For some reason, the new Self-Service Portal (HTML5) does not authenticate users if it is deployed on a dedicated server that has no SCSM management service installed...
In our case, an additional management server can't (or won't) be installed, but some configuration experiments in a demo lab showed us that the SSP works correctly if Kerberos delegation is configured exactly as for an ordinary ASP.NET application :)
The general procedure is described here.
Our additions for the SSP
Prep:
- New VM with Windows Server 2012 R2, without an SCSM management server
- IIS role enabled
- New SSP installed, plus all current updates
Step 1:
Check the SPNs for the SCSM service account (in our case the SCSM service account is SANDBOX\scsmsvc).
Go to a DC and run the command "setspn -L SANDBOX\scsmsvc":

SCSM01 is our sandboxed first SCSM management server, and the MSOMSdkSvc SPN must be listed here; other SPNs may also be present, which is OK.
Warning: all SPNs must be set with setspn.exe, NOT by editing the ADSI attribute directly…
Set the HTTP SPNs for the NetBIOS and FQDN names of our new Windows 2012 server with the SSP:
"setspn -A http/scsmssp SANDBOX\scsmsvc"
"setspn -A http/scsmssp.sandbox.local SANDBOX\scsmsvc"
Actually, any other portal name can be used here; in our sandbox, we are fine with the simple server name.
Step 2:
After the SPNs are set, the Delegation tab must show up on the service account user in the AD console:
On that tab we need to select “Trust this user for delegation to any service (Kerberos only)” or, more strictly, the next option… (in our case, we are OK with this middle option)
And, just in case, clear this checkbox:
On our new Windows Server 2012 with the HTML5 SSP, open the IIS console.

We need to check the application pool for the SSP: it needs to run under our SCSM service account (Identity).
If it does not, change it in Advanced Settings.
Check and set the server authentication to ASP.NET Impersonation and Windows Authentication:
Go to Configuration Editor,
in the section "system.webServer/security/authentication/windowsAuthentication"

This setting must be configured like this:

This setting must be configured like this:
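Added example, not part of the original post: a read-only PowerShell check of Steps 1 and 2 and of the IIS settings above, useful when the portal starts prompting for credentials again. It assumes the ActiveDirectory and WebAdministration modules are present on the SSP server and that the SSP runs as its own IIS site; it reports the windowsAuthentication attributes without asserting what they should be. The middle option chosen in Step 2 is unconstrained delegation, while the option below it limits the account to listed services.

```powershell
# Added example: read-only audit of the setup above; changes nothing in AD or IIS.
# Assumes an elevated session with the ActiveDirectory (RSAT) and WebAdministration modules.
Import-Module ActiveDirectory, WebAdministration

$account  = 'scsmsvc'                                      # SANDBOX\scsmsvc in the post
$httpSpns = 'http/scsmssp', 'http/scsmssp.sandbox.local'   # SPNs added in Step 1
$wa       = 'system.webServer/security/authentication/windowsAuthentication'

function Get-Attr($path, $filter, $name) {
    (Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name $name).Value
}

$u = Get-ADUser $account -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# Step 1: the SDK service SPN and both HTTP SPNs must sit on the service account.
if (-not ($u.servicePrincipalName -like 'MSOMSdkSvc/*')) { Write-Warning "No MSOMSdkSvc SPN on $account" }
foreach ($spn in $httpSpns) {
    if ($u.servicePrincipalName -notcontains $spn) { Write-Warning "Missing SPN: $spn" }
    # An SPN registered on more than one account breaks Kerberos for that name.
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
    if ($owners.Count -gt 1) { Write-Warning "Duplicate SPN ${spn}: $($owners.Name -join ', ')" }
}

# Step 2: report which option on the Delegation tab is actually in effect.
$mode = 'none'
if ($u.'msDS-AllowedToDelegateTo') { $mode = 'specified services only (constrained)' }
if ($u.TrustedForDelegation)       { $mode = 'any service, Kerberos only (unconstrained)' }
[pscustomobject]@{
    Account    = $u.SamAccountName
    Delegation = $mode
    DelegateTo = $u.'msDS-AllowedToDelegateTo' -join '; '
} | Format-List | Out-Host

# IIS: the SSP application pool must run under the SCSM service account.
Get-ChildItem IIS:\AppPools |
    Select-Object Name, @{ n = 'Identity'; e = { $_.processModel.userName } } |
    Format-Table -AutoSize | Out-Host

# IIS: authentication settings per site (assumption: the SSP is its own site).
foreach ($site in Get-Website) {
    $p = "IIS:\Sites\$($site.Name)"
    [pscustomobject]@{
        Site                  = $site.Name
        WindowsAuth           = Get-Attr $p $wa 'enabled'
        UseAppPoolCredentials = Get-Attr $p $wa 'useAppPoolCredentials'
        UseKernelMode         = Get-Attr $p $wa 'useKernelMode'
        AspNetImpersonation   = Get-Attr $p 'system.web/identity' 'impersonate'
    } | Format-List | Out-Host
}
```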
Great post! I followed it and everything was working perfectly for a day. Now I am either getting the SCSM default Error.cshtml page or it prompts for credentials. Any suggestions for me to try? Thanks!
I suggest some AD policy rewrites your settings, can you recheck it?
Denis, I would appreciate your advice on configuring SCSM.
At the moment there is a problem with authentication.
Given:
Server 1 - Primary MS, WF
Server 2 - Additional MS, SSP
Server 3 - Additional MS, SSP
Server 4 - Additional MS
Server 5 - Additional MS
The SSP works over SSL.
Servers 2 and 3 are configured for load balancing of the portal over SSL. (NetScaler)
Users can authenticate to the SSP if they access it by server name. (https://servername/)
Users cannot authenticate to the SSP if they access it by the shared name (https://sd). An authentication window appears, and after credentials are entered into it, the server reports that authentication fails.
The authentication settings in IIS have not been changed. The SPNs seem to be fine.