June 14, 2016

New HTML5 SSP for SCSM: Windows Authentication issue on a dedicated server

For some reason the new Self-Service Portal (HTML5) does not authenticate users if it is deployed on a dedicated server that does not also host the SCSM Management Server role. The portal has to pass the logged-on user's identity on to the SCSM SDK service (SPN MSOMSdkSvc) on the management server, and that second hop only works with Kerberos delegation; NTLM cannot forward the user's credentials, so the portal simply fails to authenticate.
In our case an additional management server could not (or would not) be installed, but some configuration changes in the demo lab showed us that the SSP works correctly if Kerberos delegation is configured exactly as for an ordinary ASP.NET application :)
The general procedure is described here.

Our additions for the SSP

- New VM with Windows Server 2012 R2, without the SCSM management server role
- IIS role enabled
- New SSP installed, plus all current updates

Step 1:
Check the SPNs on the SCSM service account (in our case the SCSM service account is SANDBOX\scsmsvc).
On the DC run "setspn -L SANDBOX\scsmsvc":
SCSM01 is our first (sandboxed) Service Manager server, and the MSOMSdkSvc SPN for it must be listed. Other SPNs may be present as well; that is OK.
Warning: all SPNs must be set with setspn.exe, NOT by editing the servicePrincipalName attribute directly in ADSI Edit. A duplicate SPN (the same HTTP name on two accounts) breaks Kerberos for every host involved, so use "setspn -S" instead of "-A" if you want the tool to refuse duplicates, and "setspn -X" to find existing ones.
Set HTTP SPNs for both the NetBIOS name and the FQDN of our new Windows Server 2012 R2 host with the SSP:
"setspn -A http/scsmssp SANDBOX\scsmsvc"
"setspn -A http/scsmssp.sandbox.local SANDBOX\scsmsvc"
The portal can of course have any other name; in our sandbox we are fine with the plain server name. Keep in mind that the client requests a ticket for the host name it typed into the browser, so if users reach the portal through a DNS alias, the HTTP SPN must be registered for that alias as well.
Step 2:
Once the SPNs are set, the Delegation tab shows up on the service account user in the AD console (the tab only appears for accounts that have at least one SPN):
On that tab select "Trust this user for delegation to any service (Kerberos only)", or better the next, more restrictive option ("Trust this user for delegation to specified services only", listing only the MSOMSdkSvc service on the management server). In our case we are OK with the middle option, but note that "any service" is unconstrained delegation: a compromised portal server could then impersonate any user who authenticated to it against any service in the domain, so outside a lab prefer the constrained option.
And, just in case, un-check this checkbox on the account:

Step 3:
Go to our new Windows Server 2012 R2 host with the HTML5 SSP and open the IIS console.
Check the application pool of the SSP: it must run under our SCSM service account (Identity).
If it does not, change it in Advanced Settings.

Check and set the site's authentication to ASP.NET Impersonation and Windows Authentication, with Anonymous Authentication disabled (otherwise IIS never challenges the client and the user arrives anonymous):
Go to Configuration Editor,
to the section "system.webServer/security/authentication/windowsAuthentication",
and configure the setting like this:
After that it is done; from other systems, authentication to the SSP with domain user credentials works as expected:
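As an added example (my own script, not part of the original post or of the SCSM product), here are Steps 1 to 3 as one PowerShell script, plus a client-side check. The service account, host names, SPNs and management server name are the ones from the post. Everything else is my assumption, because the post's screenshots are not reproduced here: the site and application pool names ("SelfServicePortal"), that the checkbox un-checked in Step 2 is "Account is sensitive and cannot be delegated", and the windowsAuthentication values (useAppPoolCredentials=true, because the HTTP SPN sits on the service account rather than on the machine account, so kernel-mode authentication must decrypt tickets with the app pool identity). The AD part needs the RSAT ActiveDirectory module and domain-admin rights; the IIS part runs locally on the SSP server as an administrator.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Values marked ASSUMPTION are not in the post.
param(
    [string]$ServiceAccount = 'SANDBOX\scsmsvc',            # from the post
    [string]$PortalHost     = 'scsmssp',                    # from the post (NetBIOS name)
    [string]$PortalFqdn     = 'scsmssp.sandbox.local',      # from the post
    [string]$ScsmServer     = 'SCSM01',                     # from the post (management server)
    [string]$SiteName       = 'SelfServicePortal',          # ASSUMPTION: IIS site name of the SSP
    [string]$AppPoolName    = 'SelfServicePortal',          # ASSUMPTION: application pool of the SSP
    [switch]$Constrained,                                   # "specified services only" instead of "any service"
    [switch]$SkipIis                                        # run only the AD part (e.g. from a DC)
)
$ErrorActionPreference = 'Stop'
$sam = $ServiceAccount.Split('\')[-1]

# ---------- Step 1: SPNs. Always via setspn.exe, never by editing the attribute directly. ----------
$spnList = (& setspn -L $ServiceAccount) -join "`n"
if ($spnList -notmatch 'MSOMSdkSvc/') {
    throw "No MSOMSdkSvc SPN on $ServiceAccount; fix the management server registration first."
}
foreach ($spn in "http/$PortalHost", "http/$PortalFqdn") {
    if ($spnList -match [regex]::Escape($spn)) { "SPN already present: $spn"; continue }
    # -S (unlike -A used in the post) refuses to add an SPN that already exists on another account
    & setspn -S $spn $ServiceAccount | Out-Null
    "Added SPN: $spn -> $ServiceAccount"
}
# Duplicate SPNs anywhere in the domain break Kerberos for the hosts involved; review this output.
& setspn -X

# ---------- Step 2: delegation on the service account. ----------
Import-Module ActiveDirectory
$dnsRoot = (Get-ADDomain).DNSRoot                        # e.g. sandbox.local
if ($Constrained) {
    # Least privilege: Kerberos-only constrained delegation to the SDK service on SCSM01 only.
    # This is the "specified services only" option of the Delegation tab.
    $targets = @("MSOMSdkSvc/$ScsmServer", "MSOMSdkSvc/$ScsmServer.$dnsRoot")
    Set-ADUser -Identity $sam -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
    Set-ADAccountControl -Identity $sam -TrustedForDelegation $false
} else {
    # The post's middle option: "Trust this user for delegation to any service (Kerberos only)".
    # Unconstrained delegation: the account can impersonate any authenticated user to any service.
    Set-ADAccountControl -Identity $sam -TrustedForDelegation $true
}
# ASSUMPTION about the un-checked checkbox: "Account is sensitive and cannot be delegated".
# If it were set, delegation would be refused regardless of the settings above.
Set-ADAccountControl -Identity $sam -AccountNotDelegated $false
Get-ADUser -Identity $sam -Properties TrustedForDelegation, AccountNotDelegated, 'msDS-AllowedToDelegateTo', servicePrincipalName |
    Select-Object SamAccountName, TrustedForDelegation, AccountNotDelegated, 'msDS-AllowedToDelegateTo', servicePrincipalName

if ($SkipIis) { return }

# ---------- Step 3: on the SSP server, app pool identity and authentication. ----------
Import-Module WebAdministration
$cred = Get-Credential -UserName $ServiceAccount -Message 'Password of the SCSM service account'
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
$pool.processModel.identityType = 'SpecificUser'
$pool.processModel.userName     = $ServiceAccount
$pool.processModel.password     = $cred.GetNetworkCredential().Password
$pool | Set-Item

$site = "IIS:\Sites\$SiteName"
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
# Anonymous must be off, otherwise IIS never sends the 401 challenge and no Kerberos exchange happens.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter $winAuth -Name enabled -Value $true
# ASSUMPTION for the Configuration Editor screenshot: kernel mode stays on, but tickets must be
# decrypted with the app pool account's key, since that is where the HTTP SPN is registered.
Set-WebConfigurationProperty -PSPath $site -Filter $winAuth -Name useKernelMode -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $winAuth -Name useAppPoolCredentials -Value $true
# ASP.NET Impersonation, so the request to the SDK service runs as the portal user (the second hop).
Set-WebConfigurationProperty -PSPath $site -Filter 'system.web/identity' -Name impersonate -Value $true
Restart-WebAppPool -Name $AppPoolName

# ---------- Check from a domain-joined client (run there, not on the servers). ----------
# A ticket for the portal SPN must be issued; if this fails, the browser falls back to NTLM and the
# second hop to MSOMSdkSvc breaks. Expected: "Server: HTTP/$PortalFqdn @ <REALM>" in the output.
#   klist purge
#   klist get HTTP/$PortalFqdn
```

The AD changes are not picked up by tickets that are already cached, so after running this, purge the ticket cache on the SSP server and on the test client (klist purge) or just log off and on again. The -Constrained switch implements the post's "more restrictive next bullet": the portal account may then delegate only to MSOMSdkSvc on SCSM01, which is all the SSP needs.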