This article only applies to Squared Up Version 2.0. If you're looking for help with Squared Up Version 3.0, please visit our new knowledge base.

Overview

By default, Squared Up is installed with Forms Authentication enabled. If required, Squared Up can be configured to use Integrated Windows Authentication (IWA).

Forms Authentication

Forms Authentication requires a user to enter his or her username and password in order to log on to Squared Up. This enables Squared Up to make calls to remote servers using the identity of the logged-in user, which is required to connect to a remote SCOM management server.

Forms Authentication also enables users coming from clients that do not support Windows authentication - such as some mobile clients - to log on.

This is the default, and easiest configuration.

Windows Authentication

With Windows Authentication (also known as Integrated Windows Authentication (IWA) or Single Sign-On (SSO)) enabled, the browser automatically authenticates the user to Squared Up using their Windows credentials. The user does not need to explicitly log on to the application. This is sometimes called 'Single-Sign-On' because the user only has to log on once, to Windows.

If Squared Up is not installed on a SCOM management server then Kerberos Constrained Delegation must be configured for the Squared Up server in order to manage the 'double-hop'. See How to set up Single Sign-On using Kerberos Constrained Delegation and How to setup Kerberos Constrained Delegation with a load balancer.

For Open Access dashboards to work, Anonymous Authentication must be enabled whether you are using Forms or Windows Authentication. If Anonymous Authentication is disabled, Open Access features will not work as expected.

Instructions

The configuration tool (config.exe) performs all of the necessary steps to enable Windows authentication.

Modifying the configuration causes the web application to restart and all users will be logged off.

To enable Integrated Windows Authentication:

  • Open a command prompt (cmd.exe) on the Squared Up web server
  • Run:
c:\inetpub\wwwroot\squaredupv2\tools\config.exe windows

If Squared Up is not installed on a SCOM management server then the Squared Up server must be configured for Kerberos Constrained Delegation. Kerberos Constrained Delegation enables Squared Up to authenticate to the SCOM management server as the end user. See How to set up Single Sign-On using Kerberos Constrained Delegation. For a high availability, web farm or load balancer setup, see How to setup Kerberos Constrained Delegation with a load balancer.

To re-enable Forms Authentication:

  • Open a command prompt (cmd.exe) on the Squared Up web server
  • Run:

c:\inetpub\wwwroot\squaredupv2\tools\config.exe forms


To Manually Configure Integrated Windows Authentication

The configuration tool (config.exe) above performs all of the necessary steps. If, however, you wish to configure Integrated Windows Authentication manually, follow the steps below:

1. In IIS Manager expand the website where Squared Up is installed.

2. Click on the Squared Up application.

3. In the middle pane double-click on Authentication.

4. Disable Forms Authentication. For Open Access dashboards to work, Anonymous Authentication must be enabled whether you are using Forms or Windows Authentication. If Anonymous Authentication is disabled, Open Access features will not work as expected.

5. Enable Windows Authentication.

6. Click on 'Advanced Settings' under Actions on the right.

7. Ensure 'Extended Protection' is set to Off.

8. Ensure 'Enable Kernel-mode authentication' is On (ticked).

9. In the Providers list (under Actions on the right) ensure Negotiate is above NTLM using 'Move Up' and 'Move Down'. Negotiate allows the system to use the most secure available protocol, so placing it first ensures that NTLM is only used as a back-up. For more information, see Microsoft Negotiate.


10. Open the web.config file found under C:/inetpub/wwwroot/SquaredUpv2

11. Set allow-anonymous to false

<add key="allow-anonymous" value="false" />

12. Set disable-impersonation to false

<add key="disable-impersonation" value="false" />

13. Remove any existing authentication block under system.web and add the following:

<authentication mode="Windows">
  <forms loginUrl="~/logon/index"/>
</authentication>

14. Within system.web add the following:

<authorization>
  <deny users="?"/>
</authorization>
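
To confirm that the manual web.config edits in steps 10 to 14 took effect, the following PowerShell check can be run on the web server. It is an added example, not part of the original article or the Squared Up tooling; the function name Test-SquaredUpIwaConfig is hypothetical and the default path assumes the folder named in step 10.

```powershell
# Added example, not vendor code. Audits the web.config values set in steps 10-14.
# Assumes <configuration> has no default XML namespace (the usual case).
function Test-SquaredUpIwaConfig {
    param([string]$Path = 'C:\inetpub\wwwroot\SquaredUpv2\web.config')  # folder from step 10

    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $findings = @()

    # Steps 11 and 12: both appSettings keys must be present and "false".
    foreach ($key in 'allow-anonymous', 'disable-impersonation') {
        $node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
        if ($null -eq $node) {
            $findings += "appSettings key '$key' is missing"
        } elseif ($node.GetAttribute('value') -ne 'false') {
            $findings += "appSettings key '$key' is '$($node.GetAttribute('value'))', expected 'false'"
        }
    }

    # Step 13: exactly one authentication block under system.web, in Windows mode.
    $auth = @($cfg.SelectNodes('/configuration/system.web/authentication'))
    if ($auth.Count -ne 1) {
        $findings += "expected 1 <authentication> block under system.web, found $($auth.Count)"
    } elseif ($auth[0].GetAttribute('mode') -ne 'Windows') {
        $findings += "authentication mode is '$($auth[0].GetAttribute('mode'))', expected 'Windows'"
    }

    # Step 14: ASP.NET applies the first matching authorization rule, so
    # <deny users="?"/> must come before any rule that allows '*' or '?'.
    $state = 'missing'
    foreach ($rule in $cfg.SelectNodes('/configuration/system.web/authorization/*')) {
        $users = $rule.GetAttribute('users')
        if ($rule.LocalName -eq 'deny' -and $users -eq '?') { $state = 'ok'; break }
        if ($rule.LocalName -eq 'allow' -and $users -in '*', '?') { $state = 'shadowed'; break }
    }
    if ($state -eq 'missing') {
        $findings += 'no <deny users="?"/> rule under system.web/authorization'
    } elseif ($state -eq 'shadowed') {
        $findings += 'an <allow> rule for * or ? appears before any <deny users="?"/>, so anonymous requests are authorized'
    }

    return $findings   # empty result means steps 10-14 are in place
}

$result = Test-SquaredUpIwaConfig
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'web.config matches steps 10-14' }
```

The check covers web.config only; the IIS Authentication settings from steps 4 to 9 still need to be confirmed in IIS Manager.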

See also:

How to set up Single Sign-On using Kerberos Constrained Delegation

How to setup Kerberos Constrained Delegation with a load balancer

Troubleshooting Kerberos Constrained Delegation

401 - Unauthorized: Access is denied due to invalid credentials