June 14, 2016

New HTML5 SSP for SCSM, Windows Authentication issue on dedicated server

 
On some reason, new Self-Service Portal (HTML5) doesn't authenticate user, if it was deployed on dedicated server without SCSM Management service on them...
In our case, additional management server can't (or won't) be installed, but some config manipulations in demo lab, showed to us, that SSP works correctly, if Kerberos delegation configure exactly like, for common ASP.NET application :)
General manipulations described here.

Our Additions, for SSP

Prep:
- New VM with Windows Server 2012 R2, without SCSM management server
- Activated IIS Role
- Installed new SSP + all current updates

Step 1:
Check SPN for SCSM Service Account (in our case SCSM service account is: SANDBOX\scsmsvc)
Go to DC server and run command "setspn -L SANDBOX\scsmsvc":
image
SCSM01 – is our sandboxed first service management SCSM server, and SPN MSOMSdkSvc – must be here, also, here may be some other SPN, it is OK.
Warning: all SPN must be set by setspn.exe NOT ADSI attribute directly editing…
Set HTTP SPN for NetBIOS and FQDN names of our new Windows 2012 Server with SSP:
"setspn -A  http/scsmssp SANDBOX\scsmsvc"
"setspn -A  http/scsmssp.sandbox.local SANDBOX\scsmsvc"
image
Actually, there can be any other portal name, in our sandbox, we good with simple server name.
Step 2:
After SPN set, in AD console on Service Account user, must showed up Delegation Tab:
image
And in that TAB we need set “Trust this user for delegation to any service (Kerberos only)” or more strongly next bullet… (in our case, we OK with this middle bullet)
And, just in case, un-check this checkbox:
image

Step 3:
Go to our new Windows Server 2012 with HTML5 SSP, in IIS console
image
We need to check Application Pool for SSP, it need to be run from our SCSM Service Account (Identity)
If it not, change it in Advanced Settings
image

Check and set server authentication to ASP.NET Impersonation and Windows Authentication:
image
Go to Configuration Editor:
image
in this section "system.webServer/security/authentication/windowsAuthentication"
image
this setting must be configured like that:
image
and it is done, from another systems, authentication for SSP with domain user credentials working as expected:
image



Tags: ,

7 comments:

  1. santhosh kumar20 December, 2016 01:38

    Nice blog Thanks for sharing
    Web Designing training in chennai

    ReplyDelete
  2. Денис Яркин20 December, 2016 02:19

    yourwelcome

    ReplyDelete
  3. Mark Boyer04 January, 2017 07:48

    Great post! I followed it and everything was working perfect for a day. Now I am either getting the SCSM default Error.cshtml page or it prompts for credentials. Any suggestions for me to try? Thanks!

    ReplyDelete
    Replies
    1. Денис Яркин05 January, 2017 23:38

      I suggest some of AD policy rewrite your settings, can you recheck it?

      Delete
  4. Mani23 March, 2018 01:25


    Wonderful post. I am learning so many things from your blog.keep posting.
    ETL Testing Online Training
    Hadoop online Training
    Informatica Online Training

    ReplyDelete
  5. Денис Яркин23 March, 2018 03:07

    thanks, we do our best...

    ReplyDelete
  6. sri krishna kumar02 April, 2018 23:45

    Very useful content
    Hadoop Training In Chennai | Sap MM Training In Chennai | ETL Testing Training In Chennai

    ReplyDelete

Subscribe to: Post Comments (Atom)