Users unable to log on when Kerberos constrained delegation is configured
If users are being presented with the Dashboard Server logon screen, see Troubleshooting users being unable to log on.
When users attempt to log on to Dashboard Server they receive a browser-based login prompt.
The following error is logged in the Dashboard Server log file (see Where to find log files):
[ERR] SCOM connectivity error: unauthorized System.UnauthorizedAccessException: The user does not have sufficient permission to perform the operation.
Dashboard Server accesses SCOM using the end user's credentials. When Windows authentication is being used and Dashboard Server is deployed on a dedicated server (not a SCOM server), the end user first authenticates with the SquaredUp server, and then the SquaredUp server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a 'double-hop' and requires Kerberos delegation to be configured correctly.
Kerberos delegation involves complex configuration. Kerberos authentication must be functioning correctly between the client, the web server and the management server, and settings such as Service Principal Names (SPNs) must be configured correctly.
You may find that users logging on to Dashboard Server on a client, who have also logged on to the browser on the SquaredUp server itself, will authenticate successfully. This is because their session can still be live on the SquaredUp server, which means the authentication is in effect only a single hop between the client and SCOM. This can cause confusion when diagnosing the issue.
Please follow the guide User authentication methods for Dashboard Server SCOM Edition, and then run through the Troubleshooting Kerberos article.
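The double-hop described above depends on a few Active Directory attributes, and the following added example (not SquaredUp's own code) checks them for both hops. The function name, account names, host names and SPN values are assumptions made for illustration; substitute the values from the authentication guide.

```powershell
# Added example: names, hosts and SPNs below are constructed placeholders.
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl: unconstrained delegation
$NOT_DELEGATED          = 0x100000  # userAccountControl: "sensitive and cannot be delegated"

function Test-DoubleHopConfig {     # hypothetical helper name
    param(
        [Parameter(Mandatory)] $WebAccount,          # identity the web site runs as
        [Parameter(Mandatory)] $EndUser,             # the user who cannot log on
        [Parameter(Mandatory)] [string] $WebSpn,     # SPN clients request for the web site
        [Parameter(Mandatory)] [string] $BackEndSpn  # SPN of the management server service
    )
    $findings = @()
    # First hop: the browser can only get a Kerberos ticket if the site's SPN is registered.
    if (@($WebAccount.servicePrincipalName) -notcontains $WebSpn) {
        $findings += "First hop: $WebSpn is not registered on $($WebAccount.Name)"
    }
    # Second hop: constrained delegation lists the back-end SPNs the web account may use.
    if (@($WebAccount.'msDS-AllowedToDelegateTo') -notcontains $BackEndSpn) {
        $findings += "Second hop: $($WebAccount.Name) is not allowed to delegate to $BackEndSpn"
    }
    # Unconstrained delegation would also pass the second hop, but is far broader than needed.
    if ($WebAccount.userAccountControl -band $TRUSTED_FOR_DELEGATION) {
        $findings += "$($WebAccount.Name) is trusted for unconstrained delegation; restrict it to specific SPNs"
    }
    # A protected user account is never delegated, whatever the web server's settings.
    if ($EndUser.userAccountControl -band $NOT_DELEGATED) {
        $findings += "$($EndUser.Name) is marked sensitive and cannot be delegated"
    }
    $findings
}

# Constructed sample objects. In a domain, read the same attributes with the ActiveDirectory
# module, e.g. Get-ADComputer WEB01 -Properties servicePrincipalName,msDS-AllowedToDelegateTo,userAccountControl
$web = [pscustomobject]@{
    Name                       = 'WEB01$'
    servicePrincipalName       = @('HOST/web01.example.test', 'HTTP/dashboards.example.test')
    'msDS-AllowedToDelegateTo' = @()     # nothing listed: the second hop will fail
    userAccountControl         = 0x1000  # WORKSTATION_TRUST_ACCOUNT
}
$user = [pscustomobject]@{ Name = 'alice'; userAccountControl = 0x200 }  # NORMAL_ACCOUNT
Test-DoubleHopConfig -WebAccount $web -EndUser $user `
    -WebSpn 'HTTP/dashboards.example.test' -BackEndSpn 'MSOMSdkSvc/scom-ms01.example.test'
```

An empty result means these attributes are consistent with a working double-hop; it does not rule out the other causes covered in the Troubleshooting Kerberos article.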