This article only applies to Squared Up Version 2.0. If you're looking for help with Squared Up Version 3.0, please visit our new knowledge base

When to use this article

Use this article if you have Windows Authentication configured, Squared Up is not installed on the SCOM server, and when the Squared Up application pool identity is set to the default of NetworkService.


You do not need to configure Kerberos Delegation if:

  • Windows Authentication has been configured and Squared Up is installed on the SCOM server. No further configuration is required.
  • Forms Authentication (the default) is being used, because the logon details are 'passed through'. No further configuration is required.


Use alternative articles in these cases:


Overview

If Windows Authentication has been configured and Squared Up is not installed on the SCOM server, then Kerberos Delegation should be configured as described in this article. This is to allow the successful authentication across the two hops from the client to the Squared Up server then to the SCOM server (known as a 'double-hop'). This involves configuring SPNs and 'Delegation' in the Active Directory to allow Squared Up to delegate credentials to SCOM’s System Centre Data Access Service (MSOMSdkSvc).



[Figure: Kerberos delegation diagram (Kerberos_diagram.svg), showing the client, the Squared Up web server and the SCOM server]

Kerberos is a protocol that defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC) and present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials. For more information on Kerberos and how it operates, see here. In a Windows domain, Active Directory takes on the role of the KDC, and each service that accepts Kerberos tickets must have a Service Principal Name (SPN) registered in Active Directory. Once an SPN is registered it maps the service to the Windows account under which that service runs, which is how the KDC knows which account's key to encrypt the service ticket with.


The steps for configuring Kerberos Constrained Delegation on the Squared Up web server are the same as for the SCOM web console.


Ensure Squared Up is installed and licensed; see Getting Started - Installing Squared Up.


Summary of Steps


1. Enable Integrated Windows Authentication.

2. Set 'useAppPoolCredentials' to True.

3. Configure Delegation.

4. Check Service Principal Names (SPNs).

5. Add the site to the local intranet zone and check user authentication logon

6. Clear caches


1. Enable Integrated Windows Authentication (if not already enabled)

To enable Integrated Windows Authentication:

  • Open a command prompt (cmd.exe) on the Squared Up web server
  • Run:
c:\inetpub\wwwroot\squaredupv2\tools\config.exe windows

For more information see Enable Integrated Windows Authentication

2. Set 'useAppPoolCredentials' to True

Enable the setting 'useAppPoolCredentials' in IIS as shown below:

1. In IIS Manager expand the website where Squared Up is installed.

2. Click on the Squared Up application.

3. In the middle pane double-click on Configuration Editor.

4. In the 'Section' drop down navigate to system.webServer/security/authentication/windowsAuthentication.

5. Set 'useAppPoolCredentials = true'

6. Ensure that the section now shows 'useAppPoolCredentials' set to True.

7. Select 'Apply'.
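The same change can be made and verified from PowerShell with the IIS WebAdministration module, which is useful when Squared Up is deployed on more than one web server. This is an added example, not part of the Squared Up article; the site name 'Default Web Site' and application name 'squaredupv2' are assumptions and must be adjusted to match the IIS layout on your server.

```powershell
# Added example (not from the Squared Up article): read and, if needed, set
# useAppPoolCredentials for the Squared Up application, then read it back.
# Site and application names are assumptions; change them to match your IIS layout.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: IIS site hosting Squared Up
$appName  = 'squaredupv2'        # assumption: Squared Up application name
$psPath   = "IIS:\Sites\$siteName\$appName"
$filter   = 'system.webServer/security/authentication/windowsAuthentication'

# Windows Authentication itself must already be enabled (step 1); check that first.
$enabled = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enabled
if (-not $enabled.Value) {
    throw "Windows Authentication is not enabled for $psPath; complete step 1 before continuing."
}

$before = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name useAppPoolCredentials
Write-Host "useAppPoolCredentials (before): $($before.Value)"

if (-not $before.Value) {
    # Same setting the Configuration Editor writes; IIS stores it as a <location>
    # entry for the application in applicationHost.config.
    Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name useAppPoolCredentials -Value $true
}

# Read back so the script's output confirms what the 'Apply' step would show.
$after = Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name useAppPoolCredentials
Write-Host "useAppPoolCredentials (after) : $($after.Value)"
```

Run it in an elevated PowerShell session on the Squared Up web server; the module is installed with the IIS Management Scripts and Tools feature.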

3. Configure Delegation

This article is based on the application pool identity being set to the NetworkService account.  If your application pool identity is set to a domain service account see How to configure Squared Up to use a domain service account.


Configure delegation to the System Centre Data Access Service (MSOMSdkSvc); this allows Squared Up to connect to the SCOM Data Access Service on behalf of the user logging on.

1. On the domain controller, open 'Active Directory Users and Computers', click on 'Computers', and then right-click on the Squared Up server and select 'Properties'.

2. Select the 'Delegation' tab.

3. Check 'Trust this computer for delegation to specified services only' (We could also set 'Trust this computer for delegation to any service', but this is less secure than defining a list of specified services.)

4. Click 'Add', then 'Users or Computers', and locate the SCOM server.

5. From the list of available services click on 'MSOMSdkSvc' and click 'OK'.



6. Click 'Apply'.
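The Delegation tab writes its service list to the computer object's msDS-AllowedToDelegateTo attribute, so the same configuration can be applied with the Active Directory PowerShell module. This is an added example and not part of the Squared Up article; the server and domain names are placeholders, and it assumes the MSOMSdkSvc SPN has already been registered for the SCOM server's SDK service account (which is what makes the service appear in the Delegation tab's list).

```powershell
# Added example (not from the Squared Up article): configure constrained delegation
# from the Squared Up computer account to MSOMSdkSvc on the SCOM server only.
# Server and domain names are placeholders; replace them with your own.
Import-Module ActiveDirectory

$squaredUpServer = 'SquaredUpServer'   # placeholder: IIS server running Squared Up
$scomServer      = 'SCOMServerName'    # placeholder: SCOM management server
$domain          = 'domain.tld'        # placeholder: DNS domain name

# Short-name and FQDN forms of the SDK service SPN, matching what the Delegation tab adds.
$targets = @("MSOMSdkSvc/$scomServer.$domain", "MSOMSdkSvc/$scomServer")

# The Delegation tab only offers services whose SPN exists in AD; check before delegating.
$query = (setspn -Q "MSOMSdkSvc/$scomServer") -join "`n"
if ($query -notmatch 'Existing SPN found') {
    throw "No MSOMSdkSvc SPN is registered for $scomServer; register it on the SDK service account first."
}

$computer = Get-ADComputer -Identity $squaredUpServer -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation

# 'Trust this computer for delegation to any service' sets TrustedForDelegation; it is broader
# than this article needs, so flag it rather than silently layering a constrained list on top.
if ($computer.TrustedForDelegation) {
    Write-Warning "$squaredUpServer is trusted for unconstrained delegation; use 'specified services only' instead."
}

# Add only the entries that are missing so the script can be re-run safely.
$missing = $targets | Where-Object { $computer.'msDS-AllowedToDelegateTo' -notcontains $_ }
if ($missing) {
    Set-ADComputer -Identity $squaredUpServer -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
}

# Read back the final list; this is what the Delegation tab displays under 'specified services'.
(Get-ADComputer -Identity $squaredUpServer -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

Run it as an account permitted to modify the Squared Up computer object (writing msDS-AllowedToDelegateTo requires a delegated right or domain admin membership), and allow for replication before testing from another domain controller.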

4. Check Service Principal Names

1. On the domain controller open Windows PowerShell and run the following to check for SPNs on the IIS server running Squared Up:

 setspn -L <SquaredUpServerName>


For example:

 setspn -L SquaredUpServer


You should have an output similar to the following:


Registered ServicePrincipalNames for CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld:
    HOST/SquaredUpServer
    HOST/SquaredUpServer.domain.tld
    WSMAN/SquaredUpServer.domain.tld
    WSMAN/SquaredUpServer
    TERMSRV/SquaredUpServer.domain.tld
    TERMSRV/SquaredUpServer
    RestrictedKrbHost/SquaredUpServer
    RestrictedKrbHost/SquaredUpServer.domain.tld


2. Check that the following SPNs are listed:


HOST/SquaredUpServer
HOST/SquaredUpServer.domain.tld


Where `tld` is the top level domain.


3. If these SPNs are not listed, go back to section 3 above 'Configure Delegation' and check the configuration.


4. To check that the delegation has all been set up, run the following PowerShell which shows which services the machine account is allowed to delegate to:


Get-ADObject "CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld" -Properties msDS-AllowedToDelegateTo


Where `CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld` is the Distinguished Name (DN) returned from the previous command.

You should have an output similar to the following:

    DistinguishedName : CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld
    msDS-AllowedToDelegateTo : {MSOMSdkSvc/SCOMServerName.domain.tld, MSOMSdkSvc/SCOMServerName}
    Name : SquaredUpServer
    ObjectClass : computer
    ObjectGUID : f044abee-7ea2-49c6-8704-de379fecd1d4


This information maps to the 'Trust this computer for delegation to specified services only' checkbox.
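The manual checks in steps 1 to 4 of this section can be gathered into one read-only script, which also looks for duplicate SPNs, a common cause of Kerberos failing even when every SPN listed above is present. This is an added example, not part of the Squared Up article; the server and domain names are placeholders and the script changes nothing in Active Directory.

```powershell
# Added example (not from the Squared Up article): read-only verification of the
# SPNs and delegation entries described in sections 3 and 4. Names are placeholders.
Import-Module ActiveDirectory

$squaredUpServer = 'SquaredUpServer'   # placeholder: IIS server running Squared Up
$scomServer      = 'SCOMServerName'    # placeholder: SCOM management server
$domain          = 'domain.tld'        # placeholder: DNS domain name
$problems = @()

# 1. HOST SPNs on the web server's computer account, short name and FQDN (setspn -L output is tab-indented).
$spns = setspn -L $squaredUpServer | ForEach-Object { $_.Trim() }
foreach ($required in @("HOST/$squaredUpServer", "HOST/$squaredUpServer.$domain")) {
    if ($spns -notcontains $required) { $problems += "Missing SPN on $squaredUpServer`: $required" }
}

# 2. Constrained delegation list, read via the computer object's DN as in step 4.
$dn  = (Get-ADComputer -Identity $squaredUpServer).DistinguishedName
$obj = Get-ADObject -Identity $dn -Properties 'msDS-AllowedToDelegateTo'
foreach ($required in @("MSOMSdkSvc/$scomServer.$domain", "MSOMSdkSvc/$scomServer")) {
    if ($obj.'msDS-AllowedToDelegateTo' -notcontains $required) {
        $problems += "$squaredUpServer is not allowed to delegate to: $required"
    }
}

# 3. The SDK service SPN must be registered on exactly one account for the KDC to issue a ticket for it.
$query = (setspn -Q "MSOMSdkSvc/$scomServer") -join "`n"
if ($query -notmatch 'Existing SPN found') { $problems += "MSOMSdkSvc/$scomServer is not registered in AD" }

# 4. Duplicate SPNs anywhere in the forest make Kerberos fall back to NTLM, which breaks the double hop.
$dupes = setspn -X
if (($dupes -join "`n") -notmatch 'found 0 group') {
    $problems += "setspn -X reports duplicate SPNs:`n" + ($dupes -join "`n")
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "SPNs and constrained delegation for $squaredUpServer -> $scomServer look correct."
}
```

Comparisons with -notcontains are case-insensitive, so an SPN registered as host/servername is still matched; a warning from section 4 of the script (duplicates) should be resolved before revisiting the delegation settings.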


More support on SPNs can be found here, How to use SPNs when you configure Web applications that are hosted on Internet Information Services.


For more information about SPNs please refer to the following Microsoft article https://technet.microsoft.com/en-us/library/cc961723.aspx

5. Add the site to the local intranet zone and check user authentication logon

We need to add the address of the Squared Up server to the local intranet zone, and check the user authentication logon option.
The following steps indicate how to do this in each browser on the server.

Internet Explorer

1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

2. Paste in the address for Squared Up, and click Add, then Close, then OK.

3. Click on 'Local intranet' and then 'Custom level'.

4. Scroll to the bottom of the settings and check that one of the following settings is enabled:

  • Automatic logon with current user name and password
  • Automatic logon only in Intranet zone

Chrome

1. Navigate to Settings > Show Advanced Settings > Network > Change Proxy Settings > Security > Local intranet > Sites > Advanced

2. Paste in the address for Squared Up, and click Add, then Close, then OK.

3. Click on 'Local intranet' and then 'Custom level'.

4. Scroll to the bottom of the settings and check that one of the following settings is enabled:

  • Automatic logon with current user name and password
  • Automatic logon only in Intranet zone

Firefox

Type `about:config` in the location bar, then double-click on `network.automatic-ntlm-auth.trusted-uris` and add the address of the Squared Up server. For more information on this see the following article: Firefox.
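Internet Explorer and Chrome both read the Windows Internet Options, so the two settings above can be confirmed from PowerShell by reading the per-user registry keys they are stored in. This is an added example, not part of the Squared Up article; the host name and domain are placeholders, and it assumes the settings are user-configured rather than enforced by Group Policy (policy-assigned zones live under a separate ZoneMapKey value and are not read here).

```powershell
# Added example (not from the Squared Up article): report which zone the Squared Up
# address is mapped to and which 'Logon' option the Local intranet zone uses.
# Host and domain are placeholders; replace them with the Squared Up URL's host name.
$squaredUpHost = 'SquaredUpServer'   # placeholder: host part of the Squared Up URL
$domain        = 'domain.tld'        # placeholder: DNS domain name

$zoneMap      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$intranetUser = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'  # zone 1 = Local intranet
$intranetMach = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'

# Zone numbers used by the ZoneMap: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# A single-label host is stored directly under Domains\<host>; an FQDN under Domains\<domain>\<host>.
# A DWORD value named after the scheme (http or https) holds the zone number for that scheme.
function Get-ZoneAssignment($keyPath, $scheme) {
    if (Test-Path $keyPath) {
        $zone = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).$scheme
        if ($null -ne $zone) { return $zoneNames[[int]$zone] }
    }
    return 'not mapped (zone decided by IE heuristics)'
}

foreach ($scheme in 'http', 'https') {
    $short = Get-ZoneAssignment "$zoneMap\$squaredUpHost" $scheme
    $fqdn  = Get-ZoneAssignment "$zoneMap\$domain\$squaredUpHost" $scheme
    Write-Host ("{0,-5} {1,-30} -> {2}" -f $scheme, $squaredUpHost, $short)
    Write-Host ("{0,-5} {1,-30} -> {2}" -f $scheme, "$squaredUpHost.$domain", $fqdn)
}

# The 'Logon' option under User Authentication is URL action 1A00 of the zone key.
$logonNames = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$logon = (Get-ItemProperty -Path $intranetUser -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
if ($null -eq $logon) {
    # No per-user override: the machine-wide zone template applies.
    $logon = (Get-ItemProperty -Path $intranetMach -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
}
$logonText = if ($null -ne $logon) { $logonNames[[int]$logon] } else { 'not set' }
Write-Host "Local intranet 'Logon' option: $logonText"

# Only the first two options send the current user's credentials, which the Kerberos hop needs.
if ($logon -ne 0 -and $logon -ne 0x20000) {
    Write-Warning "Logon option will not send the user's Windows credentials automatically."
}
```

Run it as the user whose browser is being tested, since the ZoneMap and the 1A00 override are per-user settings; an address that reports 'not mapped' for both forms is what the Sites > Advanced step above fixes.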

6. Clear caches

1. To apply the changes you have made you need to restart the 'Windows Process Activation Service' on the IIS server. You can do this through Server Manager, Services > Windows Process Activation Service.

2. You will also need to flush several Kerberos ticket caches. You can do this by running 'klist purge' in PowerShell or cmd on your SCOM management server, the Squared Up machine, and your client machine.


If you are experiencing issues configuring Kerberos Constrained Delegation please see Troubleshooting Kerberos Constrained Delegation.


See also:

How to Set-Up Kerberos Constrained Delegation with a Load Balancer

How to sync dashboards between servers

Troubleshooting Kerberos Constrained Delegation

Enable Integrated Windows Authentication

How to configure Squared Up to use a domain service account

Distinguished Names