June 14, 2016

New HTML5 SSP for SCSM, Windows Authentication issue on dedicated server

For some reason, the new Self-Service Portal (HTML5) doesn't authenticate users if it is deployed on a dedicated server without the SCSM Management service on it...
In our case an additional management server can't (or won't) be installed, but some configuration experiments in a demo lab showed us that the SSP works correctly if Kerberos delegation is configured exactly as for a common ASP.NET application :)
The general steps are described here.

Our additions for SSP

- New VM with Windows Server 2012 R2, without SCSM management server
- Activated IIS Role
- Installed new SSP + all current updates

Step 1:
Check the SPNs for the SCSM service account (in our case the SCSM service account is SANDBOX\scsmsvc).
Go to the DC and run the command "setspn -L SANDBOX\scsmsvc":
SCSM01 is the first SCSM management server in our sandbox, and the MSOMSdkSvc SPN must be listed here. Other SPNs may be listed as well; that is OK.
Warning: all SPNs must be set with setspn.exe, NOT by editing the attribute directly in ADSI…
Set HTTP SPNs for the NetBIOS and FQDN names of our new Windows 2012 server with the SSP:
"setspn -A http/scsmssp SANDBOX\scsmsvc"
"setspn -A http/scsmssp.sandbox.local SANDBOX\scsmsvc"
Any other portal name can be used instead; in our sandbox we are fine with the plain server name.

Step 2:
Once the SPNs are set, the Delegation tab must appear on the service account user in the AD console:
On that tab we need to select “Trust this user for delegation to any service (Kerberos only)” or, more strictly, the next option… (in our case we are OK with this middle option)
And, just in case, uncheck this checkbox:

Step 3:
On our new Windows Server 2012 with the HTML5 SSP, open the IIS console.
Check the application pool for the SSP: it needs to run as our SCSM service account (Identity).
If it does not, change it in Advanced Settings.

Check and set server authentication to ASP.NET Impersonation and Windows Authentication:
Go to the Configuration Editor,
to the section "system.webServer/security/authentication/windowsAuthentication";
this setting must be configured like this:
And that's it: from other systems, authentication to the SSP with domain user credentials works as expected:
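
A read-only way to verify the three steps above from PowerShell, added here as an example and not part of the original post. The application pool and site names are placeholders because the post does not name them, and the windowsAuthentication values are only reported, since the post showed the expected values in a screenshot.

```powershell
# Added audit example (not from the original post). Read-only: it changes nothing.
# Steps 1-2: run where the ActiveDirectory module (RSAT) is available, e.g. the DC.
function Get-SspDelegationState {
    param(
        [string]$Account = 'scsmsvc',   # service account from the post
        [string[]]$WantSpn = @('http/scsmssp', 'http/scsmssp.sandbox.local')
    )
    Import-Module ActiveDirectory
    $u = Get-ADUser -Identity $Account -Properties ServicePrincipalName,
        TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $spn = @($u.ServicePrincipalName)
    # Map the AD flags back to the options on the Delegation tab.
    if ($u.TrustedForDelegation) { $mode = 'any service (Kerberos only)' }
    elseif ($u.'msDS-AllowedToDelegateTo') { $mode = 'specified services only' }
    else { $mode = 'not trusted for delegation' }
    [pscustomobject]@{
        MissingSpn          = @($WantSpn | Where-Object { $spn -notcontains $_ })
        HasMSOMSdkSvc       = [bool]($spn -like 'MSOMSdkSvc/*')
        DelegationMode      = $mode
        AllowedToDelegateTo = @($u.'msDS-AllowedToDelegateTo')
    }
}

# Step 3: run on the SSP web server (WebAdministration ships with the IIS role).
function Get-SspIisState {
    param(
        [Parameter(Mandatory)][string]$AppPoolName,   # placeholder: SSP application pool
        [Parameter(Mandatory)][string]$SiteName       # placeholder: SSP web site
    )
    Import-Module WebAdministration
    $pm   = Get-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel
    $path = "IIS:\Sites\$SiteName"
    $wa   = 'system.webServer/security/authentication/windowsAuthentication'
    [pscustomobject]@{
        PoolIdentityType = $pm.identityType   # SpecificUser when a domain account is set
        PoolUserName     = $pm.userName       # the post expects SANDBOX\scsmsvc
        WindowsAuth      = (Get-WebConfigurationProperty -PSPath $path -Filter $wa -Name enabled).Value
        UseAppPoolCreds  = (Get-WebConfigurationProperty -PSPath $path -Filter $wa -Name useAppPoolCredentials).Value
        UseKernelMode    = (Get-WebConfigurationProperty -PSPath $path -Filter $wa -Name useKernelMode).Value
        Impersonation    = (Get-WebConfigurationProperty -PSPath $path -Filter 'system.web/identity' -Name impersonate).Value
    }
}

# Usage:
#   Get-SspDelegationState | Format-List
#   Get-SspIisState -AppPoolName '<SSP app pool>' -SiteName '<SSP site>' | Format-List
```

If an SPN is not missing but authentication still fails, "setspn -Q http/scsmssp" shows which account currently holds it, which helps spot a registration on the wrong account.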



  2. Great post! I followed it and everything was working perfect for a day. Now I am either getting the SCSM default Error.cshtml page or it prompts for credentials. Any suggestions for me to try? Thanks!

    1. I suspect some AD policy is rewriting your settings; can you recheck it?

  3. thanks, we do our best...


  6. Denis, I would appreciate your advice on configuring SCSM.
    At the moment we are seeing an authentication problem.
    Server 1 - Primary MS, WF
    Server 2 - Additional MS, SSP
    Server 3 - Additional MS, SSP
    Server 4 - Additional MS
    Server 5 - Additional MS
    The SSP runs over SSL.
    Servers 2 and 3 are configured for load balancing the portal over SSL. (NetScaler)
    Users can authenticate to the SSP when they access it by server name. (https://servername/)
    Users cannot authenticate to the SSP when they access it by the shared name (https://sd). An authentication prompt appears, and after credentials are entered into it the server reports that authentication failed.
    The authentication settings in IIS have not been changed. The SPNs seem to be fine.
