Objective

Set up either the Live Maps Web Console or the Live Maps Portal (our new HTML5 version) on a stand-alone server using Windows Authentication with constrained delegation. Do not follow this article if the portal is running on a management server. The procedures detailed here may help in other scenarios. If you need any guidance, contact support by emailing support@savision.com.

Prerequisites: Live Maps Portal installed with Windows Authentication. This article was written for V7.5 and should work with any installation of Live Maps V7+. For the purposes of this article, both the Live Maps Web Console and the Live Maps Unity Portal are being set up on the same server. The steps included cover both, with some sections marked as required only for one or the other. It also assumes you have read the installation manuals and met the minimum requirements, including firewall settings.

Please read the entire article before attempting to fix the issue. You may need to skip certain sections depending on your setup.

Fixing the issue requires a user with permissions to configure delegation in Active Directory as well as permissions to set SPNs.

It may seem during the initial setup that the installing user is able to connect but no one else can, or that it works from the local server but not from other computers. The problem is typically noticed after installation when a user attempts to log into one of the Live Maps Web Consoles. In the case of the Live Maps Web Console, the user is typically prompted 3 times and then finally receives an Error 401. A user may also find that it worked just after the initial install and then stopped working a little while later.

If you are setting up the Live Maps Unity Portal, a user may instead be prompted with the following error message: "The credentials you provided were incorrect or do not have sufficient privileges to connect to System Center Operations Manager."

To correct this problem we must get past the Kerberos double-hop issue. It also helps to understand the path taken to authenticate. When a user connects to one of our Live Maps Web Consoles, the console in turn attempts to authenticate to the System Center Data Access Service on the management server. When the Live Maps Web Console is located on a separate server, the service we are connecting to (the Live Maps web application) must have permission to delegate to the Data Access Service. For Kerberos to work correctly, everything must line up. This document will attempt to help you connect the dots.

Operations Manager Setup 

  • From an administrative CMD prompt, type the following: setspn -Q */<servername of mgmt server>
    • The servername should be the name of the management server you have set up the Live Maps web consoles to connect to. In our example the query returned that the "msomsdksvc" SPNs are assigned to the "CN=OM Data Access" user account. If it doesn't find any existing SPNs, proceed to step 4 under "To Fix SPNs on a Management Server".

  • Verify whether your System Center Data Access Service is running under a domain user or under Local System.

Do the 2 results match up? That is, are the SPNs assigned to the same user that runs the Data Access Service, or are the SPNs assigned to the management server's computer account while the System Center Data Access Service runs under Local System?

If the answer is YES, proceed to the section labeled SQL Server Setup. If the answer is NO, continue below to fix this issue.

To Fix SPNs on a Management Server

Instructions for fixing an SPN can be found all over the web, but this article shows what they should look like based on Kevin Holman's System Center blog post. This post will only take you through changing a single management server from an SPN assigned to the local computer account to the domain user running the Data Access Service. Keep in mind that you may need to do the opposite if your Data Access Service runs under Local System.

1. Always start by listing the current SPNs: setspn -L <servername of mgmt server>

2. You must delete any existing SPNs for msomsdksvc. This can be done with the following commands.
  • setspn -D msomsdksvc/<Servername> <Servername>
  • setspn -D msomsdksvc/<FQDN> <Servername>

3. List the SPNs once again to verify they have been removed from the server: setspn -L <Servername>

4. Next, set the SPNs on the Data Access Service account with the following commands.

  • setspn -S msomsdksvc/<Servername> <Domain\DataAccessUser>
  • setspn -S msomsdksvc/<FQDN> <Domain\DataAccessUser>

5. Finally, list once more to verify the settings, this time for the Data Access user: setspn -L <Domain\DataAccessUser>

NOTE: After making these changes you may see a new alert in SCOM: "Data Access Service SPN Not Registered". This is a bug in SCOM; Kevin Holman confirms this in the comments section of his blog. You can choose to ignore it or set an override to disable the alert.

Live Maps Web Server Setup

1. First, configure IIS.

  • Make sure that both app pools created during the software install run under the same domain user. If not, set them both to run under the same domain user.

  • Next, verify that Windows Authentication is enabled for each site. In IIS Manager, click on either the website or the child application for Live Maps.
    • Then, in the middle pane, click on Authentication under IIS.
    • Verify that Windows Authentication is enabled. All others should be disabled.
    • Right-click on Windows Authentication and select Providers. Verify that "Negotiate" is listed first. This is the default setting, but it is always good to verify this step.
  • From the Live Maps web site or child application, click on Configuration Editor under Management.

  • Navigate to "system.webserver/security/authentication/windowsAuthentication" 

  • Set "useAppPoolCredentials" = True
  • Once you have done this for both Live Maps websites (assuming you installed both), exit IIS Manager and perform an IISRESET.

2. Next, find out whether any SPNs are already set for the HTTP service (this also covers HTTPS) by running the following command from an administrative cmd prompt:
  • setspn -Q HTTP/<Servername>

3. In our example there are currently no SPNs for HTTP. Next, add them to the app pool domain account.

NOTE: If you already have HTTP SPNs set on another account (computer or user), verify they are not needed by another website before changing anything. This article assumes Live Maps is being installed on a stand-alone server used for Live Maps only.

  • setspn -S HTTP/<Servername> <Domain\App Pool User>
  • setspn -S HTTP/<FQDN> <Domain\App Pool User>
  • You will also need to set an SPN if you use a friendly name to access the website. For example, if you want to reference the website as http://livemaps.domain.name, then set: setspn -S HTTP/livemaps.domain.name <Domain\App Pool User>

4. Verify your results by listing the SPNs: setspn -L <Domain\App Pool User>

Setting up Delegation

It is better to set up constrained delegation so that we authorize delegation only to a specific service instead of to all services on every server. In this example we continue with the theme of delegating from the Live Maps web server to the Data Access Service. To do this:

1. In Active Directory, find the domain app pool user account, right-click it and select Properties.

2. Click on the Delegation Tab.

3. Select "Trust this computer for delegation to specified services only" and leave it on "Use Kerberos only".

4. Click "Add", then click the "Users or Computers..." button.

5. This is the key step: locate the DAS (Data Access Service) user account, then click OK.

6. Select "msomsdksvc" for the management server you want the Live Maps Web Consoles to connect to. You may see multiple servers registered to this account; if you want to allow Live Maps to connect to other management servers, you can select all of them. Click OK.

7. Click Apply, then OK.

8. Repeat steps 4 through 7, this time finding the account running the MSSQLSvc service (only needed for the Live Maps Unity Portal).

9. When you are finished, the Delegation tab should look similar to this.
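As an added, read-only check (this is example code written for this article, not Savision's own tooling), the following PowerShell script verifies each condition the procedure above sets up: the msomsdksvc SPNs on the DAS account, the HTTP SPNs on the app pool account, the constrained delegation entry, and the IIS settings. Run it on the Live Maps web server with the RSAT ActiveDirectory and WebAdministration modules available; every server, account and app pool name in it is an assumed placeholder.

```powershell
# Assumed placeholder values; replace them with your own environment's names.
$MgmtServer    = 'scom01.corp.example'        # management server FQDN
$WebServer     = 'livemaps01.corp.example'    # Live Maps web server FQDN
$FriendlyName  = 'livemaps.corp.example'      # DNS alias used in the browser URL (if any)
$DasUser       = 'CORP\svcOMDAS'              # account running the System Center Data Access Service
$AppPoolUser   = 'CORP\svcLiveMapsPool'       # identity of both Live Maps app pools
$LiveMapsPools = @('LiveMapsPool1', 'LiveMapsPool2')   # the two app pools the installer created
$AuthLocations = @('Default Web Site')        # site and/or child application paths to check in IIS

Import-Module ActiveDirectory
Import-Module WebAdministration
$script:ok = $true
function Check([bool]$cond, [string]$msg) {
    if ($cond) { Write-Host "[PASS] $msg" } else { Write-Host "[FAIL] $msg"; $script:ok = $false }
}

# 1. msomsdksvc SPNs must be on the DAS account and must NOT also remain on the
#    management server's computer object (a duplicate SPN breaks Kerberos).
$das      = Get-ADUser ($DasUser.Split('\')[1]) -Properties servicePrincipalName
$mgmtComp = Get-ADComputer ($MgmtServer.Split('.')[0]) -Properties servicePrincipalName
foreach ($spn in "msomsdksvc/$($MgmtServer.Split('.')[0])", "msomsdksvc/$MgmtServer") {
    Check ($das.servicePrincipalName -contains $spn) "DAS account holds $spn"
    Check (-not ($mgmtComp.servicePrincipalName -contains $spn)) "mgmt computer object does not duplicate $spn"
}

# 2. An HTTP SPN for every name users type into the browser must be on the app pool account.
$pool = Get-ADUser ($AppPoolUser.Split('\')[1]) -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
foreach ($name in @($WebServer.Split('.')[0], $WebServer, $FriendlyName)) {
    Check ($pool.servicePrincipalName -contains "HTTP/$name") "app pool account holds HTTP/$name"
}

# 3. Constrained delegation from the app pool account to the DAS SPN, Kerberos only
#    (TrustedToAuthForDelegation = $false means protocol transition is off).
Check ($pool.'msDS-AllowedToDelegateTo' -contains "msomsdksvc/$MgmtServer") "delegation allowed to msomsdksvc/$MgmtServer"
Check (-not $pool.TrustedToAuthForDelegation) "delegation tab is set to 'Use Kerberos only'"

# 4. IIS: both pools share the domain identity; Windows auth on, Negotiate first, useAppPoolCredentials on.
foreach ($apName in $LiveMapsPools) {
    $pm = (Get-ItemProperty "IIS:\AppPools\$apName").processModel
    Check ($pm.identityType -eq 'SpecificUser' -and $pm.userName -ieq $AppPoolUser) "$apName runs as $AppPoolUser"
}
$wa = 'system.webServer/security/authentication/windowsAuthentication'
foreach ($loc in $AuthLocations) {
    $p = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $loc; Filter = $wa }
    Check ((Get-WebConfigurationProperty @p -Name enabled).Value) "Windows Authentication enabled on $loc"
    Check ((Get-WebConfigurationProperty @p -Name useAppPoolCredentials).Value) "useAppPoolCredentials set on $loc"
    $first = (Get-WebConfiguration "$wa/providers/add" -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $loc | Select-Object -First 1).value
    Check ($first -eq 'Negotiate') "Negotiate is the first provider on $loc"
}
if ($script:ok) { Write-Host 'All Kerberos delegation checks passed.' } else { Write-Host 'One or more checks failed; see the [FAIL] lines above.' }
```

Any [FAIL] line points back to the corresponding section of this article; the script changes nothing, so it is safe to rerun after each fix.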

Browser Testing and Verification

Before testing from a different computer, it is recommended that you run an IISRESET on the Live Maps web server. This typically clears any Kerberos tickets that have already been issued. Also log off and back on at the other computer.

Add the web server address to either the Trusted Sites or Local Intranet zone in IE. Keep in mind that the Local Intranet zone typically allows single sign-on, while Trusted Sites typically prompts for user credentials. Much of this depends on Group Policy and how your company is set up. Initial testing should be done with Internet Explorer. Once it is working with IE, you can test other browsers; each browser has its own requirements for Windows Authentication to work, so keep that in mind.