Objective: Setup either the Live Maps Web Console or Live Map Portal (our new HTML5 version) on a stand alone server using Windows Authentication using constrained delegation. Please do not follow this article if the portal is running on a mgmt server. Procedures detailed in this article may help for other scenarios. If you need any guidance, please contact support by emailing firstname.lastname@example.org.
Prerequisites: Live Maps Portal installed with Windows Authentication. This article was written with V7.5 and should work with installation of Live Maps V7+. For the sake of this article, it is setting up both the Live Maps Web Console and the Live Maps Unity Portal on the same server. Steps including in this article will be for both, with some sections indicated if it is only required for one or the other. Also it assumes you have read through the installation manuals and have meet minimum requirements including firewall issues.
Please Read the entire article before attempting to fix the issues. You many need to skip certain sections depending on your setup.
To fix the issue, it will require a user with permissions to set delegation in Active Directory as well as permissions to set SPNs.
It may seem that during the initial setup that the user is able to connect, but no one else. OR it works form the local server, but will not work from other computers. The problem is typically noticed after install when a user attempt to log into one of the Live Maps Web Consoles. In the case of the Live Maps Web Console, typically the user is prompted 3 times and then finally gets an Error 401. Also a user may find that it worked just after the initial install and then stopped working a little while later.
To correct this problem we must get past a Double Hop issue of Kerbersos. It also helps to understand the path that we take to authenticate. When a user connects to our Live Maps Web Console(s), it will in turn attempt to authenticate to the System Center Data Access Service on the management server. When the Live Maps Web Console is located on a separate server, then the service we are connecting to must have permission to delegate to the Data Access service. For Kerberos to work correctly everything must line up correctly. This document will attempt to help you connect the dots.
Operations Manager Setup
- From an Administrative CMD prompt type the following > setspn -Q */<servername of mgmt server>
- The servername should be the name of your mgmt server you have setup either Live Maps web consoles to connect to. The example below returned that the "msomsdksvc" SPNs are assigned to "CN=OM Data Access" User account. IF it doesn't find any existing SPNs, then proceed to step 4 under "To Fix SPNs on a Management Server".
- Verify if your System Center Data Access Service is running under a Domain User or Local System.
- setspn -D msomsdksvc/<Servername> <Servername>
- setspn -D msomsdksvc/<FQDN> <Servername>
3. List SPNs once again to verify the SPN have been removed from the server? setspn -L <Servername>
4. Next set the SPN to the Data Access service account by using the following commands.
- setspn -S msomsdksvc/<Servername> <Domain\DataAccessUser>
- setspn -S msomsdksvc/<FQDN> <Domain\DataAccessUser>
5. Finally another list to verify settings, this time for the data access user > setspn -L domain\user
NOTE: After making these changes you may experience a new alert in SCOM. Data Access Service SPN Not Registered. This is a bug in SCOM. Kevin Holman verifies this in his blog in the comments section. You can choose to ignore it or set an override to disable the alert.
Live Maps Web Server Setup
- Make sure that both App pools created during the install of the software are running under the same domain user. If not please set them to both run under the same domain user.
- Next verify that Windows Authentication is Enabled for each site. This is achieved from IIS Manager by either clicking on the website or the child application for Live Maps.
- Then on the in the middle section click on Authentication under IIS.
- Verify Windows Authentication is enabled. All others should be disabled.
- Right click on Windows Authentication and select Providers. Verify that "Negotiate" is listed first. This is the default setting, but it is always good to verify this step.
- From the Live Maps web site or child application, click on Configuration Editor under Management.
- Navigate to "system.webserver/security/authentication/windowsAuthentication"
- Set "useAppPoolCredentials" = True
- Once you have done this for both Live Maps Web sites( assuming you installed both), you can now exit IIS Manager and perform an IISRESET.
- setspn -Q HTTP/<Servername>
3. In our example, we currently don't have any SPNs for HTTP. Next is to add them to our App Pool Domain account.
NOTE: If you already have SPNs set for HTTP to another account(computer or user), verify they are not needed for another website before changing anything. This article assumes Live Maps is being installed on a stand alone server for Live Maps purposes only).
- setspn -S HTTP/<Servername> <Domain\App Pool User>
- setspn -S HTTP/<FQDN> <Domain\App Pool User>
- You will also need to set the SPN if you are using a friendly name to access the website. Example if you want to reference the website as http://livemaps.domain.name then you need to set the SPN > setspn -S HTTP/livemaps.domain.name <Domain\App Pool User>
Setting up Delegation
4. Click on "Add", then click on the "Users or Computers.." button.
5. Now this is the key, you must locate the DAS user account, then click on OK
6. Select the "msomsdksvc" for the mgmt server you are looking to connect the Live Maps Web Consoles too. Realize that you may see multiple servers registered to this account. If you want to allow Live Maps to connect to other Mgmt servers, then you can select all of them. Click on OK
7. Click on Apply then OK.
8. Repeat steps 4 through 7, except this time find the account running your MSSQLSvc. (this is only needed for the Live Maps Unity Portal).
9, When you are finished the Delegation tab should look something similar to this.
Browser Testing and Verification
It is recommended before testing from a different computer, that you conduct an IISRESET on the Live Maps web server. This typically clears out any Kerberos tickets that might have already been verified. Also log off and then back onto the different computer.