This article only applies to Squared Up Version 2.0. If you're looking for help with Squared Up Version 3.0, please visit our new knowledge base

If Squared Up is not installed on the SCOM server, and Integrated Windows Authentication (IWA) is enabled, then Kerberos Constrained Delegation needs to be configured.

If Kerberos is not configured then the client PC can authenticate with the Squared Up server using Kerberos, but then Squared Up cannot authenticate with SCOM using Kerberos as Squared Up is authenticating on behalf of the client to another server which is not allowed (as this is a two hop authentication).

If this is the problem you will see the following the Squared Up log file (c:\inetpub\wwwroot\SquaredUpv2\Log\rolling.log):

Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException: The user does not have sufficient permission to perform the operation. ---> System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.

You may find that users logging on to Squared Up on a client, who have also logged on to the browser on the Squared Up server itself, will authenticate successfully.  This is because their session can still be live on the Squared Up server, which means it is in effect now only a one hop authentication between the client and SCOM. This can cause confusion when diagnosing the issue.

To successfully authenticate across two hops the server that is hosting Squared Up has to be permitted in AD to act on behalf of another user. This is called Kerberos Constrained Delegation. Within the Active Directory on your Squared Up server:

 1. Select the server that is hosting Squared Up.

 2. Select properties, and click on the Delegation tab.

 3. Select "Trust this computer for delegation to specified services only."

 4. Press Add... then locate the server which is hosting SCOM.

 5. On that server select the server MSOMSdkSvc

 6. Press OK on "Add Services"

 7. Press OK on "<Squared Up Server> Properties"

Once this is configured, clients can then be authenticated on the Squared Up server and then again on behalf of the client to the SCOM server.

See also:

Enable Integrated Windows Authentication (single sign on)

Troubleshooting Kerberos Constrained Delegation