domain name (FQDN):
SETSPN -S HTTP/Hostname.domain.tld domain\SquaredUpAccount
Where tld is the top level domain.
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
For more information see Troubleshooting Kerberos.
The next step is to enable the Dashboard Server application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.
How to configure Kerberos constrained delegation in Active Directory Users and Computers
To configure Kerberos constrained delegation in the Active Directory:
- On a domain controller, open Active Directory Users and Computers.
- If the Dashboard Server application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example domain\webserver1. If you have configured Dashboard Server to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup. (See How to check and modify the application pool identity.)
- Right-click and select Properties.
- Click on the Delegation tab.
If the Delegation tab is not visible, first check that you are looking at the correct user or computer account, then check that the SPN has been set correctly for this user or computer as described above.
- Check Trust this user/computer for delegation to specified services only. (We could also set Trust this user/computer for delegation to any service, but this is less secure than defining a list of specified services.)
- Click Add, then Users or Computers.
- If the System Center Data Access Service is running as Local System, locate the SCOM server. If the System Center Data Access Service is running as a service account locate that service account. See Checking the System Center Data Access Service run as account.
- From the list of available services click on MSOMSdkSvc.
If the MSOMSdkSvc service is not available, first check that you are looking at the correct user or computer account, then check that the SCOM SPNs are correct, see Troubleshooting Kerberos.
- Click OK, and then Apply.
How to configure delegation using the Attribute Editor tab when using a group Managed Service Account (gMSA)
These steps describe how to use the Attribute Editor tab in Active Directory Users and Computers to configure the delegation stage of Windows Authentication. This can be useful when using gMSA accounts for either the SquaredUp application pool account or the SCOM DAS account:
- When using a group Managed Service Account (gMSA) for the SCOM Data Access Server Run As account you can't search for a gMSA when carrying out delegation, even though you're looking at the Delegate tab on the SquaredUp app pool identity.
- When using a group Managed Service Account (gMSA) for the SquaredUp application pool identity the Delegate tab is not shown when looking at the properties of the gMSA that is the SquaredUp app pool identity.
Both these circumstances mean you need the procedure below to configure delegation.
SCOM 2019 UR1 and later support group managed service accounts (gMSA); see Microsoft: Operations Manager 2019 UR1 Support for group managed service accounts and The Monitoring Guys: Implementing gMSA in SCOM 2019 UR1.
The Attribute Editor allows another way to configure Kerberos delegation when it can't be done from the Delegation tab.
- In Active Directory Users and Computers on a domain controller, go to View and click on Advanced features. This enables Advanced features and makes the Attribute Editor tab visible.
- In Active Directory Users and Computers browse to the SquaredUp server or app pool account as normal, depending on whether the app pool account is Network Service or a user account.
- Instead of going to the Delegation tab, as you normally would, click on the Attribute Editor tab which is now visible.
- Scroll down and click on the msDS-AllowedToDelegateTo attribute.
- Click Edit.
- Add two values, as in the screenshot, to match the SPNs you have configured, with the short and fully qualified domain name (FQDN) of your SCOM server.
- Reboot the SquaredUp server for the changes to take effect.
If the SPNs have already been correctly configured to use the gMSA then single sign-on should work. If it doesn't work then you'll need to check the SPNs are configured correctly. The best way to do this is by running the Kerberos script; see Troubleshooting Kerberos.
Restart the SquaredUp server.
We strongly recommend restarting the SquaredUp server to clear any cached Active Directory account information.
Your browser, and other users' browsers, must be configured to use automatic logon for all your Dashboard Server URLs. The steps below describe how to configure the browser on each client (not on the server). You can test this in your own client's browser, then your organization should apply the settings to all users' browsers, perhaps using Group Policy.
Internet Explorer
Add the fully qualified domain name (FQDN) of all SquaredUp servers, e.g. webserver1.domain.local (and the load balanced address if using one), to the list of local intranet sites, and select automatic logon, as described below. These two settings prevent the browser logon box from popping up, and allow the Windows authentication logon to be used for Dashboard Server.
Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.
- Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced
- Enter the fully qualified domain name (FQDN) for your SquaredUp server(s), and click Add, then Close, then OK.
When using multiple load balanced servers you must add the FQDN of each server, and also the load balanced address.
- Click on Local intranet and then Custom level
- Scroll to the bottom of the settings and verify that either of the following settings is enabled:
Automatic logon with current user name and password
Automatic logon only in Intranet zone
- Click OK, then Yes, then OK.
- Add the sites to the local intranet sites on ALL clients. (For example using Group Policy, see Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)).
Chrome
By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps for Internet Explorer.
In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.
For more details, see The Chromium Projects - HTTP authentication.
Firefox
Firefox requires explicit configuration to enable Windows authentication.
- Type about:config in the location bar.
- Type network.negotiate-auth.trusted-uris in the search box. Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN), separated by a comma and a space. Do not include the http:// or https:// prefix.
When using multiple load balanced servers you should add the FQDN of each server, and also the load balanced address.
- Click OK.
- Repeat these steps for the network.negotiate-auth.delegation-uris setting.
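The Internet Explorer zone assignment and automatic logon setting above (which Chrome reads as well) live in the registry, so a client can be checked before the Group Policy rollout and when a user reports a credential prompt. The following PowerShell is an added example, not SquaredUp's own tooling; the host names are constructed placeholders, and it relies on the standard Internet Settings layout (ZoneMap\Domains for site-to-zone assignments, zone 1 = Local intranet, value 1A00 = logon behaviour). It serves the browser configuration section here and the identical one earlier on this page.

```powershell
# Added example, not part of the SquaredUp documentation: check on a client PC whether a
# Dashboard Server address is in the Local intranet zone and whether that zone allows automatic
# logon. Host names below are constructed placeholders; replace them with your own.

# Site-to-zone assignments: the per-user entries plus the two hives Group Policy writes to
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-IntranetZoneEntry {
    param([Parameter(Mandatory)][string]$Address)
    # 'webserver1.domain.local' is stored as Domains\domain.local\webserver1 with a DWORD named
    # after the scheme ('http', 'https' or '*') whose data is the zone id (1 = Local intranet).
    # A wildcard entry for the whole domain is stored at Domains\domain.local itself.
    $labels = $Address.Split('.')
    $candidates = if ($labels.Count -ge 2) {
        $domain = $labels[1..($labels.Count - 1)] -join '.'
        @("$domain\$($labels[0])", $domain)
    } else { @($Address) }
    foreach ($root in $ZoneMapRoots) {
        foreach ($rel in $candidates) {
            $key = Join-Path $root $rel
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($scheme in 'http', 'https', '*') {
                $p = $props.PSObject.Properties[$scheme]
                if ($p -and $p.Value -eq 1) {
                    return [pscustomobject]@{ Address = $Address; Scheme = $scheme; Key = $key }
                }
            }
        }
    }
    return $null
}

function Get-IntranetLogonSetting {
    # Value 1A00 under Zones\1 (Local intranet): 0x0 = automatic logon with current user name and
    # password, 0x10000 = prompt, 0x20000 = automatic logon only in Intranet zone, 0x30000 = anonymous.
    # The page accepts either 0x0 or 0x20000. A policy value takes precedence over the user value.
    $keys = @(
        'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1',
        'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $p = (Get-ItemProperty -Path $key).PSObject.Properties['1A00']
        if ($p) {
            return [pscustomobject]@{
                Key            = $key
                Value          = '0x{0:X}' -f $p.Value
                AutomaticLogon = ($p.Value -eq 0 -or $p.Value -eq 0x20000)
            }
        }
    }
    return $null
}

function Test-ClientBrowserConfig {
    param([string[]]$Address)
    foreach ($a in $Address) {
        $entry = Get-IntranetZoneEntry -Address $a
        [pscustomobject]@{
            Address       = $a
            LocalIntranet = [bool]$entry
            Source        = if ($entry) { $entry.Key } else { '(no ZoneMap entry found)' }
        }
    }
    Get-IntranetLogonSetting
}

# Constructed addresses: each server short name and FQDN, plus the load balanced address if used
Test-ClientBrowserConfig -Address 'webserver1', 'webserver1.domain.local', 'lb-ha.domain.local'
```

Run it in the user's own session (the HKCU entries are per user). Every address users browse to should report LocalIntranet = True, and the logon setting should report AutomaticLogon = True; an address without an entry is the usual cause of the logon box the page describes.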
Verify the configuration.
How to verify the configuration
Check that Dashboard Server is now accessible:
- Log on to a client machine as a SCOM user, using a different user account to that with which you are logged on to the Dashboard Server server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if it is misconfigured).
- Browse to Dashboard Server. Check the server's short address and the fully qualified domain name (FQDN):
http://SquaredUpServer/SquaredUpv5 and http://SquaredUpServer.domain.tld/SquaredUpv5
If you are using multiple servers, check the short and FQDN names for all servers, and also the load balanced address.
- If Dashboard Server opens, check that graphs are shown. If they are not, check the Data Warehouse connection (see Troubleshooting the Data Warehouse connection).
Please contact SquaredUp Support if you experience any problems and reply to the automatic response with the output of the Dashboard Server Diagnostics (see Collecting diagnostic information) and, if possible, a screenshot of the problem.
How to enable Windows authentication when Dashboard Server is installed on multiple load balanced servers
Choose this option if Dashboard Server is deployed on two or more load balanced, dedicated servers and not installed on SCOM management servers.
The diagram above shows two SquaredUp servers, a Primary and a Secondary server, with a load balancer in front of them.
Dashboard Server accesses SCOM using the end user's credentials. When Windows authentication is being used and Dashboard Server is deployed on a dedicated server, the end user first authenticates with the SquaredUp server, and then the SquaredUp server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a 'double-hop' and requires Kerberos delegation to be enabled.
Kerberos delegation is notoriously difficult to configure. It requires Kerberos authentication to be correctly functioning between client, web server and management server, and for configuration such as Service Principal Names (SPNs) to be configured correctly. For more information on Kerberos and how it operates, see here.
Make sure Dashboard Server has been installed and the initial configuration wizard (licensing etc) has been completed.
Make sure High availability (HA) has been configured (see Enabling High Availability).
Make sure the load balancer has been configured.
Configure Dashboard Server to use a domain service account.
When load balancing between SquaredUp servers, the Dashboard Server application pool identity must be set to a domain service account, rather than the default of Network Service. Follow the article How to check and modify the application pool identity to change the application pool identity from Network Service to a domain service account on each server.
Enable Windows authentication using the Dashboard Server configuration script.
How to enable Windows authentication using the Dashboard Server configuration script
Modifying the configuration causes the web application to restart and all users will be logged off.
- On the SquaredUp server click on the Start button and type:
command prompt
- Change directory to the instance for which you wish to change authentication, by typing the correct path, for example:
cd c:\inetpub\wwwroot\SquaredUpv5\
or
cd c:\inetpub\wwwroot\SquaredUpv4\
depending on your version of Dashboard Server.
- Type the following to enable Windows authentication, depending on your version of Dashboard Server:
squaredup5 windows
or
squaredup4 windows
Configure Kerberos constrained delegation.
You need to allow the Dashboard Server application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.
The following steps require changes to the Active Directory account used by the Dashboard Server application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by Dashboard Server before proceeding. See How to check and modify the application pool identity.
You need to create SPNs for the individual servers and for the load balanced address, for example lb-ha.
How to create SPNs
Think of SPNs as pseudo-accounts that represent a service endpoint, such as the Dashboard Server website. They allow Kerberos to authenticate between a real end user and a service. SPNs must be created for each address the user connects to, and must be associated with the actual account used by the service; in our case this is the Dashboard Server application pool identity. For more information on SPNs and how they work see here.
We can create the required SPNs by running commands from a command prompt on the domain controller; the domain account used must have SCOM admin permissions.
The HTTP service class that we use here for SPNs differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class.
- On a domain controller, click on the Start button and type:
command prompt
- Right-click on the Command Prompt icon and click Run as administrator.
- Type the following to set the SPN for each individual server's fully qualified domain name (FQDN):
SETSPN -S HTTP/webserver1.domain.tld domain\SquaredUpAccount
Where:
webserver1 should be replaced by the name of the server where Dashboard Server is installed,
domain by your domain name,
tld is the top level domain, and
SquaredUpAccount is the domain service account that you set as the Dashboard Server application pool identity.
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
- Next type the following to set the SPN for each individual server's short address:
SETSPN -S HTTP/webserver1 domain\SquaredUpAccount
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
- Repeat the above steps for all other SquaredUp servers.
Next, we'll create the SPNs for the load balanced address.
- Type the following to set the SPN for the load balancer fully qualified domain name (FQDN):
SETSPN -S HTTP/LoadBalancedAddress.domain.tld domain\SquaredUpAccount
Where:
LoadBalancedAddress is the address you specified in DNS Manager,
domain is your domain name,
tld is the top level domain, and
SquaredUpAccount is the domain service account that you set as the Dashboard Server application pool identity (see How to check and modify the application pool identity).
For example:
SETSPN -S HTTP/lb-ha.squpinternal.net squpinternal\CALBAppPool
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
- Next type the following to set the SPN for the load balancer short address:
SETSPN -S HTTP/LoadBalancedAddress domain\SquaredUpAccount
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
- To check the SPNs are configured correctly type:
SETSPN -L SquaredUpAccount
You should see at least 6 SPNs: two that we have just set for the load balanced address, two for the Primary SquaredUp server and two for the Secondary SquaredUp server (and two for each other SquaredUp server).
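The SETSPN -L check above is easy to misread once several servers and aliases are involved, and SETSPN -L only shows SPNs on the one account, so a stray copy of the same SPN on another account (the cause of the Duplicate SPN found message) is invisible to it. The following PowerShell is an added example, not SquaredUp's own tooling: it computes the short-name and FQDN SPN pair for every address users browse to, compares that list with the account's registered SPNs, and queries the forest with SETSPN -Q for the owner of each one. It is read-only and serves both this load-balanced procedure and the single dedicated server SPN procedure earlier on the page; all names are constructed placeholders.

```powershell
# Added example, not SquaredUp tooling: build the list of HTTP SPNs the procedures above expect
# (short name and FQDN for every address users browse to) and compare it with what setspn -L
# reports for the application pool account. Read-only; run on a domain-joined machine with the
# AD tools (setspn.exe) installed. Names below are constructed placeholders.

function Get-ExpectedHttpSpn {
    param(
        [Parameter(Mandatory)][string[]]$HostName,   # server short names, load balanced address, DNS aliases
        [Parameter(Mandatory)][string]$DnsDomain     # e.g. domain.tld
    )
    foreach ($h in $HostName) {
        "HTTP/$h"
        "HTTP/$h.$DnsDomain"
    }
}

function Get-RegisteredSpn {
    # $Account is domain\SquaredUpAccount; for Network Service use the computer account, e.g. 'domain\webserver1$'
    param([Parameter(Mandatory)][string]$Account)
    # setspn -L prints a header line, then one SPN per indented line
    $out = & setspn.exe -L $Account 2>&1
    @($out | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^[A-Za-z0-9]+/' })
}

function Get-SpnOwner {
    # setspn -Q searches the whole forest, so it also reveals a copy registered on another account,
    # which is what makes setspn -S abort with 'Duplicate SPN found'.
    param([Parameter(Mandatory)][string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    @($out | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^CN=' })
}

function Test-DashboardServerSpn {
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [Parameter(Mandatory)][string]$DnsDomain,
        [Parameter(Mandatory)][string]$Account
    )
    $expected   = @(Get-ExpectedHttpSpn -HostName $HostName -DnsDomain $DnsDomain)
    $registered = Get-RegisteredSpn -Account $Account
    foreach ($spn in $expected) {
        $owners = Get-SpnOwner -Spn $spn
        [pscustomobject]@{
            Spn        = $spn
            OnAccount  = ($registered -contains $spn)   # -contains compares case-insensitively
            OwnerCount = $owners.Count                  # 0 = missing, 1 = good, 2 or more = duplicate SPN
            Owners     = $owners -join '; '
        }
    }
}

# Two load balanced servers plus the load balanced address should yield 6 SPNs, all OnAccount = True
Test-DashboardServerSpn -HostName 'webserver1', 'webserver2', 'lb-ha' -DnsDomain 'domain.tld' `
    -Account 'domain\SquaredUpAccount' | Format-Table -AutoSize
```

Any row with OnAccount = False is an SPN still to be created with SETSPN -S as described above; any row with OwnerCount of 2 or more, or with a single owner that is not the application pool account, is the duplicate case covered by Troubleshooting Duplicate SPNs.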
If you have another address that you use to browse to Dashboard Server, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN).
How to create further SPNs
If you have another address you use to access Dashboard Server, for example a DNS alias or alternative binding, you should create two additional SPNs for this address: the shorter address and the fully qualified domain name (FQDN).
- On a domain controller click on the Start button and type:
Command Prompt
- Right-click on the Command Prompt icon and click Run as administrator.
- Type:
SETSPN -S HTTP/Hostname domain\SquaredUpAccount
Where:
Hostname is the address you specified in DNS Manager,
domain is your domain, and
SquaredUpAccount is the domain service account that you set as the Dashboard Server application pool identity.
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
- Once complete, type the following for the fully qualified domain name (FQDN):
SETSPN -S HTTP/Hostname.domain.tld domain\SquaredUpAccount
Where tld is the top level domain.
- Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
For more information see Troubleshooting Kerberos.
The next step is to enable the Dashboard Server application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.
How to configure Kerberos constrained delegation in Active Directory Users and Computers
To configure Kerberos constrained delegation:
- On a domain controller, open Active Directory Users and Computers.
- As you have configured Dashboard Server to use a domain service account, navigate to this domain service account. For example, domain\svc-squaredup. See How to check and modify the application pool identity.
When load balancing between SquaredUp servers, the Dashboard Server application pool identity must be set to a domain service account, rather than the default of Network Service. Follow the article How to check and modify the application pool identity to change the application pool identity from Network Service to a domain service account on each server.
- Right-click and select Properties.
- Click on the Delegation tab.
If the Delegation tab is not visible, first check that you are looking at the correct user or computer account, then check that the SPN has been set correctly for this user or computer as described above.
- Check Trust this user/computer for delegation to specified services only. (We could also set Trust this user/computer for delegation to any service, but this is less secure than defining a list of specified services.)
- Click Add, then Users or Computers.
- If the System Center Data Access Service is running as Local System, locate the SCOM server. If the System Center Data Access Service is running as a service account locate that service account. See Checking the System Center Data Access Service run as account.
- From the list of available services click on MSOMSdkSvc.
If the MSOMSdkSvc service is not available, first check that you are looking at the correct user or computer account, then check that the SCOM SPNs are correct, see Troubleshooting Kerberos.
- Click OK, and then Apply.
How to configure delegation using the Attribute Editor tab when using a group Managed Service Account (gMSA)
These steps describe how to use the Attribute Editor tab in Active Directory Users and Computers to configure the delegation stage of Windows authentication. This is needed when using gMSA accounts for either the SquaredUp application pool account or the SCOM DAS account:
When using a group Managed Service Account (gMSA) for the SCOM Data Access Service Run As account, you can't search for a gMSA when adding services on the Delegation tab of the SquaredUp app pool identity.
When using a group Managed Service Account (gMSA) for the SquaredUp application pool identity, the Delegation tab is not shown when looking at the properties of that gMSA.
Both these circumstances mean you need the procedure below to configure delegation.
SCOM 2019 UR1 and later supports group managed service accounts (gMSA) see Microsoft: Operations Manager 2019 UR1 Support for group managed service accounts and The Monitoring Guys: Implementing gMSA in SCOM 2019 UR1
The Attribute Editor allows another way to configure Kerberos delegation when it can't be done from the Delegation tab.
In Active Directory Users and Computers on a domain controller go to View and click on Advanced Features. This enables Advanced Features and makes the Attribute Editor tab visible.
In Active Directory Users and Computers browse to the object that runs the application pool as normal: the SquaredUp server's computer account if the app pool runs as Network Service, the user account if it runs as a domain service account, or the gMSA (under Managed Service Accounts) if it runs as a gMSA.
Instead of going to the Delegation tab, as you normally would, click on the Attribute Editor tab which is now visible.
Scroll down and click on the msDS-AllowedToDelegateTo attribute.
Click Edit.
Add two values to match the SPNs you have configured, one with the short name and one with the fully qualified domain name (FQDN) of your SCOM server, for example MSOMSdkSvc/scomserver and MSOMSdkSvc/scomserver.domain.tld. These are the same entries the Delegation tab would add; populating only this attribute corresponds to "delegation to specified services only" using Kerberos only.
Reboot the SquaredUp server for the changes to take effect.
If the SPNs have already been correctly configured to use the gMSA then single sign-on should work. If it doesn't work then you'll need to check the SPNs are configured correctly. The best way to do this is by running the Kerberos script, see Troubleshooting Kerberos.
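The following PowerShell script is an added example, not part of the SquaredUp documentation or product. It does what both delegation procedures above do through the GUI: it writes the two MSOMSdkSvc entries into msDS-AllowedToDelegateTo on the application pool identity. Because it resolves the identity to its distinguished name and uses Set-ADObject, the same script works whether the app pool runs as a domain user, a gMSA (the case the Delegation tab cannot handle) or the computer account for Network Service. It also checks the two preconditions the page mentions: that the app pool account already owns an SPN, and that some account actually owns each MSOMSdkSvc SPN. It requires the RSAT ActiveDirectory module; svc-squaredup, scom01 and corp.example are assumed placeholders.

```powershell
# Added example (not SquaredUp's code). Configures Kerberos constrained delegation from the
# Dashboard Server app pool identity to the SCOM Data Access Service (SPN prefix MSOMSdkSvc).
# Requires the RSAT ActiveDirectory module. All values below are assumed placeholders.
$AppPoolIdentity = 'svc-squaredup'          # assumed; 'gmsa-squaredup$' for a gMSA, 'WEBSERVER1$' for Network Service
$ScomServer      = 'scom01'                 # assumed: short name of the SCOM management server
$ScomServerFqdn  = 'scom01.corp.example'    # assumed: its FQDN

# Only these two services: equivalent to "Trust this user/computer for delegation to
# specified services only" with "Use Kerberos only". Unconstrained delegation is never set.
$targets = @("MSOMSdkSvc/$ScomServer", "MSOMSdkSvc/$ScomServerFqdn")

# Resolve the identity whatever its object class (user, msDS-GroupManagedServiceAccount, computer).
$obj = Get-ADObject -LDAPFilter "(sAMAccountName=$AppPoolIdentity)" `
        -Properties 'msDS-AllowedToDelegateTo', 'servicePrincipalName'
if (-not $obj) { throw "Account $AppPoolIdentity not found in Active Directory" }

# Precondition 1: delegation is meaningless until the HTTP/ SPNs are registered on this account
# (this is also why the Delegation tab is missing on a user with no SPNs).
if (-not $obj.servicePrincipalName) {
    Write-Warning "$AppPoolIdentity owns no SPNs; register HTTP/<name> and HTTP/<fqdn> first."
}

# Precondition 2: each target SPN must be owned by the DAS account (the SCOM server's computer
# account when the DAS runs as Local System, otherwise its service account or gMSA).
foreach ($t in $targets) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$t)"
    if (-not $owner) {
        Write-Warning "No account owns SPN $t; check the SCOM SPNs (see Troubleshooting Kerberos)."
    } else {
        Write-Host "$t is owned by $($owner.Name) ($($owner.ObjectClass))"
    }
}

# Add only the entries that are not already present, so re-running is harmless.
$current = @($obj.'msDS-AllowedToDelegateTo')
$toAdd   = $targets | Where-Object { $current -notcontains $_ }
if ($toAdd) {
    Set-ADObject -Identity $obj.DistinguishedName -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$toAdd }
    Write-Host "Added: $($toAdd -join ', ')"
} else {
    Write-Host 'msDS-AllowedToDelegateTo already contains both MSOMSdkSvc entries.'
}

# Read back the result. Restart the SquaredUp server(s) afterwards so cached tokens are dropped.
(Get-ADObject -Identity $obj.DistinguishedName -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

Writing msDS-AllowedToDelegateTo directly is exactly what the Attribute Editor steps do; the script adds the ownership checks because a missing or duplicated MSOMSdkSvc SPN is the usual reason the service does not appear in the Delegation tab's list.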
Restart the SquaredUp servers.
We strongly recommend restarting the SquaredUp servers to clear any cached account information.
Your browser, and other users' browsers, must be configured to use automatic logon for all your Dashboard Server URLs. The steps below describe how to configure the browser on each client (not on the server). You can test this in your own client's browser, then your organization should apply the settings to all users' browsers, perhaps using Group Policy.
Internet Explorer
Add the fully qualified domain name (FQDN) of all SquaredUp servers, e.g. webserver1.domain.local (and the load balanced address if using one), to the list of Local intranet sites, and select automatic logon, as described below. These two settings prevent the browser logon box from popping up, and allow the Windows authentication logon to be used for Dashboard Server.
Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.
Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced
Enter the fully qualified domain name (FQDN) for your SquaredUp server(s), and click Add, then Close, then OK.
When using multiple load balanced servers you must add the FQDN of each server, and also the load balanced address.
Click on Local intranet and then Custom level
Scroll to the bottom of the settings and verify that one of the following settings is selected under User Authentication > Logon:
Automatic logon with current user name and password
Automatic logon only in Intranet zone
Click OK, then Yes, then OK.
Add the sites to the local intranet sites on ALL clients. (For example using Group Policy, see Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)).
Chrome
By default, Chrome uses the Internet Explorer Local intranet sites configuration. Follow the steps for Internet Explorer.
In addition, Chrome only delegates the Kerberos ticket to servers it has been explicitly configured (by policy) to trust, so delegation must be explicitly enabled for the Dashboard Server addresses.
For more details, see The Chromium Projects - HTTP authentication.
Firefox
Firefox requires explicit configuration to enable Windows authentication.
- Type about:config in the location bar.
- Type network.negotiate-auth.trusted-uris in the search box. Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN), separated by a comma and a space. Do not include the http:// or https://.
When using multiple load balanced servers you should add the FQDN of each server, and also the load balanced address.
- Click OK.
- Repeat these steps for the network.negotiate-auth.delegation-uris setting.
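The following PowerShell script is an added example, not part of the SquaredUp documentation or product. It applies the three browser configurations above without clicking through each UI, which is what you would deploy to every client (for example as a Group Policy logon script): the Internet Explorer zone mapping and Logon setting are the registry values behind the Internet Options dialog, the Chrome delegation list is Chrome's AuthNegotiateDelegateAllowlist policy, and the two Firefox preferences are set through Firefox's enterprise policies.json (Authentication.SPNEGO and Authentication.Delegated). corp.example, webserver1, webserver2 and squaredup are assumed placeholders. Run it on a client, not on the server; the Chrome and Firefox parts write to machine locations and need an elevated session.

```powershell
# Added example (not SquaredUp's code). Pushes the browser settings described above by
# writing the registry values and policy file that the UI steps change. Run on a client.
# All names below are assumed placeholders.
$DnsDomain = 'corp.example'                             # assumed
$Hosts     = @('webserver1', 'webserver2', 'squaredup') # assumed: every server, plus the load balanced name
$fqdns     = $Hosts | ForEach-Object { "$($_).$DnsDomain" }

# --- Internet Explorer (and Chrome, which reads the same zone settings) ---
# Internet Options > Security > Local intranet > Sites > Advanced writes
# ZoneMap\Domains\<dns domain>\<host> with a DWORD named after the scheme; 1 = Local intranet.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
foreach ($h in $Hosts) {
    $key = Join-Path (Join-Path $zoneMap $DnsDomain) $h
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'http'  -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
}
# Custom level > User Authentication > Logon is value 1A00 of zone 1 (Local intranet):
#   0x00000 = Automatic logon with current user name and password
#   0x10000 = Automatic logon only in Intranet zone   (the default; either value works)
#   0x20000 = Prompt for user name and password       (this is what breaks single sign-on)
$zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
New-ItemProperty -Path $zone1 -Name '1A00' -PropertyType DWord -Value 0x10000 -Force | Out-Null

# --- Chrome: Kerberos delegation is only allowed to servers on this comma-separated policy list ---
$chrome = 'HKLM:\Software\Policies\Google\Chrome'
New-Item -Path $chrome -Force | Out-Null
New-ItemProperty -Path $chrome -Name 'AuthNegotiateDelegateAllowlist' -PropertyType String `
    -Value (($Hosts + $fqdns) -join ',') -Force | Out-Null

# --- Firefox: the two about:config prefs, delivered through the enterprise policies file ---
# SPNEGO    -> network.negotiate-auth.trusted-uris
# Delegated -> network.negotiate-auth.delegation-uris
$policies = @{
    policies = @{
        Authentication = @{
            SPNEGO    = @($Hosts + $fqdns)
            Delegated = @($Hosts + $fqdns)
        }
    }
}
$ffInstall = Join-Path ${env:ProgramFiles} 'Mozilla Firefox'
if (Test-Path $ffInstall) {
    $ffDir = Join-Path $ffInstall 'distribution'
    New-Item -Path $ffDir -ItemType Directory -Force | Out-Null
    $policies | ConvertTo-Json -Depth 5 | Set-Content -Path (Join-Path $ffDir 'policies.json') -Encoding UTF8
}
```

The Internet Explorer part writes the per-user keys that the dialog itself uses; if you distribute the list with the Group Policy "Site to Zone Assignment List" setting instead, that policy takes precedence and the manually added sites are ignored, so choose one mechanism. The delegation lists deliberately contain only the Dashboard Server names: a browser that delegates to any server would hand its Kerberos ticket to whatever host an attacker could get the user to visit.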
Verify the configuration.
How to verify the configuration
Check that Dashboard Server is now accessible:
- Log on to a client machine as a SCOM user, using a different user account to that with which you are logged on to the Dashboard Server server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if it is misconfigured.)
Browse to Dashboard Server. Check the server's short address and the fully qualified domain name (FQDN):
http://SquaredUpServer/SquaredUpv5 and http://SquaredUpServer.domain.tld/SquaredUpv5
If you are using multiple servers, check the short and FQDN names for all servers, and also the load balanced address.
- If Dashboard Server opens, check that graphs are shown. If they are not, check the Data Warehouse connection (see Troubleshooting the Data Warehouse connection).
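The following PowerShell script is an added example, not part of the SquaredUp documentation or product. It scripts the access check above from the client: for each Dashboard Server URL it sends a request with the logged-on user's Windows credentials (the equivalent of the browser's automatic logon), treats any 401 or redirect to a logon page as a failure, and then inspects the Kerberos ticket cache with klist to show whether the KDC actually issued a ticket for the HTTP SPN, which is the quickest way to tell an SPN problem from a delegation problem. The URLs are assumed placeholders; run it logged on as a SCOM user who is not the account used to log on to the server.

```powershell
# Added example (not SquaredUp's code). Run on a client, logged on as a SCOM user that is
# NOT the account used to log on to the Dashboard Server server. URLs are assumed placeholders.
$Urls = @(
    'http://webserver1/SquaredUpv5',
    'http://webserver1.corp.example/SquaredUpv5',
    'http://squaredup.corp.example/SquaredUpv5'    # load balanced address, if any
)

Write-Host "Testing as $env:USERDOMAIN\$env:USERNAME"
foreach ($url in $Urls) {
    try {
        # -UseDefaultCredentials answers the Negotiate challenge with the logged-on user's
        # Kerberos ticket. -MaximumRedirection 0 makes a redirect (e.g. to a Forms logon page,
        # meaning Windows authentication is not in effect) surface as an error instead of a 200.
        $r = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing `
                               -MaximumRedirection 0 -ErrorAction Stop
        Write-Host ("{0,-50} HTTP {1}" -f $url, $r.StatusCode)
    } catch {
        $code   = $_.Exception.Response.StatusCode.value__
        $detail = if ($code) { "HTTP $code" } else { $_.Exception.Message }
        Write-Warning ("{0,-50} failed: {1}" -f $url, $detail)
        # 401 here means the server rejected or never received a Kerberos ticket: check the
        # browser/zone settings on the client and the HTTP/ SPNs on the app pool account.
    }
}

# A cached service ticket for HTTP/<name> proves the KDC resolved that SPN to an account.
# No ticket for a name you just browsed usually means the SPN is missing or duplicated;
# a ticket that is present while the page still fails points at delegation (SCOM hop) instead.
$tickets = klist | Select-String -Pattern '^\s*Server:\s*HTTP/'
if ($tickets) {
    Write-Host 'HTTP service tickets in the cache:'
    $tickets | ForEach-Object { Write-Host "  $($_.Line.Trim())" }
} else {
    Write-Warning 'No HTTP/ service tickets in the cache; check the SPNs (see Troubleshooting Kerberos).'
}
```

If every URL returns 200 but the dashboards show no graphs, the first hop (client to Dashboard Server) is working and the problem is the second hop to SCOM, so continue with the Data Warehouse and delegation checks rather than the browser settings.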
Please contact SquaredUp Support if you experience any problems and reply to the automatic response with the output of the Dashboard Server Diagnostics (see Collecting diagnostic information) and, if possible, a screenshot of the problem.
How to enable Forms authentication
Forms authentication is enabled by default when Dashboard Server is installed. If you have previously configured Windows authentication and would like to switch back to Forms authentication, follow the instructions below.
Modifying the configuration causes the web application to restart and all users will be logged off.
Open a command prompt (cmd.exe) on the SquaredUp web server.
Navigate to the instance for which you wish to change authentication. By default for Dashboard Server v5 this is:
cd c:\inetpub\wwwroot\SquaredUpv5\
For Dashboard Server v4 the default location is
cd c:\inetpub\wwwroot\SquaredUpv4\
Then run
squaredup5 forms
For Dashboard Server v4 use:
squaredup4 forms
If you have previously configured SPNs or Kerberos constrained delegation settings in Active Directory, these can be reverted after switching to Forms authentication.