Installing the Web Console on a 2008 Management Server – using Windows Authentication


Below is a step-by-step guide to taking a Windows 2008 Management Server and adding the Web Console, with the requirement of using Windows authentication.  The easiest method is to use Forms Based auth for Web Console servers, but using Windows Auth is possible if you can leverage constrained delegation (more on this later).


I will start by running setup, and checking the prerequisites for the web console:


We need to add the Web Server Role, and make sure we include all required sub roles.  This is documented here:

http://blogs.technet.com/kevinholman/archive/2008/09/26/how-to-install-iis-on-server-2008-to-support-opsmgr-web-console-and-reporting.aspx


Once IIS is installed correctly – now run the pre-requisite check again:


All good.  At this point – we can run SetupOM.exe, and add the web console component.

We will choose Windows Authentication for this exercise.


Setup should complete.  If you get an error here, you might need to open a case with Microsoft, as some hotfixes can block additional OpsMgr roles (such as the web console) from being added.  I have 951380, 954049, and 956240 installed, and I was not able to add the web console due to the following error:


Error 1334.The file File196.2FD07918_9082_437D_99BC_FD43602A4625 cannot be installed because the file cannot be found in cabinet file Data.Cab. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.
MSI (s) (00:84) [12:38:44:863]: Product: System Center Operations Manager 2007 — Error 1334.The file File196.2FD07918_9082_437D_99BC_FD43602A4625 cannot be installed because the file cannot be found in cabinet file Data.Cab. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.


If you are affected by this (it is also common when hotfixes won't apply), we need to do a little work in the registry.  Open up HKCR\Installer\Products\DF6E5EFF035E66C49971553D96AA0E4D\Patches


Back this key up by exporting it first.  Once backed up, delete the REG_SZ GUID values, then open the "Patches" REG_MULTI_SZ value and delete all GUIDs from there.  When done – it should look like so:


Note:  If you are running an OpsMgr management group that was originally installed as RTM, then upgraded to SP1 – you might need to leave the following GUIDs in place in the registry when attempting to use this workaround:

727B3A3ADCF2D1945BFF1FD34105570A    (this references MOM2007QFEPreSP1.msp)
8CABA70B215243145A51419A9073262F    (this references MOM2007SP1.msp)

OR – I have seen these on x64:

727B3A3ADCF2D1945BFF1FD34105570A is MOM2007QFEPreSP1.msp
8817A55B3D84652468BCF9B1E587B78F is MOM2007SP1.msp


Now – rerun setup.

When setup is complete, there is one thing we need to discuss.  KB 954049 is required for Server 2008 support.  If you had already applied this hotfix, you must now re-apply it in order to patch the web console files included in the hotfix.  The simplest way is to find the MSP file for your OS version in the C:\Program Files\System Center 2007 Hotfix Utility\ folders.

And once it is installed, make sure you re-import the original registry backup we took.  This workaround will typically get you through a web console add, or a hotfix install.


Once that is covered – let's test the console from the management server itself.  Launch the web console from the shortcut on the start menu.


What you will likely see is one or more security prompts asking for your username and password; the console is trying to use Windows Auth.  Once this fails, you will be presented with a forms based authentication screen, or an error.


If you check the OpsMgr event log – you will likely see these errors:

Log Name:      Operations Manager
Source:        Web Console
Date:          9/24/2008 1:06:11 PM
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      OMMS3.opsmgr.net
Description:
Instance: 5ogbhfrszo2xqx45iw2wid45.

Error: Data Abstraction Layer: Exception while connecting to the server ‘omrms.opsmgr.net’
Thread was being aborted.

This means we need to set up Kerberos constrained delegation, so that Windows Auth can work.


1.  Check the SPN of the domain account used for the SDK service account.  For instance, my domain is OPSMGR, my SDK account is OPSMGR\momsdk07, and my RMS is OMRMS.opsmgr.net.  I will begin by inspecting the SPNs attached to my SDK account:

setspn /L OPSMGR\momsdk07

Results:

Registered ServicePrincipalNames for CN=momsdk07,OU=SCOM,OU=Accounts,OU=US,DC=opsmgr,DC=net:
        MSOMSdkSvc/OMRMS
        MSOMSdkSvc/omrms.opsmgr.net

This is good.  If for any reason these are missing – we need to add the MSOMSdkSvc class SPN of the RMS computer (both the short name and the FQDN) to the domain account used for the SDK.  So in my case, this would look like:

setspn /a MSOMSdkSvc/OMRMS OPSMGR\momsdk07

setspn /a MSOMSdkSvc/OMRMS.opsmgr.net OPSMGR\momsdk07


2.  Verify Domain Functional Level: If you are configuring constrained delegation, you need to verify that the domain is operating at the Windows Server 2003 functional level (this is required for constrained delegation).  Launch "Active Directory Domains and Trusts" with domain admin credentials.  In the console tree, right-click the domain for which you want to verify the domain level and select Properties in the context menu.


3.  Verify user account options. 

Open AD Users and Computers, and find the SDK account.  Examine the properties, account tab, and ensure that "Account is sensitive and cannot be delegated" is NOT selected.


4.  Configure constrained delegation:

In ADUC, find the computer account that the web console is installed on. 

Right click it, choose properties, and select the Delegation tab.

If in a Windows Server 2003 domain, on the Delegation tab, click Trust this computer for delegation to specified services only.

And choose the Use Kerberos only radio button.


Click the Add button

In the Add Services dialogue click the Users and Computers button

In the Select Users or Computers dialogue specify the domain account that the SDK service is running under and click OK.


In the Add Services dialogue select the service type MSOMSdkSvc and click OK.


Click OK to close the Properties Dialogue.  When complete – it will appear as:


Once this is complete – constrained delegation is set up.  You might need to wait for AD replication, and might need to bounce the SDK service on the RMS for this to start working.

These constrained delegation steps work perfectly for Windows Server 2003 – however you might not be successful in Server 2008.  For my Server 2008 Web Console, I had to change the Delegation option for the Web Console server to "Trust this Computer for delegation to any service (Kerberos only)".
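As an added example (not from the original post), the following PowerShell script checks steps 1, 3 and 4 above against Active Directory and flags the Server 2008 "any service" fallback, which is unconstrained (Kerberos-only) delegation rather than constrained delegation. It assumes the names used in the walkthrough (momsdk07, OMMS3, omrms.opsmgr.net) and uses [ADSISearcher] so that it runs without the ActiveDirectory module; the userAccountControl bit values are the standard ADS_USER_FLAG constants.

```powershell
# Added example (not from the original post): verify steps 1, 3 and 4 of the walkthrough.
# Assumed names taken from the post; change them for your environment.
$SdkAccount = 'momsdk07'          # SDK service account (sAMAccountName)
$WebConsole = 'OMMS3'             # computer that hosts the web console
$RmsFqdn    = 'omrms.opsmgr.net'  # RMS FQDN, as registered in the SDK SPNs

# userAccountControl flags (ADS_USER_FLAG constants)
$UF_NOT_DELEGATED          = 0x100000   # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_FOR_DELEGATION = 0x80000    # "Trust for delegation to any service" = unconstrained
$UF_TRUSTED_TO_AUTH        = 0x1000000  # "Use any authentication protocol" (protocol transition)

# [ADSISearcher] works without the ActiveDirectory module, which Server 2008 lacks
function Find-Object([string]$Filter) {
    $s = [ADSISearcher]$Filter
    $s.PropertiesToLoad.AddRange([string[]]@('serviceprincipalname','useraccountcontrol','msds-allowedtodelegateto'))
    $r = $s.FindOne()
    if (-not $r) { throw "No AD object matches $Filter" }
    $r
}

# Step 1: the SDK account must carry MSOMSdkSvc SPNs for the RMS short name and FQDN
$sdk  = Find-Object "(&(objectCategory=user)(sAMAccountName=$SdkAccount))"
$spns = @($sdk.Properties['serviceprincipalname'])
foreach ($want in "MSOMSdkSvc/$($RmsFqdn.Split('.')[0])", "MSOMSdkSvc/$RmsFqdn") {
    if ($spns -icontains $want) { "OK    SPN present: $want" }
    else { "FAIL  SPN missing: $want   (setspn /a $want <domain>\$SdkAccount)" }
}
# A duplicate SPN on another account makes the KDC issue tickets for the wrong identity
foreach ($spn in $spns) {
    $holders = ([ADSISearcher]"(servicePrincipalName=$spn)").FindAll()
    if ($holders.Count -gt 1) { "FAIL  Duplicate SPN $spn on $($holders.Count) accounts" }
}

# Step 3: the SDK account must not be flagged sensitive, or delegation to it is refused
$sdkUac = [int]$sdk.Properties['useraccountcontrol'][0]
if ($sdkUac -band $UF_NOT_DELEGATED) { "FAIL  SDK account is marked 'sensitive and cannot be delegated'" }
else { "OK    SDK account permits delegation" }

# Step 4: the web console computer should be constrained to MSOMSdkSvc (Kerberos only)
$web     = Find-Object "(&(objectCategory=computer)(sAMAccountName=$WebConsole`$))"
$webUac  = [int]$web.Properties['useraccountcontrol'][0]
$targets = @($web.Properties['msds-allowedtodelegateto'])
if ($webUac -band $UF_TRUSTED_FOR_DELEGATION) {
    "WARN  Web console may delegate to ANY service (the Server 2008 workaround); this is unconstrained delegation"
} elseif ($targets -match '^MSOMSdkSvc/') {
    "OK    Constrained delegation targets: $($targets -join ', ')"
} else { "FAIL  No MSOMSdkSvc entry in msDS-AllowedToDelegateTo" }
if ($webUac -band $UF_TRUSTED_TO_AUTH) { "WARN  Protocol transition is enabled; the post selects 'Use Kerberos only'" }
```

Run it as a domain user on the web console server after completing step 4; a FAIL line points at the step to revisit, and the WARN lines record where the configuration is broader than the constrained setup the post describes.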


Comments (23)

  1. Kevin Holman says:

    Murad – I don't recommend installing the web console in an RMS cluster – I am pretty sure that is an untested/unsupported configuration.  It might be able to be done… but IIS can use considerable resources on an RMS.

    I have moved to recommending installing the web console as forms based auth for NON-RMS installs – because of how much trouble getting this to work can be.

    Help me understand – what is the big deal with having Windows auth for customers?  Is having to type in a username and password in a form THAT big of a deal?

  2. Kevin Holman says:

    Tim – a couple things – make sure those same users can launch a regular console… ensure they have access.

    Also – this was an old IIS restriction – make sure the users have log on locally rights to the Web Console server….

  3. Anonymous says:

    I have been trying to install the SP1 hotfix – KB971541, which bombed until I removed the web console (as opposed to contacting PSS as you mentioned). Now it won't reinstall, even after removing the reg keys you mentioned. There is no pop up error message, the installer just starts rolling back, then says the installation was interrupted. What is there to try at this stage? Thanks!

  4. Murad Akram says:

    Kevin, I've tried everything listed/documented/recommended in this post, but I am unable to get my Ops Web Console working on a non-RMS server using integrated Windows auth. So at this point I'd like to remove the Web Console from my MS (Management Server) and install it on my RMS cluster (2 node). Have you installed Web Console on a cluster? Is it even supported? Can it be done? Would I just use a generic service option to cluster IIS 7.0?

    Please advise

    Murad

  5. Murad Akram says:

    Oh by the way I am using SCOM 2007 R2 with Cum1 patch and all my servers are running Windows Server 2008 edition.

  6. Kevin Holman says:

    If your web console is installed on the RMS – then this should just work… I don't know why it wouldn't unless there is an underlying problem with your IIS install.

    Is this on Server 2008?  If so – did you fully apply 954049 hotfix – and make sure the web console files got updated?

  7. Kevin Holman says:

    Try removing the web console – and reinstalling it…. I have seen this happen with the web console and it appears to be pretty random.

    See this article from Marnix:

    http://thoughtsonopsmgr.blogspot.com/2009/08/opsmgr-r2-webconsole-wont-start-after.html

  8. Kevin Holman says:

    Your comments, issue, and link – have nothing to do with this blog post?

    You had an issue getting the web console to work on your RMS…. this is about how to get it to work when NOT on the RMS.

    Or am I confused?

  9. Murad Akram says:

    Kevin,

    I am pretty sure it's not going to be a big deal if I ask my internal customers/users to login to the web console every time they need to access the alert view or Dashboard view etc. It was my personal preference to make things easier for the user community. The only issue I can see with enabling forms based auth is that we have/use multiple domain user IDs (one to access our PCs and the other "SA" to do Windows server administration related tasks) so they might get confused (initially) as to what ID they need to use to access the console.

    Also, it is hard for me to believe that I am being forced to implement a form based auth solution. What if the Ops Web Console is very important to us and we'd like to separate it from the RMS and MS server and host it in a web farm with hardware based load balancing (i.e. F5)? I guess we will have the same issues there?

    Murad

  10. Tim McFadden says:

    I have the web console set up on a Server 2008 server.  The web console works if I log into the server with the SCOM administrator account which is also an administrator on the server, but if I use any other account I get a

    "You do not have permission to view this directory or page."

  11. Biense says:

    We have set up a single server configuration and cannot open the web console. I tried to configure the settings but there is no SDK service account – the account runs under Local System!

  12. Mr Kevin Holman, you are indeed a SCOM 2007 legend. Many thanks for your expertise that is on display here for all to see. Your detailed walkthrough resolved my Web Console problems on my Windows 2008 host.

    Cheers!

  13. Sebastien Paquet says:

    Thanks a lot, that fixed my issues on Win2k8 with a web console NOT installed on the RMS. Thanks!!

  14. khongthat says:

    quote: "Also – this was an old IIS restriction – make sure the users have log on locally rights to the Web Console server…."

    This has never been true with IIS websites (again security is only as good as its administrators :)) only if you’re talking about FTP you are right.

    As for this walkthrough, it solved my problems on Windows 2008 (setting delegation to any service did solve it, yet another Win2k8 bug?).

    Just one remark: ASP is not needed for the webconsole, but that’s technically another document 🙂

  15. Parker Jardine says:

    I have followed your steps, but I run into a problem when I reinstall the console. It keeps asking me to insert disk 1, even though I am using the DVD to install the web console and there is only one disk. So I am confused, and I cannot get the web console to install.  Any ideas?

  16. Henry says:

    Kevin,

     Interesting situation, I got the web console working per your instructions in both our QA and PROD environment where it was not installed on the RMS using WA.

    I then upgraded both machines to the R2 version, no problems with the web console. I then uninstalled R2 from my QA box and reinstalled a fresh copy of R2, without going the upgrade path.

    Now the Web Console won’t work anymore with WA. I have a feeling something in that Patch didn’t make it into the R2 Version.

  17. Allen Kong says:

    Thanks.  Although I kinda knew this as I look after SharePoint 2007!

    An interesting aside is that this process also makes LiveMaps from SAVision use SSO too!  

    Even though their website and install docs say this cannot be done!

    Smart.

  18. John Taylor says:

    We have two separate forests that have a trust in between… Will SSO (Windows Authentication) work between the two forests? When I am on a server that is not in the domain I am challenged, and the web console works if I use a credential that is in the same domain as the web console. If I use a credential that is in a different forest then I fail even though a trust exists.

  19. Ron Hagerman says:

    Hi Kevin,

     I followed your instructions but the problem I had with my Windows 2008 R2 web server is that I am forbidden to allow any service to delegate for security reasons.

     I thought for sure I was hosed and was preparing to open a support case when I thought about the identity of my IIS server. I have the SPN set up and delegation configured per your Windows 2003 instructions and then I set the application pool identity to LocalSystem. This resolved my problem. Now I can comply with company security guidelines and still offer the SCOM web console to my end users.

    Thanks for the great post!

    Ron Hagerman

    The Boeing Company

  20. Robert Posey says:

    You Rock. That fixed it! Thank you!

  21. jimmy says:

    Kevin,

    I just moved my web console from my RMS (Windows 2008) to a secondary management server (Windows 2008 R2) following this guide and everything worked perfectly. Thanks a lot. This blog has helped me out numerous times.

    You Da Man!

    -Jimmy

  22. Joe Thompson says:

    Kevin,

    I had a DEV environment that had no issues running the Webconsole, but my PROD environment would work off and on. Finally worked with Microsoft IIS Support and got it working using the DelegConfig utility. You basically copy the Kerberos folder to your Webconsole IIS server wwwroot, make it an Application, then browse to the Kerberos application using http://<servername>/kerberos. Do not make the mistake of browsing to it using the IIS Manager, as it uses Localhost and will not give you the information you need. After that, you can review the report and any Kerberos and delegation issues. You can run through its wizard and set up the triple hop you need to make it to your RMS and then DBS. Once done, it will give you the proper SETSPN commands you need to make it all work.

    In my instance, I had a duplicate SPN for the RMS service account that was preventing it from working consistently. In our environment, only Domain Admins have the permissions to create SPNs, so when I did the OpsMgr 2007 setup, the SPNs were not automatically created…

    Hope this helps someone else!

    Good Luck!

    Joe Thompson