How to configure Windows authentication when Squared Up is installed on load balanced servers

Due to the dependencies on Active Directory and Kerberos constrained delegation, Windows authentication can be difficult to configure and troubleshoot. Please follow these instructions carefully to ensure Windows authentication works without any issues in your environment. If you have any questions or need assistance, please contact Squared Up Support.

When to use this article

This article applies if:

  • You want to enable Windows authentication (single sign-on)
  • You have two or more load balanced Squared Up web servers
  • Squared Up is not installed on SCOM management servers

If you want to configure Windows authentication in a different scenario, review How to configure Windows authentication to find the appropriate article.

Overview

Load Balancer Diagram

The diagram above shows two Squared Up servers, a Primary and a Secondary server, with a load balancer in front of them.

Squared Up accesses SCOM using the end user’s credentials. When Windows authentication is being used and Squared Up is deployed on a dedicated server, the end user first authenticates with the Squared Up web server, and then the Squared Up web server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a ‘double-hop’ and requires Kerberos delegation to be enabled.

Kerberos delegation is notoriously difficult to configure. It requires Kerberos authentication to be correctly functioning between client, web server and management server, and for configuration such as Service Principal Names (SPNs) to be configured correctly. The rest of this article takes you through the configuration step-by-step.

For more information on Kerberos and how it operates, see here.

Prerequisites

  1. Squared Up has been installed and the initial configuration wizard (licensing, etc.) completed on all servers.

  2. High availability (HA) has been configured - see How to configure high availability

  3. The load balancer has been configured - see Tips for configuring a load balancer

Summary of steps

  1. Configure Squared Up to use a domain service account

  2. Enable Windows authentication using the Squared Up configuration tool

  3. Configure Kerberos constrained delegation

  4. Restart the Squared Up web servers

  5. Configure your web browsers to use Windows authentication

  6. Verify the configuration

1. Configure Squared Up to use a domain service account

When load balancing between Squared Up servers, the Squared Up application pool identity must be set to a domain service account, rather than the default of Network Service.

Follow the article How to check and modify the application pool identity to change the application pool identity from Network Service to a domain service account on each server.

2. Enable Windows authentication using the Squared Up configuration tool

Ensure both servers are using Windows authentication as described below. Modifying the configuration causes the web application to restart and all users will be logged off.

  1. On the Primary Squared Up server click on the Start button and type command prompt.

  2. Change directory to the instance for which you wish to change authentication, by typing the correct path, for example:

    cd c:\inetpub\wwwroot\squaredupv3\

  3. Type the following to enable Windows authentication:

    squaredup windows

  4. Repeat these steps to enable Windows authentication on the Secondary Squared Up server.

3. Configure Kerberos constrained delegation

Next we need to allow the Squared Up application to use the end user’s identity when connecting to SCOM. This is referred to as a ‘double-hop’ and requires Kerberos constrained delegation to be configured.

The following steps require changes to the Active Directory account used by the Squared Up application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by Squared Up before proceeding. See How to check and modify the Application Pool Identity.

Verify and configure Service Principal Names (SPNs)

We need to create SPNs for the individual servers and for the load balanced address, for example lb-ha.

Think of SPNs as pseudo-accounts that represent a service endpoint, such as the Squared Up website. They allow Kerberos to authenticate between a real end user and a service. SPNs must be created for each address the user connects to, and must be associated with the actual account used by the service, in our case this is the Squared Up application pool identity. For more information on SPNs and how they work see here.

We can create the required SPNs by running commands from a command prompt on the domain controller; the domain account used must have SCOM admin permissions.

The HTTP service class that we use here for SPNs differs from the HTTP protocol: both the HTTP protocol and the HTTPS protocol use the HTTP service class.

  1. On a domain controller, click on the Start button and type:

    command prompt

  2. Right-click on the Command Prompt icon and click Run as administrator.

  3. Type the following to set the SPN for each individual server's fully qualified domain name (FQDN):

    SETSPN -S HTTP/webserver1.domain.tld domain\SquaredUpAccount

    Where webserver1 should be replaced by the name of the server where Squared Up is installed, domain by your domain name, tld is the top level domain, and SquaredUpAccount is the domain service account that you set as the Squared Up application pool identity.

  4. Check that it shows Updated Object. If it shows "Duplicate SPN found, aborting operation!", see Troubleshooting Duplicate SPNs.

  5. Next, type the following to set the SPN for each individual server's short address:

    SETSPN -S HTTP/webserver1 domain\SquaredUpAccount

  6. Check that it shows Updated Object. If it shows "Duplicate SPN found, aborting operation!", see Troubleshooting Duplicate SPNs.

  7. Repeat the above steps for all other Squared Up web servers.

  8. Next, we’ll create the SPNs for the load balanced address.

    Type the following to set the SPN for the load balancer fully qualified domain name (FQDN):

    SETSPN -S HTTP/LoadBalancedAddress.domain.tld domain\SquaredUpAccount

    Where LoadBalancedAddress is the address you specified in DNS Manager, domain is your domain name, tld is the top level domain, and SquaredUpAccount is the domain service account that you set as the Squared Up application pool identity.

    For example:

    SETSPN -S HTTP/lb-ha.squpinternal.net squpinternal\CALBAppPool

  9. Check that it shows Updated Object. If it shows "Duplicate SPN found, aborting operation!", see Troubleshooting Duplicate SPNs.

  10. Next, type the following to set the SPN for the load balancer short address:

    SETSPN -S HTTP/LoadBalancedAddress domain\SquaredUpAccount

  11. Check that it shows Updated Object. If it shows "Duplicate SPN found, aborting operation!", see Troubleshooting Duplicate SPNs.

  12. To check the SPNs are configured correctly type:

    SETSPN -L SquaredUpAccount

You should see at least 6 SPNs. Two that we have just set for the load balanced address, two for the Primary Squared Up server and two for the Secondary Squared Up server (and two for each other Squared Up server):

SETSPN -L SquaredUpIdentity

If you have another address that you use to browse to Squared Up, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN).
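The SPN checks in steps 4 to 12 can be scripted. The following PowerShell is an added example, not a Squared Up tool: it confirms that the application pool account holds both SPN forms for every web server and for the load balanced address, and searches the domain for any other account holding the same SPN (the cause of "Duplicate SPN found"). The names SquaredUpAccount, webserver1, webserver2, lb-ha and domain.tld are assumptions; replace them with your own.

```powershell
# Added check (not Squared Up's own tooling): confirm the application pool account
# holds a short-name and an FQDN SPN for every web server and for the load balanced
# address, and that no other account in the domain holds the same SPN.
# Assumed names: SquaredUpAccount, webserver1, webserver2, lb-ha and domain.tld.
Import-Module ActiveDirectory

$Account = 'SquaredUpAccount'
$Domain  = 'domain.tld'
$Hosts   = @('webserver1', 'webserver2', 'lb-ha')   # every web server, then the load balanced address

# Both the HTTP and HTTPS sites use the HTTP service class, so two SPNs per host
$Expected = foreach ($h in $Hosts) { "HTTP/$h"; "HTTP/$h.$Domain" }

$Actual  = @((Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName)
$Missing = @($Expected | Where-Object { $Actual -notcontains $_ })

if ($Missing.Count -gt 0) {
    Write-Warning "SPNs missing from ${Account}: $($Missing -join ', ')"
} else {
    Write-Host "All $($Expected.Count) expected SPNs are registered on $Account"
}

# The KDC cannot issue a service ticket for an SPN that is registered on more than
# one account, so search the whole domain for other holders of each expected SPN.
foreach ($spn in $Expected) {
    $Holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                 Select-Object -ExpandProperty DistinguishedName)
    if ($Holders.Count -gt 1) {
        Write-Warning "Duplicate SPN $spn is held by: $($Holders -join ' ; ')"
    }
}
```

Run it from a domain-joined machine with the RSAT Active Directory module installed; with two web servers it expects the six SPNs described above.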

Configure Kerberos constrained delegation in Active Directory

The next step is to enable the Squared Up application to use the end user’s identity when connecting to SCOM. This is referred to as a ‘double-hop’ and requires Kerberos constrained delegation to be configured.

To configure Kerberos constrained delegation:

  1. On a domain controller, open Active Directory Users and Computers.

  2. If the Squared Up application pool is configured to use Network Service, navigate to the computer account for the web server, for example domain\webserver1. If you have configured Squared Up to use a domain service account, navigate to that domain service account, for example domain\svc-squaredup. See How to check and modify the Application Pool Identity.

  3. Right-click and select Properties.

  4. Click on the Delegation tab.

    If the Delegation tab is not visible, first check that you are looking at the correct user or computer account, then check that the SPN has been set correctly for this user or computer as described above.

  5. Check Trust this user/computer for delegation to specified services only. (We could also set Trust this user/computer for delegation to any service, but this is less secure than defining a list of specified services.)

  6. Click Add, then Users or Computers.

  7. If the System Center Data Access Service is running as Local System, locate the SCOM server. If the System Center Data Access Service is running as a service account, locate that service account. See Checking the System Center Data Access Service run as account.

  8. From the list of available services click on MSOMSdkSvc.

    If the MSOMSdkSvc service is not available, first check that you are looking at the correct user or computer account, then check that the SCOM SPNs are correct; see Troubleshooting Kerberos.

    Add Services MSOMSDKSvc

  9. Click OK, and then Apply.

    Delegation Tab
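The Delegation tab writes its choices to the account's userAccountControl flags and msDS-AllowedToDelegateTo attribute, so the result of steps 1 to 9 can be verified directly. The following PowerShell is an added example, not a Squared Up tool: it reports whether the account was left on the less secure "any service" or "any authentication protocol" options and whether the SCOM SDK service is the only delegation target. It assumes the account SquaredUpAccount and a management server named scom01 in domain.tld whose Data Access Service runs as Local System.

```powershell
# Added check (not Squared Up's own tooling): confirm the application pool account
# is set for constrained delegation to the SCOM SDK service only, as the Delegation
# tab steps above intend. Assumed names: SquaredUpAccount, SCOM management server
# scom01 in domain.tld, with the Data Access Service running as Local System.
Import-Module ActiveDirectory

$Account    = 'SquaredUpAccount'
$ScomServer = 'scom01'
$Domain     = 'domain.tld'

# userAccountControl bits set by the two less restrictive Delegation tab options
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust ... for delegation to any service"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

$u = Get-ADUser -Identity $Account -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$Targets = @($u.'msDS-AllowedToDelegateTo')   # what "specified services only" writes

if ($u.userAccountControl -band $TRUSTED_FOR_DELEGATION) {
    Write-Warning "$Account is trusted for unconstrained delegation; use 'specified services only' instead"
}
if ($u.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
    Write-Warning "$Account allows protocol transition; 'Use Kerberos only' is sufficient here"
}

# Expect the SDK service SPN of the management server (short name and FQDN)
$Expected = @("MSOMSdkSvc/$ScomServer", "MSOMSdkSvc/$ScomServer.$Domain")
$Missing  = @($Expected | Where-Object { $Targets -notcontains $_ })
if ($Missing.Count -gt 0) {
    Write-Warning "Not allowed to delegate to: $($Missing -join ', ')"
} else {
    Write-Host "$Account may delegate to: $($Targets -join ', ')"
}

# Any target outside the SCOM SDK service widens what a compromised pool account could reach
$Extra = @($Targets | Where-Object { $_ -notlike 'MSOMSdkSvc/*' })
if ($Extra.Count -gt 0) {
    Write-Warning "Unexpected delegation targets: $($Extra -join ', ')"
}
```

If the Data Access Service runs as a service account, the SPNs are registered on that account instead, but the expected MSOMSdkSvc/... values are the same.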

4. Restart the Squared Up web servers

At this point we strongly recommend restarting the Squared Up web servers to clear any cached account information.

5. Configure your web browsers to use Windows authentication

Your users’ web browsers must be configured to use Windows authentication when connecting to Squared Up.

The configuration depends on the browser.

Internet Explorer

By default, Internet Explorer is enabled to use Windows authentication for intranet sites only. If your users may connect to Squared Up using a fully qualified domain name (FQDN) (e.g. webserver1.domain.local) then you must add this to the list of intranet sites in Internet Explorer.

Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.

  1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

    Local Intranet

  2. Paste in the fully qualified domain name for your Squared Up server, and click Add, then Close, then OK.

  3. Click on Local intranet and then Custom level.

  4. Scroll to the bottom of the settings and verify that one of the following settings is enabled:

    • Automatic logon with current user name and password

    • Automatic logon only in Intranet zone

      Automatic Logon

If you prefer, you can add the sites to the local intranet sites on all clients using Group Policy, see:

Internet Explorer prompting for credentials - Windows authentication (Clint Boessen’s blog)

Chrome

By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps above.

In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.

For more details, see The Chromium Projects - HTTP authentication

Firefox

Firefox requires explicit configuration to enable Windows authentication.

  1. Type about:config in the location bar.

  2. Type network.negotiate-auth.trusted-uris in the search box.

  3. Double-click on the setting returned and type the Squared Up server name and then the fully qualified domain name (FQDN), separated by a comma and a space. Do not include the http:// or https:// prefix.

    network.negotiate-auth.trusted-uris

  4. Click OK.

  5. Repeat these steps for the network.negotiate-auth.delegation-uris setting.

6. Verify the configuration

Check that Squared Up is now accessible:

  1. Log on to a client machine as a SCOM user, using a different user account from the one with which you are logged on to the Squared Up server. (Note that it must be a different account; otherwise Windows authentication may reuse your server logon session and appear to succeed even if Kerberos is misconfigured.)

  2. Browse to the load balanced address using both the short address and the FQDN, for example http://lb-ha/SquaredUpv3 and http://lb-ha.domain.tld/SquaredUpv3

    Browsing to the FQDN from the web server itself hits a known Microsoft bug; see HTTP 401.1 - Unauthorized: Logon Failed.

  3. If Squared Up opens, check that graphs are shown. If they are not, check the Data Warehouse connection.
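A page that loads does not prove Kerberos was used: a browser that fell back to NTLM authenticates to the web server but leaves nothing to delegate, so the second hop to SCOM fails. The following PowerShell is an added example, not a Squared Up tool, to be run elevated on a Squared Up web server shortly after the browser test; it lists recent network logons from the Security log (event 4624, logon type 3) with the authentication package each used, so the test user's logon should show Kerberos rather than NTLM.

```powershell
# Added check (not Squared Up's own tooling): on a Squared Up web server, list the
# network logons of the last 15 minutes with the authentication package used.
# Run elevated, after browsing to Squared Up from the client as the test user.
$since = (Get-Date).AddMinutes(-15)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.LogonType -eq '3') {          # network logon, which is what IIS records
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                AuthPackage = $d.AuthenticationPackageName   # expect Kerberos, not NTLM
                ClientIP    = $d.IpAddress
            }
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the test user's entry shows NTLM, the client did not obtain a ticket for the HTTP SPN: re-check the browser intranet zone settings and the SPNs before looking at delegation.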

If you experience issues see Troubleshooting Kerberos.

Installing Squared Up for the first time

How to configure Windows authentication on a single dedicated server

How to configure Windows authentication

How to check and modify the application pool identity

How to configure high availability

Troubleshooting Kerberos

Kemp Free LoadMaster software download and Kemp Support

How to use SPNs when you configure Web applications that are hosted on Internet Information Services