Applies to: v4

Users unable to log on when Kerberos constrained delegation is configured

Symptoms

When users attempt to log on to Squared Up they receive a browser-based login prompt.

(Screenshot: sample "Authentication required" prompt)

The following error is logged in the Squared Up log file c:\inetpub\wwwroot\SquaredUpv4\Transient\Log\:

[ERR] SCOM connectivity error: unauthorized System.UnauthorizedAccessException: The user does not have sufficient permission to perform the operation.

Cause

Squared Up accesses SCOM using the end user's credentials. When Windows authentication is being used and Squared Up is deployed on a dedicated server (not a SCOM server), the end user first authenticates with the Squared Up web server, and then the Squared Up web server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a 'double-hop' and requires Kerberos delegation to be configured correctly.

Kerberos delegation involves complex configuration. It requires Kerberos authentication to be functioning correctly between client, web server and management server, and settings such as Service Principal Names (SPNs) to be configured correctly.

You may find that users logging on to Squared Up from a client, who have also logged on to the browser on the Squared Up server itself, authenticate successfully. This is because their session can still be live on the Squared Up server, which means it is in effect only a one-hop authentication between the client and SCOM. This can cause confusion when diagnosing the issue.
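The delegation settings behind the double-hop can be inspected read-only from a domain-joined machine. The following is an added example, not part of the Squared Up documentation: every account and host name is a placeholder, and the SPN service class `MSOMSdkSvc` for the SCOM Data Access service is an assumption that does not appear on this page.

```powershell
# Read-only checks of the Kerberos constrained delegation settings (added example).
# Requires the ActiveDirectory module (RSAT). Replace the placeholder values.
Import-Module ActiveDirectory

$WebIdentity = 'SQUAREDUP01$'            # placeholder: app pool identity (a computer account ends in $)
$ScomServer  = 'scomms01.example.local'  # placeholder: SCOM management server FQDN
$TestUser    = 'jbloggs'                 # placeholder: an affected end user
$SpnClass    = 'MSOMSdkSvc'              # assumption: SPN class of the SCOM Data Access service

$short    = $ScomServer.Split('.')[0]
$expected = "$SpnClass/$ScomServer", "$SpnClass/$short"

# 1. Is the web tier allowed to delegate to the management server's SPNs?
$web = Get-ADObject -LDAPFilter "(sAMAccountName=$WebIdentity)" `
        -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'
if (-not $web) { throw "Account $WebIdentity not found" }
$allowed = @($web.'msDS-AllowedToDelegateTo')
foreach ($spn in $expected) {
    '{0,-45} in delegation list: {1}' -f $spn, ($allowed -contains $spn)
}

# userAccountControl flags: 0x80000 = unconstrained delegation,
# 0x1000000 = constrained delegation with protocol transition ("any protocol").
$uac = [int]$web.userAccountControl
'Unconstrained delegation enabled: {0}' -f [bool]($uac -band 0x80000)
'Protocol transition enabled:      {0}' -f [bool]($uac -band 0x1000000)

# 2. Each SPN must be registered on exactly one account; a missing or
#    duplicate SPN stops Kerberos tickets being issued for the service.
foreach ($spn in $expected) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    '{0,-45} registered on {1} account(s): {2}' -f $spn, $owners.Count, ($owners.Name -join ', ')
}

# 3. Accounts flagged as sensitive, or in Protected Users, cannot be delegated.
$user = Get-ADUser $TestUser -Properties AccountNotDelegated, MemberOf
'User is "sensitive and cannot be delegated": {0}' -f $user.AccountNotDelegated
'User is in Protected Users:                  {0}' -f [bool]($user.MemberOf -match '^CN=Protected Users,')
```

Run the user check against an account that fails from a remote client rather than one with a live session on the Squared Up server, since that session can mask the problem.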

Resolution

Please follow the guide How to configure Windows authentication, and then run through the Troubleshooting Kerberos article.


Squared Up Ltd. (c) 2018