This article only applies to Squared Up Version 2.0. If you're looking for help with Squared Up Version 3.0, please visit our new knowledge base.

Use this article if you have Windows Authentication configured and you wish to set up a load balancer.

You do not need to configure Kerberos Delegation if:

  • Forms Authentication (the default) is being used, because the logon details are 'passed through'. No further configuration is required.

The diagram above shows two Squared Up servers, a Primary and a Secondary server, using a load balancer.


In this article, we use the example of a KEMP load balancer, but the configuration will be similar for any load balancer. A KEMP load balancer is not a Windows machine; it needs static DNS entries for the load balancer management console and the Virtual Server. The Virtual Server is a listener on the load balancer that accepts incoming packets and then distributes the connection to “real” servers that are configured as part of the services.

Summary

Ensure Squared Up is installed and licensed on the Primary and Secondary servers. See Getting Started - Installing Squared Up and Licensing Multi-server Deployments.


1. Download and install load balancer software

2. Enable sticky sessions

3. Choose Authentication

4. Create Service Principal Names (SPNs) for the load balanced address

5. Configure Delegation in Active Directory

6. Set 'useAppPoolCredentials' to True.

7. Add Trusted Intranet Site

8. Check ‘license-server-name’ setting

9. Shared/Sync Access to Squared Up Dashboards



1. Download and install the load balancer software 

1. Download the load balancer software.  The Kemp Free LoadMaster software can be downloaded from here.

2. Install and set up the load balancer. For more information see Kemp Support. An installation guide should be included in your download.

For the Kemp load balancer, the configuration should now look similar to the following screenshots.

There should be one virtual service (VIP) and two real servers set up.

The real servers represent the addresses of the Primary and Secondary Squared Up instances. Your service should be set up to allow round robin scheduling to both the Primary and Secondary servers.


The status of the real servers and VIP will be green when they are up and available. If they are down the status will change to Red and will show as being down.


The DNS entries should look similar to the following screenshot.


2. Enable persistent (sticky) sessions

Sticky sessions (sometimes called server affinity, session affinity or persistence) enable all requests from an individual client to be sent to the same server in a server farm. In this case, for the KEMP load balancer, persistence is not turned on by default, but it is an option configurable for each service.

If your application is running on only one server, you can use the standard ASP.NET Session State without any problems. However, if you want your application to run in a server-cluster/server-farm, then you need to make sure that either the Session State is available from all the servers or you use the "sticky sessions" feature of your load-balancer.


If you are having issues with persistent sessions, you may need to switch to the ‘cookie insert’ persistence type.


3. Choose Authentication 

We strongly advise you use Forms authentication when setting up a load balancer and configure single sign on later only if necessary.

However, if you wish to configure Windows Authentication (SSO), you need to set this up on both the Primary and Secondary servers.


To enable Integrated Windows Authentication:

  • Open a command prompt (cmd.exe) on the Squared Up web server
  • Run:
c:\inetpub\wwwroot\squaredupv2\tools\config.exe windows


When using a load balancer between Squared Up servers, you need to use a domain service account, instead of Network Service, as the identity of the Squared Up application pool. This ensures that the same account is used on both servers, so that there are no duplicate SPNs. When using a domain service account, the delegation is configured on the user object in AD (not the computer object).


To see how to set this up, see How to configure Squared Up to use a Domain Service Account.


4. Create Service Principal Names (SPNs) for the load balanced address

We need to create SPNs for the lb1 account as it will not have any SPNs currently associated with it. Normally the SPNs would be associated with the Squared Up web server, but as we are using a load balancer for this setup, the SPNs should be associated with the load balancer. For more information on SPNs and how they work see here. We can set this up by running commands from a command prompt on the Domain Controller. The domain account used must have SCOM admin permissions.


1. From the Start button, type:

command prompt

2. Right click on the Command Prompt icon and click 'Run as administrator'.

3. Type:

setspn -s HTTP/lb1.<domain>.<tld> <domain>\<domain account>

4. Type:

setspn -s HTTP/lb1 <domain>\<domain account>



5. Configure Delegation in Active Directory

The next step is to enable the Squared Up application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.

To configure Kerberos constrained delegation:

1. On a domain controller, open 'Active Directory Users and Computers'.


2. If the Squared Up application pool is configured to use 'NetworkService', then navigate to the computer account for the web server. For example 'domain\webserver1'. If you have configured Squared Up to use a domain service account then navigate to this domain service account. For example, 'domain\svc-squaredup'. See How to check and modify the Application Pool Identity.

3. Right-click and select 'Properties'.

4. Click on the 'Delegation' tab.

If the 'Delegation' tab is not visible, first check that you are looking at the correct user or computer account, then check that the SPN has been set correctly for this user or computer as described above.

5. Check 'Trust this user/computer for delegation to specified services only'. (We could also set 'Trust this user/computer for delegation to any service', but this is less secure than defining a list of specified services.)

6. Click 'Add', then 'Users or Computers'.

7. If the System Center Data Access Service is running as 'Local System', locate the SCOM server. If the System Center Data Access Service is running as a service account locate that service account.

8. From the list of available services click on 'MSOMSdkSvc'.

    If the 'MSOMSdkSvc' service is not available, first check that you are looking at the correct user or computer account, then check that the SCOM SPNs are correct.




9. Click 'OK', and then 'Apply'.
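
The following PowerShell check is an added example, not part of the original article or of Squared Up's tooling. It verifies the results of steps 4 and 5: the load balancer SPNs exist on the service account only, and delegation is constrained to MSOMSdkSvc. The account name `svc-squaredup` is the article's example; `example.local` is a placeholder for `<domain>.<tld>`; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: read-only verification of steps 4 and 5.
# Values below are assumptions/placeholders; replace them with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-squaredup'   # domain service account running the app pool
$LbHost         = 'lb1'             # load-balanced host name used in step 4
$DnsDomain      = 'example.local'   # placeholder for <domain>.<tld>

$expectedSpns = @("HTTP/${LbHost}", "HTTP/${LbHost}.${DnsDomain}")
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName,
            'msDS-AllowedToDelegateTo', TrustedForDelegation
$findings = @()

# Step 4: each SPN must be registered on the service account and nowhere else.
foreach ($spn in $expectedSpns) {
    if ($acct.servicePrincipalName -notcontains $spn) {
        $findings += "Missing SPN $spn on $ServiceAccount"
    }
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
    if ($owners.Count -gt 1) {
        $findings += "Duplicate SPN $spn on: $($owners.DistinguishedName -join '; ')"
    }
}

# Step 5: 'any service' (unconstrained) delegation should not be set.
if ($acct.TrustedForDelegation) {
    $findings += "Unconstrained delegation ('any service') is enabled on $ServiceAccount"
}

# Step 5: the allowed-to-delegate list should contain MSOMSdkSvc and nothing else.
$targets = @($acct.'msDS-AllowedToDelegateTo')
if (-not ($targets -like 'MSOMSdkSvc/*')) {
    $findings += 'No MSOMSdkSvc entry in msDS-AllowedToDelegateTo'
}
$extra = $targets | Where-Object { $_ -and $_ -notlike 'MSOMSdkSvc/*' }
if ($extra) {
    $findings += "Delegation targets beyond MSOMSdkSvc: $($extra -join ', ')"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "SPNs and constrained delegation for $ServiceAccount look correct."
}
```

If the application pool runs as NetworkService instead, query the web server's computer account with `Get-ADComputer` and the same properties.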



6. Set 'useAppPoolCredentials' and 'useKernelMode' to True

Enable the setting 'useAppPoolCredentials' in IIS as shown below:

1. In IIS Manager expand the website where Squared Up is installed.

2. Click on the Squared Up application.

3. In the middle pane double-click on Configuration Editor.

4. In the 'Section' drop down navigate to system.webServer/security/authentication/windowsAuthentication.

5. Set 'useAppPoolCredentials' to true

6. Set 'useKernelMode' to True

7. Ensure that this section is configured as shown below:

8. Select 'Apply'.
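
The settings from this step can be read back with the WebAdministration module and compared between the Primary and Secondary servers. This is an added example, not part of the original article; the site name `Default Web Site` and application name `SquaredUpv2` are assumptions, so adjust them to your installation.

```powershell
# Added example: read-only report of the step 6 settings on one web server.
# Run it on both the Primary and the Secondary server and compare the output.
Import-Module WebAdministration

$Site   = 'Default Web Site'   # assumed site name
$App    = 'SquaredUpv2'        # assumed application name
$Filter = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WinAuthSetting([string]$Name) {
    # The section is stored in applicationHost.config under a <location> tag.
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$Site/$App" -Filter $Filter -Name $Name).Value
}

# Resolve the application pool and the identity it runs as.
$pool  = (Get-WebApplication -Site $Site -Name $App).applicationPool
$model = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel

$report = [pscustomobject]@{
    Server                = $env:COMPUTERNAME
    WindowsAuthEnabled    = Get-WinAuthSetting 'enabled'
    UseAppPoolCredentials = Get-WinAuthSetting 'useAppPoolCredentials'
    UseKernelMode         = Get-WinAuthSetting 'useKernelMode'
    AppPool               = $pool
    IdentityType          = $model.identityType
    UserName              = $model.userName
}
$report | Format-List

# The SPNs from step 4 belong to the domain service account, so the pool must
# run as that account and IIS must use its credentials to decrypt tickets.
if (-not $report.UseAppPoolCredentials -or -not $report.UseKernelMode) {
    Write-Warning 'useAppPoolCredentials and useKernelMode should both be True.'
}
if ($report.IdentityType -ne 'SpecificUser') {
    Write-Warning "App pool '$pool' is not running as a domain service account."
}
```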


7. Add the site to the local intranet zone and check user authentication logon

We need to add the address of the load balancer to the local intranet zone, and check the user authentication logon option. The following steps indicate how to do this in each browser on the server.

Internet Explorer

1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

2. Paste in the address for Squared Up, and click Add, then Close, then OK.

3. Click on 'Local intranet' and then 'Custom level'.

4. Scroll to the bottom of the settings and check that one of the following settings is enabled:

  • Automatic logon with current user name and password
  • Automatic logon only in Intranet zone

Chrome

1. Navigate to Settings > Show Advanced Settings > Network > Change Proxy Settings > Security > Local intranet > Sites > Advanced

2. Paste in the address for Squared Up, and click Add, then Close, then OK.

3. Click on 'Local intranet' and then 'Custom level'.

4. Scroll to the bottom of the settings and check that one of the following settings is enabled:

  • Automatic logon with current user name and password
  • Automatic logon only in Intranet zone

Firefox

Type `about:config` in the location bar, then double-click on `network.automatic-ntlm-auth.trusted-uris`. For more information on this, see the following article: Firefox.


8. Check ‘license-server-name’ setting

Ensure the Secondary ‘license-server-name’ setting is set to the fully qualified domain name of the primary server. See Licensing Multi-server Deployments.

9. Shared/Sync Access to Squared Up Dashboards

In a load balanced Squared Up environment, you want to share dashboards between the Primary and Secondary instances to keep them in sync. See How to sync dashboards between servers.



The load balancer will load balance sessions to either the Primary or Secondary instance and you can see this through the Active Connections statistics information as shown below.


More information


More information about KEMP:

Persistence

Layer 7 Persistence Methods

Download the Kemp Free LoadMaster software

Kemp Support.


Squared Up customer Jasper Van Damme has written a detailed blog about how he set up Squared Up for high availability:

https://dynamicdatacenter.wordpress.com/2015/09/01/setting-up-a-high-available-squaredup-webfarm/


If you are experiencing issues configuring Kerberos Constrained Delegation please see Troubleshooting Kerberos Constrained Delegation.


See also:

Kerberos Constrained Delegation - Setting up Single Sign-On

Troubleshooting Kerberos Constrained Delegation

Licensing Multi-server Deployments

How to sync dashboards between servers