How to configure Windows authentication when Squared Up is installed on a single dedicated server

Due to the dependencies on Active Directory and Kerberos constrained delegation, Windows authentication can be difficult to configure and troubleshoot. Please follow these instructions carefully to ensure Windows authentication works without any issues in your environment. If you have any questions or need assistance, please contact Squared Up Support.

When to use this article

This article applies if:

  • You want to enable Windows authentication (single sign-on)
  • You have a single Squared Up web server (not load balanced)
  • Squared Up is not installed on a SCOM management server

If you want to configure Windows authentication in a different scenario, review How to configure Windows authentication to find the appropriate guidance.

Overview

Kerberos double hop diagram

Squared Up accesses SCOM using the end user’s credentials. When Windows authentication is being used and Squared Up is deployed on a dedicated server, the end user first authenticates with the Squared Up web server, and then the Squared Up web server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a ‘double-hop’ and requires Kerberos delegation to be enabled.

Kerberos delegation involves complex configuration. It requires Kerberos authentication to be correctly functioning between client, web server and management server, and for configuration such as Service Principal Names (SPNs) to be configured correctly. The rest of this article takes you through the configuration step-by-step.

For more information on Kerberos and how it operates, see here.

Prerequisites

  1. Squared Up has been installed and the initial setup completed. See How to install Squared Up v3 for the first time.

  2. If desired, Squared Up has been configured to use a domain service account (this is optional, but if it is required then it must be configured before the following steps). See How to check and modify the application pool identity.

Summary of steps

  1. Enable Windows authentication using the Squared Up configuration tool

  2. Enable ‘useAppPoolCredentials’ and ‘useKernelMode’ in IIS

  3. Configure Kerberos constrained delegation

  4. Restart the Squared Up web server

  5. Configure your web browsers to use Windows authentication

  6. Verify the configuration

1. Enable Windows authentication using the Squared Up configuration tool

The first step is to configure the IIS web application to use Windows authentication. This is performed automatically using the Squared Up configuration tool.

Modifying the configuration causes the web application to restart and all users will be logged off.

  1. On the Squared Up server click on the Start button and type command prompt.

  2. Change directory to the instance for which you wish to change authentication, by typing the correct path, for example:

    cd c:\inetpub\wwwroot\squaredupv3\

  3. Type the following to enable Windows authentication:

    squaredup windows

2. Enable ‘useAppPoolCredentials’ and ‘useKernelMode’ in IIS

In addition to the settings configured by the Squared Up configuration tool, we need to manually configure IIS to perform authentication using ‘kernel mode’ and to use the application pool identity when doing so.

  1. In IIS click on the SquaredUpv3 application.

  2. Double-click on Configuration Editor in the main panel.

  3. Click the Section drop down list at the top, and navigate to the following:

    system.webServer/security/authentication/windowsAuthentication

  4. Set useAppPoolCredentials to True and ensure useKernelMode is set to True

  5. Click Apply.

    Configuration Editor showing useAppPoolCredentials set to True
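
The same two attributes can be set and read back from a PowerShell prompt on the web server. This is an added example, not part of the Squared Up article or the product's own tooling; it uses the WebAdministration module that ships with IIS and assumes the application lives at 'Default Web Site/SquaredUpv3' (adjust $location if your site or application path differs).

```powershell
# Added example (not from the Squared Up article): sets and verifies the two
# windowsAuthentication attributes from step 2 with the WebAdministration module.
# Assumption: the Squared Up application path is 'Default Web Site/SquaredUpv3'.
Import-Module WebAdministration

$location = 'Default Web Site/SquaredUpv3'   # assumed site/application path
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$pspath   = 'MACHINE/WEBROOT/APPHOST'        # applicationHost.config, where this section is unlocked

function Get-WinAuthAttribute([string]$Name) {
    # Returns the attribute as a boolean whether IIS hands back a plain value
    # or a ConfigurationAttribute object with a .Value property.
    $v = Get-WebConfigurationProperty -PSPath $pspath -Location $location -Filter $filter -Name $Name
    if ($v -is [bool]) { return $v }
    return [bool]$v.Value
}

function Get-SquaredUpWinAuthSettings {
    [pscustomobject]@{
        enabled               = Get-WinAuthAttribute 'enabled'
        useAppPoolCredentials = Get-WinAuthAttribute 'useAppPoolCredentials'
        useKernelMode         = Get-WinAuthAttribute 'useKernelMode'
    }
}

Write-Host 'Before:'; Get-SquaredUpWinAuthSettings | Format-List

# Both attributes must be True: kernel-mode authentication stays on, and the
# application pool identity (not the machine account) is used to decrypt the
# Kerberos ticket, which is what the SPNs in step 3 are registered against.
foreach ($name in 'useAppPoolCredentials', 'useKernelMode') {
    Set-WebConfigurationProperty -PSPath $pspath -Location $location -Filter $filter -Name $name -Value $true
}

$after = Get-SquaredUpWinAuthSettings
Write-Host 'After:'; $after | Format-List

if (-not $after.enabled) {
    Write-Warning 'Windows authentication is not enabled on this application; run "squaredup windows" first (step 1).'
}
if (-not ($after.useAppPoolCredentials -and $after.useKernelMode)) {
    throw 'useAppPoolCredentials and useKernelMode are not both True'
}
```

Running the read-back before and after makes it obvious when the change landed in a different scope than expected (for example when the section is locked and the value is being read from the application's web.config instead).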

3. Configure Kerberos constrained delegation

Next we need to allow the Squared Up application to use the end user’s identity when connecting to SCOM. This is referred to as a ‘double-hop’ and requires Kerberos constrained delegation to be configured.

The following steps require changes to the Active Directory account used by the Squared Up application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by Squared Up before proceeding. See How to check and modify the Application Pool Identity.

Verify and configure Service Principal Names (SPNs)

If you have configured a custom application pool identity (i.e. a domain service account) then you must add the necessary SPNs.

Think of SPNs as pseudo-accounts that represent a service endpoint, such as the Squared Up website. They allow Kerberos to authenticate between a real end user and a service. SPNs must be created for each address the user connects to, and must be associated with the actual account used by the service, in our case this is the Squared Up application pool identity. For more information on SPNs and how they work see here.

We can create the required SPNs by running commands from a command prompt on the domain controller. The domain account used must have SCOM admin permissions.

The HTTP service class that we use here for SPNs differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class.

  1. On a domain controller, click on the Start button and type:

    command prompt

  2. Right-click on the Command Prompt icon and click Run as administrator.

  3. Type the following to set the SPN for the server fully qualified domain name (FQDN):

    SETSPN -S HTTP/webserver1.domain.tld domain\SquaredUpAccount

    webserver1 should be replaced by the name of the server where Squared Up is installed, domain by your domain name, tld is the top level domain, and SquaredUpAccount should be replaced by the Squared Up application pool identity.

    If the Squared Up application pool is configured to use NetworkService, then the SquaredUpAccount is the computer account for the web server. For example, if Squared Up is running on server webserver1.domain.local then use domain\webserver1.

    If you have configured Squared Up to use a domain service account then this account should be used. For example, if your domain service account is domain\svc-squaredup then use domain\svc-squaredup.

    If you are unsure which account Squared Up is configured to use, check the Squared Up application pool configuration.

  4. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs.

  5. Next type the following to set the SPN for the server short address:

    setspn -S HTTP/webserver1 domain\SquaredUpAccount

  6. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs.

If you have another address that you use to browse to Squared Up, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN).

Configure Kerberos constrained delegation in Active Directory

The next step is to enable the Squared Up application to use the end user’s identity when connecting to SCOM. This is referred to as a ‘double-hop’ and requires Kerberos constrained delegation to be configured.

To configure Kerberos constrained delegation:

  1. On a domain controller, open Active Directory Users and Computers.

  2. If the Squared Up application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example domain\webserver1. If you have configured Squared Up to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup. See How to check and modify the Application Pool Identity.

  3. Right-click and select Properties.

  4. Click on the Delegation tab.

    If the Delegation tab is not visible, first check that you are looking at the correct user or computer account, then check that the SPN has been set correctly for this user or computer as described above.

  5. Check Trust this user/computer for delegation to specified services only. (We could also set Trust this user/computer for delegation to any service, but this is less secure than defining a list of specified services.)

  6. Click Add, then Users or Computers.

  7. If the System Center Data Access Service is running as Local System, locate the SCOM server. If the System Center Data Access Service is running as a service account locate that service account. See Checking the System Center Data Access Service run as account.

  8. From the list of available services click on MSOMSdkSvc.

    If the MSOMSdkSvc service is not available, first check that you are looking at the correct user or computer account, then check that the SCOM SPNs are correct, see Troubleshooting Kerberos.

    Add Services MSOMSdkSvc

  9. Click OK, and then Apply.

    Delegation Tab
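
The SPN registration above and the Delegation tab settings in this section both end up as attributes on the application pool account in Active Directory, so they can be applied and checked together from PowerShell with the ActiveDirectory module (RSAT). This is an added example, not part of the Squared Up article; the server names webserver1 / webserver1.domain.tld, the service account svc-squaredup and the SCOM server scom1 / scom1.domain.tld are placeholders for your own values. It checks the whole domain for a duplicate SPN before adding one (the condition setspn reports as "Duplicate SPN found"), and it only writes the "specified services only" list, which is the Use Kerberos only form of constrained delegation that the tab configures by default.

```powershell
# Added example (not from the Squared Up article): registers the HTTP SPNs for
# the Squared Up application pool identity and configures constrained delegation
# to the SCOM SDK service (MSOMSdkSvc). Run where the ActiveDirectory module is
# available, as an account allowed to modify the application pool account.
# All names below are assumed placeholders.
Import-Module ActiveDirectory

$webServerHost = 'webserver1'            # assumed Squared Up web server
$webServerFqdn = 'webserver1.domain.tld'
$appPoolIdent  = 'svc-squaredup'         # sAMAccountName of the app pool identity;
                                         # for NetworkService use the computer account, e.g. 'webserver1$'
$scomHost      = 'scom1'                 # assumed SCOM management server
$scomFqdn      = 'scom1.domain.tld'

# Resolve the account whether it is a user or a computer object
$account = Get-ADObject -LDAPFilter "(sAMAccountName=$appPoolIdent)" `
               -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'
if (-not $account) { throw "Account $appPoolIdent not found in Active Directory" }

# --- SPNs: one per address users browse to (short name and FQDN) ---
$httpSpns = @("HTTP/$webServerHost", "HTTP/$webServerFqdn")
foreach ($spn in $httpSpns) {
    # An SPN may exist on only one object in the domain. A copy on another
    # object is the "Duplicate SPN found" case and must be resolved, not overwritten.
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    $other  = @($owners | Where-Object { $_.DistinguishedName -ne $account.DistinguishedName })
    if ($other.Count -gt 0) {
        Write-Warning "Duplicate SPN: $spn is already registered on $($other.DistinguishedName -join ', ')"
        continue
    }
    if ($account.servicePrincipalName -contains $spn) {
        Write-Host "SPN already present: $spn"
    } else {
        Set-ADObject -Identity $account -Add @{servicePrincipalName = $spn}
        Write-Host "Registered SPN: $spn"
    }
}

# --- Constrained delegation: delegate to the SCOM SDK service only ---
# This is what the Delegation tab stores for "specified services only" with
# "Use Kerberos only": the target SPNs in msDS-AllowedToDelegateTo. When the
# Data Access Service runs as Local System these SPNs sit on the SCOM computer
# account; when it runs as a service account they sit on that account. Either
# way the targets are the MSOMSdkSvc SPNs, so check they exist first.
$targets = @("MSOMSdkSvc/$scomHost", "MSOMSdkSvc/$scomFqdn")
$missing = @($targets | Where-Object { -not (Get-ADObject -LDAPFilter "(servicePrincipalName=$_)") })
if ($missing.Count -gt 0) { throw "SCOM SPN(s) not registered in AD: $($missing -join ', ')" }

$current = @($account.'msDS-AllowedToDelegateTo')
$toAdd   = @($targets | Where-Object { $current -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Set-ADObject -Identity $account -Add @{'msDS-AllowedToDelegateTo' = $toAdd}
}

# Verify by reading both attributes back from the directory
$check = Get-ADObject -Identity $account.DistinguishedName `
             -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'
Write-Host "SPNs on ${appPoolIdent}:";  $check.servicePrincipalName
Write-Host 'Allowed to delegate to:';   $check.'msDS-AllowedToDelegateTo'
```

If the MSOMSdkSvc check throws, the SCOM side is missing its own SPNs, which is the same situation as the service not appearing in the Add Services list; fix that before touching the Squared Up account. Restart the web server afterwards, as the next step says, so the account's cached delegation settings are refreshed.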

4. Restart the Squared Up web server

At this point we strongly recommend restarting the Squared Up web server to clear any cached Active Directory account information.

5. Configure your web browsers to use Windows authentication

Your users’ web browsers must be configured to use Windows authentication when connecting to Squared Up.

The configuration required depends on the web browser.

Internet Explorer

By default, Internet Explorer is enabled to use Windows authentication for intranet sites only. If your users may connect to Squared Up using a fully qualified domain name (FQDN) (e.g. webserver1.domain.local) then you must add this to the list of intranet sites in Internet Explorer.

Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.

  1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

    Local Intranet

  2. Paste in the fully qualified domain name for your Squared Up server, and click Add, then Close, then OK.

  3. Click on Local intranet and then Custom level.

  4. Scroll to the bottom of the settings and verify that one of the following settings is enabled:

    • Automatic logon with current user name and password

    • Automatic logon only in Intranet zone

      Automatic Logon

If you prefer, you can add the sites to the local intranet sites on all clients using Group Policy, see:

Internet Explorer prompting for credentials - Windows authentication (Clint Boessen’s blog)

Chrome

By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps above.

In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.

For more details, see The Chromium Projects - HTTP authentication

Firefox

Firefox requires explicit configuration to enable Windows authentication.

  1. Type about:config in the location bar.

  2. Type network.negotiate-auth.trusted-uris in the search box.

  3. Double-click on the setting returned and type the Squared Up server name and then the fully qualified domain name (FQDN) separated by a comma and a space. Do not include the http:// or https://.

    network.negotiate-auth.trusted-uris

  4. Click OK.

  5. Repeat these steps for the network.negotiate-auth.delegation-uris setting.
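
For more than a handful of clients, the same two Firefox preferences can be set for every user on a machine through Firefox enterprise policies (a policies.json file in the installation's distribution folder), which goes beyond the per-user about:config steps above. This is an added example, not part of the Squared Up article; the host names are placeholders and the install path is assumed to be the default 64-bit location.

```powershell
# Added example (not from the Squared Up article): writes a Firefox enterprise
# policy that sets network.negotiate-auth.trusted-uris and
# network.negotiate-auth.delegation-uris for all users on this machine.
# Assumptions: host names below, default Firefox install path. Overwrites any
# existing policies.json, so merge by hand if one is already deployed.
$hosts = @('webserver1', 'webserver1.domain.tld')   # no http:// or https://, as in the manual steps

$policy = @{
    policies = @{
        Authentication = @{
            SPNEGO    = $hosts   # equivalent of network.negotiate-auth.trusted-uris
            Delegated = $hosts   # equivalent of network.negotiate-auth.delegation-uris
        }
    }
}

$installDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'   # assumed install path
$distDir    = Join-Path $installDir 'distribution'
$policyFile = Join-Path $distDir 'policies.json'

if (-not (Test-Path $installDir)) { throw "Firefox not found at $installDir" }
if (-not (Test-Path $distDir))    { New-Item -ItemType Directory -Path $distDir | Out-Null }

$policy | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding UTF8

# Read the file back as JSON so a typo in the structure is caught here rather
# than silently ignored by Firefox; the browser itself lists what it applied at about:policies.
$applied = (Get-Content $policyFile -Raw | ConvertFrom-Json).policies.Authentication
Write-Host "SPNEGO:    $($applied.SPNEGO -join ', ')"
Write-Host "Delegated: $($applied.Delegated -join ', ')"
```

Keep the Delegated list to the Squared Up hosts only: it is the browser-side counterpart of the constrained delegation list in Active Directory, and listing a broad wildcard there lets any matching site receive the user's delegable credentials.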

6. Verify the configuration

Check that Squared Up is now accessible:

  1. Log on to a client machine as a SCOM user, using a different user account to that with which you are logged on to the Squared Up server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if Kerberos is misconfigured.)

    There are a couple of reasons not to test by browsing to Squared Up from the Squared Up server itself. Logging into Squared Up on the server won’t use Kerberos delegation because there is no longer a ‘double-hop’. Browsing to the FQDN on a web server is a known Microsoft bug, see HTTP 401.1 - Unauthorized: Logon Failed.

  2. Browse to Squared Up, for example from both http://SquaredUpServer/SquaredUpv3 and http://SquaredUpServer.domain.tld/SquaredUpv3

  3. If Squared Up opens, check that graphs are shown. If they are not, check the Data Warehouse connection.

If you still experience issues see Troubleshooting Kerberos.
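
A page that opens is not proof that Kerberos was used: if the browser fell back to NTLM, the first hop succeeds and only the second hop to SCOM fails. The two checks below, an added example that is not part of the Squared Up article, show which protocol actually authenticated the test user. Test-ClientKerberosTicket runs on the client after browsing to Squared Up and looks for an HTTP service ticket in the ticket cache; Get-WebServerLogonPackages runs on the web server and reads the authentication package from Security event 4624. The host name and time window are assumptions.

```powershell
# Added example (not from the Squared Up article): confirm that the test user
# reached Squared Up with Kerberos rather than NTLM. Host name is a placeholder.

function Test-ClientKerberosTicket {
    param([string]$WebServerFqdn = 'webserver1.domain.tld')   # assumed
    # klist lists the cached Kerberos tickets of the current logon session.
    # A ticket for HTTP/<web server> means the browser used Kerberos, which is
    # the only path on which delegation to SCOM can work.
    $tickets = klist 2>&1 | Out-String
    $found   = $tickets -match "(?im)^\s*Server:\s*HTTP/$([regex]::Escape($WebServerFqdn))"
    $hint    = if ($found) { 'OK' } else { 'No HTTP ticket: check the SPNs and the browser intranet/trusted-uris settings' }
    [pscustomobject]@{ WebServer = $WebServerFqdn; KerberosTicket = $found; Hint = $hint }
}

function Get-WebServerLogonPackages {
    param([int]$Hours = 1)   # assumed window
    # Security event 4624 (successful logon) records the authentication package.
    # Network logons (type 3) to the web server should show Kerberos; NTLM means
    # the double-hop will fail even though the first hop succeeded.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -ne '3') { continue }   # browser logons are network logons
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Package = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            Source  = $d.IpAddress
        }
    }
}

# Usage on the client (after browsing to Squared Up):
Test-ClientKerberosTicket -WebServerFqdn 'webserver1.domain.tld' | Format-List

# Usage on the web server: anything other than Kerberos for the test user
# points at a client or SPN problem rather than at the delegation settings.
Get-WebServerLogonPackages -Hours 1 |
    Where-Object { $_.User -notlike '*$' } |   # skip machine accounts
    Sort-Object Time -Descending | Format-Table -AutoSize
```

Reading the Security log requires administrator rights on the web server and logon auditing to be enabled, which it is by default for successful logons on server editions.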

How to install Squared Up v3 for the first time

About authentication modes

How to configure Windows authentication when Squared Up is installed on a SCOM Management Server

How to configure Windows authentication when Squared Up is installed on load balanced servers

How to check and modify the application pool identity

Troubleshooting Kerberos