This article only applies to Squared Up Version 2.0. If you're looking for help with Squared Up Version 3.0, please visit our new knowledge base

You may wish to set the Squared Up application pool to use a custom domain service account instead of the default NetworkService account.

Summary

Ensure Squared Up is installed and licensed, see Getting Started - Installing Squared Up.

1. Change the Application Pool Identity

2. Check authentication

3. Set 'useAppPoolCredentials' and 'useKernelMode' to True

4. Configure Kerberos Constrained Delegation

a. Create Service Principal Names (SPNs)

b. Configure Delegation in Active Directory

5. Add the site to the local intranet zone and check user authentication logon

6. Clear caches

1. Change the Application Pool Identity and Apply permissions

Along with changing the application pool identity, it is essential that you run the Squared Up configuration tool to give the new application pool identity write permissions to the Squared Up directories, and give the new identity access to the data warehouse. These steps are described in the article Checking and modifying the application pool identity.


2. Check Authentication

If you are using forms authentication (the default and the simplest option), no further configuration is necessary.

If you wish to use single sign-on, then you should configure windows authentication as described below, and then complete the steps in the rest of the article to allow it to work.


To enable Integrated Windows Authentication:

  • Open a command prompt (cmd.exe) on the Squared Up web server
  • Run:
c:\inetpub\wwwroot\squaredupv2\tools\config.exe windows

For more information see Enable Integrated Windows Authentication (Single-Sign-On)


3. Set 'useAppPoolCredentials' and 'useKernelMode' to True

When using Windows Authentication with a custom application pool identity you need to set 'useAppPoolCredentials' and 'useKernelMode' to True. Kernel-mode authentication decrypts Kerberos service tickets with the machine account's key, but because the HTTP SPNs are registered on the service account (see section 4A) the tickets are encrypted to that account instead. 'useAppPoolCredentials' tells kernel mode to use the application pool identity's credentials; without it the server cannot decrypt the tickets, and authentication fails or falls back to NTLM, which cannot be delegated:


1. In IIS Manager expand the website where Squared Up is installed.

2. Click on the Squared Up application.

3. In the middle pane double-click on Configuration Editor.

4. In the 'Section' drop down navigate to system.webServer/security/authentication/windowsAuthentication.

5. Set 'useAppPoolCredentials' to true

6. Set 'useKernelMode' to True

7. Click 'Apply'.
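The same change made from PowerShell with the WebAdministration module, as an added example (not code from the Squared Up article or product). It assumes the site is 'Default Web Site' and the application is 'squaredupv2'; adjust both to match your installation. It reads the values back afterwards and lists the Negotiate/NTLM provider order, which is worth knowing because a client that falls back to NTLM will pass the first hop and then fail at SCOM.

```powershell
# Added example: set useAppPoolCredentials and useKernelMode for the Squared Up
# application and verify them. Run elevated on the Squared Up web server.
Import-Module WebAdministration

$site     = 'Default Web Site'      # assumed IIS site name
$app      = 'squaredupv2'           # assumed application name under the site
$location = "$site/$app"
$filter   = 'system.webServer/security/authentication/windowsAuthentication'
$psPath   = 'MACHINE/WEBROOT/APPHOST'

# Record the current values first so the change is auditable
$before = Get-WebConfiguration -PSPath $psPath -Location $location -Filter $filter
"Before: enabled=$($before.enabled) useAppPoolCredentials=$($before.useAppPoolCredentials) useKernelMode=$($before.useKernelMode)"

foreach ($name in 'useAppPoolCredentials', 'useKernelMode') {
    Set-WebConfigurationProperty -PSPath $psPath -Location $location -Filter $filter -Name $name -Value $true
}

# Read back and fail loudly if either setting did not stick
$after = Get-WebConfiguration -PSPath $psPath -Location $location -Filter $filter
if (-not ($after.useAppPoolCredentials -and $after.useKernelMode)) {
    throw "windowsAuthentication settings were not applied for $location"
}
"After:  enabled=$($after.enabled) useAppPoolCredentials=$($after.useAppPoolCredentials) useKernelMode=$($after.useKernelMode)"

# Provider order: Negotiate must come before NTLM for Kerberos to be tried first.
# NTLM cannot be delegated, so a fallback to it shows up later as a failed second hop.
$providers = Get-WebConfiguration -PSPath $psPath -Location $location -Filter "$filter/providers/add" |
             Select-Object -ExpandProperty value
"Providers (in order): $($providers -join ', ')"
if ($providers -and $providers[0] -ne 'Negotiate') {
    Write-Warning "Negotiate is not the first provider; Kerberos will not be attempted first"
}
```

'enabled' should already be true after running config.exe windows in section 2; if it is false, Windows Authentication is not switched on and the other two settings have no effect.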

4. Configure Kerberos Constrained Delegation


If you are using Windows Authentication and Squared Up is not installed on the SCOM management server, follow the instructions below to configure Kerberos Constrained Delegation. This solves the 'double hop' problem: the user authenticates to the Squared Up server with Kerberos, and the Squared Up server must then authenticate to the SCOM server as that user. Kerberos only allows the second hop if the application pool identity is trusted to delegate, so you configure SPNs and delegation in Active Directory to allow Squared Up to delegate credentials to SCOM's System Center Data Access Service (MSOMSdkSvc). NTLM cannot be delegated, so any client that falls back to NTLM at the first hop will fail at the second.


You do not need to configure Kerberos Delegation if:

  • Windows Authentication has been configured and Squared Up is installed on the SCOM server. No further configuration is required.
  • Forms Authentication (the default) is being used, because the logon details are 'passed through'. No further configuration is required.


A. Configure Service Principal Names (SPNs) 

When using a domain service account for the Squared Up application pool identity it is necessary to add SPNs to that account. For more information on SPNs and how they work see here. In the following example SPNs are created for a combination of domain user account 'MyDomain\SquaredUpIdentity' and computer account 'SquaredUpServer.mydomain.net'


1. From Start button type:

command prompt


2. Right click on the Command Prompt icon and click 'Run as administrator'.


3. Type:

setspn -s HTTP/SquaredUpServer MyDomain\SquaredUpIdentity


Where 'SquaredUpIdentity' is the username of the domain service account which is set as the Squared Up Application Pool identity, and where 'SquaredUpServer' is the name of the server where Squared Up is installed.


4. Then type:

setspn -s HTTP/SquaredUpServer.mydomain.net MyDomain\SquaredUpIdentity


Where 'SquaredUpIdentity' is the username of the domain service account which is set as the Squared Up Application Pool identity, and where 'SquaredUpServer.mydomain.net' is the Fully Qualified Domain Name of the server where Squared Up is installed. The -s switch checks the forest for a duplicate before adding; if it reports that the SPN already exists on another account, resolve that first, because a duplicate SPN stops Kerberos working for both accounts. Register the HTTP SPNs on the service account only, not on the computer account as well.


B. Configure Delegation in Active Directory

Next we must configure Delegation in Active Directory to allow the Squared Up application pool identity to delegate credentials to SCOM.


1. On your domain controller open Active Directory Users and Computers.

2. Locate the user you have set as the Squared Up application pool identity (it may be in an OU other than Users), right-click it and select Properties.

3. Select the Delegation tab. If the Delegation tab is missing, it means that the SPN has not been set correctly for this user, see the section above.

4. Check ‘Trust this user for delegation to specified services only’ (We could also set ‘Trust this user for delegation to any service’, but this is less secure than defining a list of specified services.)

5. Click Add, then Users or Computers, and locate the SCOM management server. If the System Center Data Access Service runs as a domain account rather than Local System, its MSOMSdkSvc SPNs are registered on that account, so locate the account instead of the computer.

6. From the list of available services click on ‘MSOMSdkSvc’ and click OK.



7. Click Apply.
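The whole of section 4 (SPN registration in A and constrained delegation in B) scripted with the RSAT ActiveDirectory module, as an added example that is not part of the Squared Up article. It uses the article's placeholder names for the service account and web server and assumes a SCOM management server called 'SCOMServer' in mydomain.net; it must run as an account allowed to edit the service account. Beyond the GUI steps it refuses to create a duplicate SPN, checks that the MSOMSdkSvc SPNs it is about to delegate to actually exist, and reads everything back.

```powershell
# Added example: register HTTP SPNs on the app pool account and set Kerberos
# constrained delegation to the SCOM Data Access Service, then verify.
Import-Module ActiveDirectory

$poolAccount = 'SquaredUpIdentity'            # sAMAccountName of the app pool identity
$webHost     = 'SquaredUpServer'               # Squared Up server short name
$webFqdn     = 'SquaredUpServer.mydomain.net'
$scomHost    = 'SCOMServer'                    # assumed SCOM management server short name
$scomFqdn    = 'SCOMServer.mydomain.net'       # assumed

$httpSpns   = "HTTP/$webHost", "HTTP/$webFqdn"
# MSOMSdkSvc/<host> is the SPN the SCOM Data Access Service registers for itself
$targetSpns = "MSOMSdkSvc/$scomHost", "MSOMSdkSvc/$scomFqdn"

$poolDn = (Get-ADUser -Identity $poolAccount).DistinguishedName

# 1. A duplicate SPN anywhere in the forest breaks Kerberos for that service, so
#    stop if an HTTP SPN is already held by a different object (what 'setspn -s' checks).
foreach ($spn in $httpSpns) {
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
              Where-Object { $_.DistinguishedName -ne $poolDn }
    if ($owners) { throw "$spn is already registered on $($owners.DistinguishedName -join '; ')" }
}

# 2. Add the HTTP SPNs to the service account
Set-ADUser -Identity $poolAccount -ServicePrincipalNames @{Add = $httpSpns}

# 3. Confirm the SCOM side publishes the SPNs we are about to delegate to. They sit on
#    the SDK service account when the Data Access Service runs as a domain account,
#    or on the computer account when it runs as Local System.
foreach ($spn in $targetSpns) {
    $holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if (-not $holder) { throw "$spn is not registered in AD; fix the SCOM SDK SPNs first" }
    "$spn -> $($holder.DistinguishedName)"
}

# 4. Constrained delegation. msDS-AllowedToDelegateTo is the attribute behind
#    'Trust this user for delegation to specified services only'. We deliberately do not
#    set TrustedToAuthForDelegation (protocol transition) or TrustedForDelegation
#    (unconstrained); neither is needed for a Kerberos-only double hop.
Set-ADUser -Identity $poolAccount -Add @{'msDS-AllowedToDelegateTo' = $targetSpns}

# 5. Read everything back
$acct = Get-ADUser -Identity $poolAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
                                                        TrustedForDelegation, TrustedToAuthForDelegation
"SPNs:                $($acct.servicePrincipalName -join ', ')"
"AllowedToDelegateTo: $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
"Unconstrained (TrustedForDelegation): $($acct.TrustedForDelegation)"
"Protocol transition (TrustedToAuthForDelegation): $($acct.TrustedToAuthForDelegation)"
if ($acct.TrustedForDelegation) {
    Write-Warning "$poolAccount is trusted for unconstrained delegation; prefer the constrained list above"
}
```

If step 3 throws, the problem is on the SCOM side and no amount of delegation configuration on the Squared Up account will fix it; the Delegation tab in the GUI hides this because it only lists services it can find.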



5. Add the site to the local intranet zone and check user authentication logon

Add the address used to reach Squared Up (for a load-balanced deployment, the load balancer's address; see How to setup Kerberos Constrained Delegation with a load balancer) to the Local intranet zone, and check that automatic logon is enabled for that zone. Browsers only send the current user's Windows credentials silently to sites in the Local intranet zone; for any other zone they prompt or send nothing, and single sign-on fails. The following steps show how to do this in each browser for testing.


To get this setting on every client machine you will need to add the sites to the local Intranet sites on all clients using Group Policy, see http://clintboessen.blogspot.co.uk/2013/09/ie-10-prompting-for-credentials-windows.html


Internet Explorer

1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

2. Paste in the address for Squared Up, and click Add, then Close, then OK.

3. Click on 'Local intranet' and then 'Custom level'.

4. Scroll to the bottom of the settings and check that one of the following settings are enabled:

  • Automatic logon with current user name and password
  • Automatic logon only in Intranet zone

Chrome

1. Navigate to Settings > Show Advanced Settings > Network > Change Proxy Settings > Security > Local intranet > Sites > Advanced

2. Paste in the address for Squared Up, and click Add, then Close, then OK.

3. Click on 'Local intranet' and then 'Custom level'.

4. Scroll to the bottom of the settings and check that one of the following settings are enabled:

  • Automatic logon with current user name and password
  • Automatic logon only in Intranet zone

FireFox

Type `about:config` in the location bar and set `network.negotiate-auth.trusted-uris` to the Squared Up site address (for example `https://SquaredUpServer.mydomain.net`); this is the preference that allows Kerberos (Negotiate) single sign-on. `network.automatic-ntlm-auth.trusted-uris` controls NTLM only, and since NTLM cannot be delegated it does not help with the second hop. For more information on this see the following article FireFox.
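The Internet Explorer and Chrome steps above write to the current user's zone map in the registry, so for a test client they can be applied and checked from PowerShell. This is an added example, not from the Squared Up article; it assumes the site is reached as http://squaredupserver.mydomain.net. For all clients use the Group Policy 'Site to Zone Assignment List' instead, as the article says; Firefox does not read the zone map and is configured separately.

```powershell
# Added example: put the Squared Up site in the Local intranet zone for the current
# user and report the zone's automatic-logon setting.
$hostName = 'squaredupserver'     # assumed
$domain   = 'mydomain.net'        # assumed
$scheme   = 'http'                # use 'https' if the site is served over TLS

# Zone map: HKCU\...\ZoneMap\Domains\<domain>\<host>, value <scheme> (DWORD) = zone id.
# Zone 1 is Local intranet.
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostName"
New-Item -Path $zoneKey -Force | Out-Null
Set-ItemProperty -Path $zoneKey -Name $scheme -Value 1 -Type DWord
"Mapped $scheme`://$hostName.$domain to zone $((Get-ItemProperty -Path $zoneKey).$scheme) (1 = Local intranet)"

# Logon setting for zone 1 is value 1A00:
#   0x00000000 = Automatic logon with current user name and password
#   0x00010000 = Prompt for user name and password
#   0x00020000 = Automatic logon only in Intranet zone (the default)
#   0x00030000 = Anonymous logon
$zone1 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1'
$logon = (Get-ItemProperty -Path $zone1 -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
switch ($logon) {
    0       { 'Zone 1 logon: automatic with current credentials'; break }
    0x20000 { 'Zone 1 logon: automatic only in Intranet zone'; break }
    $null   { 'Zone 1 logon: not set in HKCU, default (automatic in Intranet zone) or policy applies'; break }
    default { Write-Warning ("Zone 1 logon is 0x{0:X}; the browser will prompt or send no credentials" -f $logon) }
}
```

If the value is set under HKLM by policy (a Group Policy zone assignment, or 'Security Zones: Use only machine settings'), the HKCU key is ignored; check the same paths under HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings in that case.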


6. Clear caches

1. To apply the changes you have made, restart the 'Windows Process Activation Service' on the IIS server. You can do this through Server Manager, Services > Windows Process Activation Service (restarting it also restarts the World Wide Web Publishing Service and the application pools, so the Squared Up pool starts with its new identity and a fresh Kerberos logon session).

2. Flush the Kerberos ticket caches by running 'klist purge' in PowerShell or cmd on your SCOM management server, the Squared Up server and your client machine. Note that 'klist purge' only clears the ticket cache of the logon session it runs in; the client user's cache matters most, because a service ticket for HTTP/SquaredUpServer obtained before the SPN and delegation changes will keep being presented until it is purged or the user logs off and on again. The application pool identity's tickets are discarded when the service restarts in the previous step.
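Once the caches are cleared and a test user has opened a Squared Up dashboard, the quickest way to confirm that both hops used Kerberos is to read Security event 4624 (successful logon) on each server: on the Squared Up server the user's network logon should show the Kerberos authentication package, and on the SCOM management server a Kerberos network logon for the same user coming from the Squared Up server's address is the delegated second hop. The script below is an added example, not from the Squared Up article; it assumes a test user named 'alice' and default logon auditing, and should be run elevated on the Squared Up server and then on the SCOM management server.

```powershell
# Added example: list network logons (type 3) for a user from Security event 4624
# and warn if any of them used NTLM, which cannot be delegated to SCOM.
param(
    [string]$User    = 'alice',    # assumed test user (sAMAccountName)
    [int]   $Minutes = 15
)

$since  = (Get-Date).AddMinutes(-$Minutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # The fields we need are in the EventData section of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -eq '3' -and $d.TargetUserName -ieq $User) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Package = $d.AuthenticationPackageName     # 'Kerberos' or 'NTLM'
            Source  = $d.IpAddress                     # client on the web server, web server on SCOM
        }
    }
}

$logons | Sort-Object Time | Format-Table -AutoSize

if (-not $logons) {
    Write-Warning "No network logons for $User in the last $Minutes minutes on $env:COMPUTERNAME"
} elseif ($logons.Package -contains 'NTLM') {
    Write-Warning "NTLM logon seen for $User on $env:COMPUTERNAME. NTLM cannot be delegated, so the hop to SCOM will fail; re-check the SPNs (section 4A) and the intranet-zone setting (section 5)."
} else {
    "All network logons for $User on $env:COMPUTERNAME in the last $Minutes minutes used Kerberos."
}
```

On the client, 'klist' after loading a dashboard should show a ticket for HTTP/SquaredUpServer.mydomain.net; if there is none, the browser never attempted Kerberos, which usually points at the zone or trusted-URI configuration in section 5 rather than at delegation.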


If you are experiencing issues configuring Kerberos Constrained Delegation please see Troubleshooting Kerberos Constrained Delegation.


See also:

How to set up Single Sign-On using Kerberos Constrained Delegation

Troubleshooting Kerberos Constrained Delegation

Licensing Multi-server Deployments

How to sync dashboards between servers

How to setup Kerberos Constrained Delegation with a load balancer