On some reason, new Self-Service Portal (HTML5) doesn't authenticate user, if it was deployed on dedicated server without SCSM Management service on them...
In our case, additional management server can't (or won't) be installed, but some config manipulations in demo lab, showed to us, that SSP works correctly, if Kerberos delegation configure exactly like, for common ASP.NET application :)
General manipulations described here.
Our Additions, for SSP
Prep:
- New VM with Windows Server 2012 R2, without SCSM management server
- Activated IIS Role
- Installed new SSP + all current updates
Step 1:
Check SPN for SCSM Service Account (in our case SCSM service account is: SANDBOX\scsmsvc)
Go to DC server and run command "setspn -L SANDBOX\scsmsvc":
SCSM01 – is our sandboxed first service management SCSM server, and SPN MSOMSdkSvc – must be here, also, here may be some other SPN, it is OK.
Warning: all SPN must be set by setspn.exe NOT ADSI attribute directly editing…
Set HTTP SPN for NetBIOS and FQDN names of our new Windows 2012 Server with SSP:
"setspn -A http/scsmssp SANDBOX\scsmsvc"
"setspn -A http/scsmssp.sandbox.local SANDBOX\scsmsvc"
"setspn -A http/scsmssp.sandbox.local SANDBOX\scsmsvc"
Actually, there can be any other portal name, in our sandbox, we good with simple server name.
Step 2:
After SPN set, in AD console on Service Account user, must showed up Delegation Tab:
And in that TAB we need set “Trust this user for delegation to any service (Kerberos only)” or more strongly next bullet… (in our case, we OK with this middle bullet)
And, just in case, un-check this checkbox:
Step 3:
Go to our new Windows Server 2012 with HTML5 SSP, in IIS console
We need to check Application Pool for SSP, it need to be run from our SCSM Service Account (Identity)
If it not, change it in Advanced Settings
Check and set server authentication to ASP.NET Impersonation and Windows Authentication:
Go to Configuration Editor:
in this section "system.webServer/security/authentication/windowsAuthentication"
this setting must be configured like that:
this setting must be configured like that:
and it is done, from another systems, authentication for SSP with domain user credentials working as expected:
Nice blog Thanks for sharing
ReplyDeleteWeb Designing training in chennai
yourwelcome
ReplyDeleteGreat post! I followed it and everything was working perfect for a day. Now I am either getting the SCSM default Error.cshtml page or it prompts for credentials. Any suggestions for me to try? Thanks!
ReplyDeleteI suggest some of AD policy rewrite your settings, can you recheck it?
Delete
ReplyDeleteWonderful post. I am learning so many things from your blog.keep posting.
ETL Testing Online Training
Hadoop online Training
Informatica Online Training
thanks, we do our best...
ReplyDeleteVery useful content
ReplyDeleteHadoop Training In Chennai | Sap MM Training In Chennai | ETL Testing Training In Chennai