This article only applies to Squared Up Version 2.0. If you're looking for help with Squared Up Version 3.0, please visit our new knowledge base

If you have enabled Windows Integrated Authentication and Kerberos Constrained Delegation and experience problems, follow the steps in this article.


First, confirm where the problem is occurring:


Do you get an error browsing to Squared Up from a client machine?

If you log on to the (primary) Squared Up server and open a browser there, do you get an error browsing to Squared Up?

If you have a secondary Squared Up server, do you get an error browsing to Squared Up on that server?

Kerberos constrained delegation involves two hops, browser to web server (sections 6 and 7) and web server to SCOM (sections 8 and 9), so note which machines fail and whether the error appears before or after you are authenticated to the site.


1. Clear caches

1. To apply the changes you have made, restart the 'Windows Process Activation Service' (WAS) on the Squared Up server. You can do this through Server Manager, Services > Windows Process Activation Service. Restarting WAS also restarts the World Wide Web Publishing Service, which depends on it.

2. Flush the Kerberos ticket caches by running 'klist purge' from a command prompt on:

  • The SCOM management server
  • The Squared Up server
  • The client machine you are testing from.

'klist purge' only clears the logon session you run it in. The Squared Up application pool runs in its own session (Network Service, logon ID 0x3e4, by default), so on the Squared Up server also run 'klist -li 0x3e4 purge' from an elevated prompt, or simply rely on the WAS restart above, which discards the pool's tickets.

2. Run the Squared Up Kerberos SPN Debugging Script

This PowerShell script helps to diagnose Kerberos SPN issues. Run it on your Squared Up IIS server while logged on as a domain user, from an elevated (Run as administrator) PowerShell session.


1. On each Squared Up server, download the diagnostic script package Debug-SquaredUpKerberos.zip and extract its contents to a sensible location (e.g. c:\inetpub\wwwroot\squaredupv2\tools).


2. Open Windows PowerShell as an administrator (click the Start button, type PowerShell, right-click Windows PowerShell and click 'Run as administrator').


3. Run the script by typing the path you extracted it to, for example:

C:\inetpub\wwwroot\SquaredUpv2\Tools\Debug-SquaredUpKerberos.ps1

If script execution is blocked by policy, start PowerShell with '-ExecutionPolicy Bypass' for that session rather than changing the machine-wide policy.


3. Providers

1. Open IIS Manager, expand 'Sites' and 'Default Web Site', and click on the Squared Up application (SquaredUpv2 or SquaredUpv3).

2. Double-click on 'Authentication' in the middle pane.

3. Right-click on Windows Authentication and select Providers. The list should contain 'Negotiate', not 'Negotiate:Kerberos'. If you see 'Negotiate:Kerberos', remove it and add plain 'Negotiate' in its place, so that 'Negotiate' is the provider offered to clients.




4. Enable Kerberos logging

1. Follow the steps in this Microsoft article to enable Kerberos logging:

https://support.microsoft.com/en-us/help/262177/how-to-enable-kerberos-event-logging


2. Check Event Viewer on the Squared Up server, under Windows Logs > System, for Kerberos-related errors (source 'Security-Kerberos'). Kerberos logging is verbose and also reports some benign failures, so turn it off again once you have finished troubleshooting.
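The same procedure scripted, as an added example that is not part of the Squared Up article or the linked Microsoft article: it switches Kerberos client logging on, waits while you reproduce the failure, collects the resulting events from the System log and switches logging off again. It assumes the registry value documented by Microsoft for Kerberos event logging (LogLevel under the Kerberos\Parameters key) and that it is run in an elevated PowerShell session on the Squared Up server; the hints attached to event IDs 3 and 4 are general Kerberos knowledge, not text from the article.

```powershell
# Added example; not from the Squared Up article. Run as Administrator on the Squared Up server.
$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosLogging {
    # LogLevel = 1 (DWORD) is the value the Microsoft article describes.
    if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
    Set-ItemProperty -Path $kerbParams -Name LogLevel -Value 1 -Type DWord
    Get-Date   # returned so the caller can limit the event query to what happens from now on
}

function Disable-KerberosLogging {
    # Logging is noisy and records some benign failures, so remove it when finished.
    Remove-ItemProperty -Path $kerbParams -Name LogLevel -ErrorAction SilentlyContinue
}

function Get-KerberosClientErrors {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Hints for the two event IDs most often seen on the web server (assumed mapping, general
    # Kerberos knowledge rather than anything the article states).
    $hint = @{
        3 = 'KDC returned an error; KDC_ERR_S_PRINCIPAL_UNKNOWN means no account holds the requested SPN (sections 7 and 9)'
        4 = 'KRB_AP_ERR_MODIFIED: ticket encrypted with another account''s key; check for a duplicate or misplaced SPN (section 7) and useAppPoolCredentials (section 5)'
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]
                Hint    = $hint[[int]$_.Id]
            }
        }
}

$started = Enable-KerberosLogging
Read-Host 'Reproduce the failure (browse to Squared Up from the client and on the server), then press Enter' | Out-Null
Get-KerberosClientErrors -Since $started | Format-Table -AutoSize -Wrap
Disable-KerberosLogging
```

Run it once per failing hop: on the Squared Up server it captures the web server's attempts to reach the SCOM Data Access Service, and the same script on the client captures the browser's attempts to reach the web server.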


5. Check 'useAppPoolCredentials' is set to True

Enable the 'useAppPoolCredentials' setting in IIS as follows. With kernel-mode authentication (section 7b) IIS decrypts Kerberos tickets with the machine account's key unless this setting is true; if the application pool runs as a domain account that holds the HTTP SPN, the tickets are encrypted with that account's key instead, so the setting is required for authentication to succeed.

1. In IIS Manager expand the website where Squared Up is installed.

2. Click on the Squared Up application.

3. In the middle pane double-click on Configuration Editor.

4. In the 'Section' drop down navigate to system.webServer/security/authentication/windowsAuthentication.

5. Set 'useAppPoolCredentials' to True.

6. Check that 'enabled' in the same section is also True (and 'useKernelMode', see section 7b).

7. Select 'Apply'.


6. Check that the site has been added to the local intranet zone

The Squared Up server (and the load balancer name, if you are using one) must be in the Local intranet zone, and the zone's user authentication logon option must allow automatic logon; otherwise the browser will not send Windows credentials and Kerberos never starts. Do this on the machine you are browsing from (the client, or the server itself if you are testing locally). The following steps show how in each browser.

Internet Explorer

1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

2. Paste in the address for Squared Up, and click Add, then Close, then OK.

3. Click on 'Local intranet' and then 'Custom level'.

4. Scroll to the bottom of the settings and check that one of the following settings are enabled:

  • Automatic logon with current user name and password
  • Automatic logon only in Intranet zone

Chrome

1. Chrome uses the Windows Internet Options settings. Navigate to Settings > Show Advanced Settings > Network > Change Proxy Settings (this opens the Internet Options dialog) > Security > Local intranet > Sites > Advanced

2. Paste in the address for Squared Up, and click Add, then Close, then OK.

3. Click on 'Local intranet' and then 'Custom level'.

4. Scroll to the bottom of the settings and check that one of the following settings are enabled:

  • Automatic logon with current user name and password
  • Automatic logon only in Intranet zone

FireFox

Type `about:config` in the location bar and add the Squared Up URL to `network.negotiate-auth.trusted-uris`, which allows Kerberos (Negotiate) authentication to that site. `network.automatic-ntlm-auth.trusted-uris` only permits NTLM, and NTLM credentials cannot be delegated on to SCOM. For more information see the following Firefox article.
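The Internet Explorer and Chrome steps above scripted, as an added example that is not part of the Squared Up article: it adds the Squared Up host names to the current user's Local intranet zone and reports the zone's logon setting. It assumes the per-user ZoneMap and Zones\1 registry locations that Internet Options writes to, and the host names are examples. Firefox keeps its own settings and is not covered by this script.

```powershell
# Added example; not from the Squared Up article. Run as the user who will browse to Squared Up.
$zoneMap      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$intranetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'

function Add-IntranetSite {
    param([Parameter(Mandatory)][string]$Fqdn, [string[]]$Schemes = @('http', 'https'))
    # Internet Options stores the DNS domain as a key and the host as a subkey, e.g.
    # ...\Domains\mydomain.local\squp01 with DWORD http = 1, where 1 is the Local intranet zone.
    $hostName, $domain = $Fqdn -split '\.', 2
    if (-not $domain) { throw 'Use the fully qualified name, e.g. squp01.mydomain.local' }
    $key = Join-Path (Join-Path $zoneMap $domain) $hostName
    New-Item -Path $key -Force | Out-Null
    foreach ($s in $Schemes) {
        New-ItemProperty -Path $key -Name $s -Value 1 -PropertyType DWord -Force | Out-Null
    }
    $key
}

function Get-IntranetLogonSetting {
    # Value 1A00 is the zone's "Logon" setting:
    #   0x00000 automatic logon with current user name and password   (SSO works)
    #   0x10000 prompt for user name and password
    #   0x20000 automatic logon only in Intranet zone                 (SSO works; the default)
    #   0x30000 anonymous logon
    $v = (Get-ItemProperty -Path $intranetZone -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -eq $v) { $v = 0x20000 }   # value absent: the default applies
    [pscustomobject]@{
        Logon      = ('0x{0:X5}' -f $v)
        SsoCapable = ($v -in 0x0, 0x20000)
    }
}

Add-IntranetSite -Fqdn 'squp01.mydomain.local'       # the Squared Up server
Add-IntranetSite -Fqdn 'squaredup.mydomain.local'    # load balancer / alias name, if you use one
Get-IntranetLogonSetting
```

If your domain pushes a "Site to Zone Assignment List" policy, the policy's list replaces the per-user entries, so the host must be added there instead; the logon setting check still applies.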


7. Check SPNs for browser to web server

a. Web server SPNs

If the Squared Up application pool identity is set to the default of NetworkService:

The web server authenticates as its computer account, and the computer account's HOST/ SPNs also cover HTTP, so no separate HTTP/ SPN is needed. Run the following:

setspn -Q host/<FQDN of the Squared Up web server>

e.g.

setspn -Q host/squp01.mydomain.local

The first line of the result should be the distinguished name (CN=...) of the Squared Up web server's computer account. Query the HTTP/ SPN for the same name in the same way and confirm it is not registered to any other account (for example a service account left over from an earlier configuration): an HTTP/ SPN on a different account means clients receive tickets encrypted with that account's key, so authentication fails or the browser falls back to NTLM, which cannot be delegated.


If the Squared Up application pool identity is set to a domain user account:

Register both the short and the fully qualified HTTP SPN on that account. 'setspn -s' checks the forest for an existing duplicate before adding and refuses if the SPN is already held elsewhere.

1. Run

setspn -s HTTP/SquaredUpServer MyDomain\SquaredUpIdentity

2. Run

setspn -s HTTP/SquaredUpServer.mydomain.net MyDomain\SquaredUpIdentity

Each HTTP/ SPN must exist on exactly one account. If it is also present on the computer account or on another service account, remove the duplicate (setspn -d); otherwise the KDC may issue tickets encrypted with the wrong key and authentication fails.


b. Check IIS Kerberos settings


Open IIS Manager and select Server > Default Web Site > SquaredUp > Authentication > Windows Authentication > Advanced Settings.

Verify that 'Enable Kernel-mode authentication' is checked. When kernel-mode authentication is on and the application pool runs as a domain user, 'useAppPoolCredentials' (section 5) must also be true, otherwise tickets are decrypted with the machine account's key instead of the pool identity's.
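The IIS checks from sections 3, 5 and 7b in one place, as an added example that is not code from the Squared Up article or product: it reads the Windows Authentication providers, 'useAppPoolCredentials' and kernel-mode settings for the Squared Up application together with the application pool identity, flags the combination that breaks Kerberos, and can apply the settings the article asks for. It assumes the WebAdministration module on the IIS server and the example application path shown; adjust the path to your install.

```powershell
# Added example; not from the Squared Up article. Run in an elevated PowerShell on the Squared Up server.
Import-Module WebAdministration

# Example values (assumed): change to where Squared Up is installed.
$appPath = 'IIS:\Sites\Default Web Site\SquaredUpv2'
$filter  = 'system.webServer/security/authentication/windowsAuthentication'

function Get-SquaredUpWinAuth {
    $auth     = Get-WebConfiguration -Filter $filter -PSPath $appPath
    $provs    = @((Get-WebConfiguration -Filter "$filter/providers/add" -PSPath $appPath).value)
    $poolName = (Get-Item $appPath).applicationPool
    $pm       = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
    $isDomainUser = ("$($pm.identityType)" -eq 'SpecificUser')
    $poolUser = if ($isDomainUser) { $pm.userName } else { "$($pm.identityType)" }

    $findings = @()
    if (-not $auth.enabled)                    { $findings += 'Windows Authentication is not enabled' }
    if ($provs -contains 'Negotiate:Kerberos') { $findings += "'Negotiate:Kerberos' is listed; replace it with plain 'Negotiate' (section 3)" }
    if ($provs -notcontains 'Negotiate')       { $findings += "'Negotiate' is missing from the provider list (section 3)" }
    if (-not $auth.useKernelMode)              { $findings += "'Enable Kernel-mode authentication' is unchecked (section 7b)" }
    # Kernel-mode authentication decrypts service tickets with the machine account's key unless
    # useAppPoolCredentials is true. A domain-user pool that owns the HTTP/ SPN receives tickets
    # encrypted with the user's key, so this combination fails (typically KRB_AP_ERR_MODIFIED).
    if ($auth.useKernelMode -and $isDomainUser -and -not $auth.useAppPoolCredentials) {
        $findings += "Pool runs as $poolUser with kernel-mode auth but useAppPoolCredentials is false (section 5)"
    }

    [pscustomobject]@{
        Application           = $appPath
        AppPool               = $poolName
        PoolIdentity          = $poolUser
        Providers             = $provs
        UseKernelMode         = [bool]$auth.useKernelMode
        UseAppPoolCredentials = [bool]$auth.useAppPoolCredentials
        Findings              = if ($findings) { $findings } else { @('OK') }
    }
}

function Repair-SquaredUpWinAuth {
    # Applies the settings from sections 3, 5 and 7b. If IIS reports the section is locked at
    # server level, unlock it first with:
    #   Set-WebConfiguration -Filter $filter -PSPath 'IIS:\' -Metadata overrideMode -Value Allow
    Set-WebConfigurationProperty -Filter $filter -PSPath $appPath -Name enabled               -Value $true
    Set-WebConfigurationProperty -Filter $filter -PSPath $appPath -Name useKernelMode         -Value $true
    Set-WebConfigurationProperty -Filter $filter -PSPath $appPath -Name useAppPoolCredentials -Value $true
    Remove-WebConfigurationProperty -Filter "$filter/providers" -PSPath $appPath -Name '.' `
        -AtElement @{ value = 'Negotiate:Kerberos' } -ErrorAction SilentlyContinue
    if ((Get-SquaredUpWinAuth).Providers -notcontains 'Negotiate') {
        Add-WebConfigurationProperty -Filter "$filter/providers" -PSPath $appPath -Name '.' -Value @{ value = 'Negotiate' }
    }
    # Section 1: the change takes effect after WAS (and with it W3SVC) restarts and tickets are purged.
    Restart-Service -Name WAS -Force
    & klist.exe purge | Out-Null
}

Get-SquaredUpWinAuth | Format-List
# Repair-SquaredUpWinAuth   # uncomment to apply the fixes, then run Get-SquaredUpWinAuth again
```

Run the check before and after any change; the Findings line tells you which section of this article to revisit.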


8. Check Kerberos Constrained Delegation settings for web server


Use IIS Manager to check the identity of the SquaredUp (or SquaredUpv2) application pool.


If the Squared Up application pool identity is set to the default of NetworkService:


In the AD Users and Computers console, open the properties of the Squared Up server's computer account and check the following on the Delegation tab:

> Trust this computer for delegation to the specified services only [checked]

> Use Kerberos only [checked]

> The list should show 'MSOMSdkSvc' on the management server that Squared Up is configured to connect to. If not, click Add, browse to the SCOM management server and select MSOMSdkSvc.

'Use any authentication protocol' (protocol transition) is not needed here and should stay unselected, and 'Trust this computer for delegation to any service' (unconstrained delegation) is not what Squared Up requires either.


If the Squared Up application pool identity is set to a domain user account:


In the AD Users and Computers console, open the properties of this user account and check the following on the Delegation tab. (The Delegation tab only appears on a user account once at least one SPN is registered on it, so complete section 7 first.)

> Trust this user for delegation to the specified services only [checked]

> Use Kerberos only [checked]

> The list should show 'MSOMSdkSvc' on the management server that Squared Up is configured to connect to. If not, click Add, browse to the SCOM management server and select MSOMSdkSvc.

After changing delegation settings, restart WAS and purge tickets again as in section 1.
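The delegation checks above queried from Active Directory, as an added example that is not part of the Squared Up article: it reads the allowed-to-delegate-to list and the two delegation flags for either the computer account or the domain user account and reports anything that differs from what the article asks for, plus a helper that adds the MSOMSdkSvc targets. It assumes the RSAT ActiveDirectory module and uses example account and server names.

```powershell
# Added example; not from the Squared Up article. Needs the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-SquaredUpDelegation {
    param(
        [Parameter(Mandatory)][string]$Identity,          # 'SQUP01$' for the computer account, 'svc_squaredup' for a user
        [Parameter(Mandatory)][string]$ManagementServer   # FQDN of the SCOM management server Squared Up connects to
    )
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $acct = if ($Identity.EndsWith('$')) { Get-ADComputer -Identity $Identity -Properties $props }
            else                          { Get-ADUser     -Identity $Identity -Properties $props }

    $short   = $ManagementServer.Split('.')[0]
    $targets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $hasSdk  = [bool]($targets | Where-Object { $_ -ieq "MSOMSdkSvc/$ManagementServer" -or $_ -ieq "MSOMSdkSvc/$short" })

    $findings = @()
    # TrustedForDelegation = "Trust this computer for delegation to any service" (unconstrained).
    # The article wants constrained delegation; unconstrained also lets the web server reuse any
    # connecting user's TGT against any service, so treat it as a misconfiguration.
    if ($acct.TrustedForDelegation)       { $findings += 'Unconstrained delegation is enabled; select "specified services only"' }
    # TrustedToAuthForDelegation = "Use any authentication protocol" (protocol transition).
    if ($acct.TrustedToAuthForDelegation) { $findings += '"Use any authentication protocol" is selected; select "Use Kerberos only"' }
    if ($targets.Count -eq 0)             { $findings += 'No delegation targets are configured' }
    elseif (-not $hasSdk)                 { $findings += "MSOMSdkSvc/$ManagementServer is not in the allowed list (have: $($targets -join ', '))" }

    [pscustomobject]@{
        Account  = $acct.SamAccountName
        Targets  = $targets
        Findings = if ($findings) { $findings } else { @('OK') }
    }
}

function Add-SquaredUpDelegationTarget {
    # Equivalent of Add > browse to the management server > select MSOMSdkSvc in the UI:
    # adds both the FQDN and short-name SPNs of the Data Access Service to the allowed list.
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$ManagementServer)
    $add = @{ 'msDS-AllowedToDelegateTo' = @("MSOMSdkSvc/$ManagementServer", "MSOMSdkSvc/$($ManagementServer.Split('.')[0])") }
    if ($Identity.EndsWith('$')) { Set-ADComputer -Identity $Identity -Add $add }
    else                         { Set-ADUser     -Identity $Identity -Add $add }
}

# Example names (assumed): the Squared Up server's computer account and the SCOM management server.
Get-SquaredUpDelegation -Identity 'SQUP01$' -ManagementServer 'scom01.mydomain.local'
# Add-SquaredUpDelegationTarget -Identity 'SQUP01$' -ManagementServer 'scom01.mydomain.local'
```

For a domain-user application pool pass the user's sAMAccountName (without a trailing $) as -Identity. Setting the targets through Set-ADComputer/Set-ADUser leaves both flags clear, which is exactly the "specified services only" plus "Use Kerberos only" combination the article requires.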


9. Check SPNs for web server to SCOM

Run the following:

setspn -Q MSOMSdkSvc/<FQDN of the SCOM management server>

e.g.

setspn -Q MSOMSdkSvc/scom01.mydomain.local

The first line of the result should be the distinguished name of the account that the System Center Data Access Service is running as. If that service runs as Local System, the MSOMSdkSvc SPNs are registered on the management server's computer account instead.

On the management server, open the Services console (services.msc) and check the 'Log On As' column of the System Center Data Access Service to confirm which account it runs as; it must be the account that holds the MSOMSdkSvc SPN, otherwise the web server cannot obtain a usable ticket for the SDK service.
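The SPN checks from section 7a (HTTP/ and HOST/ for the web server) and section 9 (MSOMSdkSvc/ for the management server) share one helper below, as an added example that is not part of the Squared Up article: it wraps 'setspn -Q' and 'setspn -L' to tell a missing SPN from a duplicate or one held by the wrong account, and looks up the account the Data Access Service (service name OMSDK) runs as so the expected owner is not guessed. It assumes setspn.exe is available, that the management server accepts remote CIM queries, and uses example host and account names.

```powershell
# Added example; not from the Squared Up article. Run from a domain-joined machine with setspn.exe.
function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # 'setspn -Q' prints the distinguished name of every account holding the SPN (more than one
    # DN means a duplicate) and ends with "Existing SPN found!" or "No such SPN found."
    $out    = @(& setspn.exe -Q $Spn 2>&1 | ForEach-Object { "$_".Trim() })
    $owners = @($out | Where-Object { $_ -match '^CN=' })
    [pscustomobject]@{
        Spn       = $Spn
        Found     = [bool]($out -match 'Existing SPN found')
        Owners    = $owners
        Duplicate = ($owners.Count -gt 1)
    }
}

function Test-SpnOwnedBy {
    # $Account is a sAMAccountName: the computer name (e.g. squp01) for a computer account,
    # or the user name (e.g. svc_squaredup) for a domain user.
    param([Parameter(Mandatory)][string]$Spn, [Parameter(Mandatory)][string]$Account)
    $r = Get-SpnOwner -Spn $Spn
    # 'setspn -L <account>' lists only the SPNs registered on that one account.
    $listed     = @(& setspn.exe -L $Account 2>&1 | ForEach-Object { "$_".Trim() })
    $onExpected = [bool]($listed | Where-Object { $_ -ieq $Spn })
    $status = if (-not $r.Found)        { "MISSING - register it with: setspn -S $Spn $Account" }
              elseif ($r.Duplicate)     { "DUPLICATE - held by $($r.Owners -join ' and '); keep exactly one" }
              elseif (-not $onExpected) { "WRONG ACCOUNT - held by $($r.Owners[0]), not $Account" }
              else                      { 'OK' }
    [pscustomobject]@{ Spn = $Spn; Status = $status }
}

function Get-SdkServiceAccount {
    param([Parameter(Mandatory)][string]$ManagementServer)
    # The System Center Data Access Service has the service name OMSDK. Remote CIM needs WinRM;
    # use Get-WmiObject (DCOM) instead if WinRM is not enabled on the management server.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ManagementServer -Filter "Name='OMSDK'"
    if (-not $svc) { throw "Service OMSDK not found on $ManagementServer" }
    $logon = $svc.StartName
    if ($logon -ieq 'LocalSystem')      { return $ManagementServer.Split('.')[0] }   # SPNs sit on the computer account
    if ($logon -match '^[^\\]+\\(.+)$') { return $Matches[1] }                       # DOMAIN\user
    if ($logon -match '^([^@]+)@')      { return $Matches[1] }                       # user@domain
    $logon
}

# --- Section 7a: browser to web server (example names) ---
$webServer   = 'squp01.mydomain.local'
$short       = $webServer.Split('.')[0]
$poolAccount = $short     # NetworkService uses the computer account; set the user name for a domain-user pool
if ($poolAccount -ieq $short) {
    Test-SpnOwnedBy -Spn "HOST/$webServer" -Account $poolAccount
    # HOST/ already covers HTTP, so an HTTP/ SPN on any other account is a leftover that breaks Kerberos.
    $stale = Get-SpnOwner -Spn "HTTP/$webServer"
    if ($stale.Found -and -not [bool]($stale.Owners -match "^CN=$short,")) {
        "STALE - HTTP/$webServer is registered on $($stale.Owners -join ', '); remove it with setspn -D"
    }
} else {
    "HTTP/$short", "HTTP/$webServer" | ForEach-Object { Test-SpnOwnedBy -Spn $_ -Account $poolAccount }
}

# --- Section 9: web server to SCOM (example name) ---
$mgmt       = 'scom01.mydomain.local'
$sdkAccount = Get-SdkServiceAccount -ManagementServer $mgmt
"MSOMSdkSvc/$($mgmt.Split('.')[0])", "MSOMSdkSvc/$mgmt" | ForEach-Object { Test-SpnOwnedBy -Spn $_ -Account $sdkAccount }
```

A DUPLICATE result is the one to fix first: while two accounts hold the same SPN the KDC cannot tell which key to use, and every other check in this article can look correct while authentication still fails.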



See also:

Kerberos Constrained Delegation | The user does not have sufficient permission to perform the operation

Kerberos Constrained Delegation - Setting up Single Sign-On

How to Set-Up Kerberos Constrained Delegation with a Load Balancer

How to sync dashboards between servers

Enable Integrated Windows Authentication