Below is a step by step on taking a Windows 2008 Management Server, and adding the Web Console… with the requirement of using Windows authentication. The easiest method is to use Forms Based auth for Web Console servers…. but using Windows Auth is possible if you can leverage constrained delegation (more on this later).
I will start by running setup, and checking the prerequisites for the web console:
We need to add the Web Server Role, and make sure we include all required sub roles. This is documented here:
Once IIS is installed correctly – now run the pre-requisite check again:
All good. At this point – we can run SetupOM.exe, and add the web console component.
We will choose Windows Authentication for this exercise.
Setup should complete. If you get an error here…. you might need to open a case with Microsoft… as some hotfixes can possibly block additional OpsMgr roles from being added, such as the web console. I have 951380, 954049, and 956240 installed. I was not able to add the web console…. due to the following error:
Error 1334.The file File196.2FD07918_9082_437D_99BC_FD43602A4625 cannot be installed because the file cannot be found in cabinet file Data.Cab. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.
MSI (s) (00:84) [12:38:44:863]: Product: System Center Operations Manager 2007 — Error 1334.The file File196.2FD07918_9082_437D_99BC_FD43602A4625 cannot be installed because the file cannot be found in cabinet file Data.Cab. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.
If you are affected by this…. (common also when hotfixes wont apply) we need to do a little work in the registry…. open up HKCR\Installer\Products\DF6E5EFF035E66C49971553D96AA0E4D\Patches
Back this key up by exporting it first…. once backed up… delete the REG_SZ GUIDS, and then open the "Patches" REG_MULTI_SZ key, and delete all guids from there. When done – it should look like so:
****Note: If you are running a OpsMgr management group that was originally installed as RTM, then upgraded to SP1 – you might need to leave the following guids in place in the registry when attempting to use this workaround:
727B3A3ADCF2D1945BFF1FD34105570A (this references MOM2007QFEPreSP1.msp)
8CABA70B215243145A51419A9073262F (this references MOM2007SP1.msp)
OR – I have seen these on x64:
727B3A3ADCF2D1945BFF1FD34105570A is MOM2007QFEPreSP1.msp
8817A55B3D84652468BCF9B1E587B78F is MOM2007SP1.msp
Now – rerun setup….
Ok…. When setup is complete…. one thing we need to discuss. KB 954049 is required for Server 2008 support. If you had already applied this hotfix, you must now re-apply it in order to patch the web console files in the hotfix. The simplest way is to find the MSP file for your OS version in the C:\Program Files\System Center 2007 Hotfix Utility\ folders.
And, once installed… make sure you re-import your original reg backup we took. This workaround will typically get you through a web console add, or a hotfix install.
Once that is covered – lets test the console, from the management server itself. Launch the web console from the shortcut on the start menu.
What you will likely see… is one or more security prompts asking for your username and password…. the console it trying to use Windows Auth. Once this fails, you will be presented with a forms based authentication screen…. or an error.
If you check the OpsMgr event log – you will likely see these errors:
Log Name: Operations Manager
Source: Web Console
Date: 9/24/2008 1:06:11 PM
Event ID: 10
Task Category: None
Error: Data Abstraction Layer: Exception while connecting to the server ‘omrms.opsmgr.net’
Thread was being aborted.
This means we need to set up Kerberos constrained delegation, so that Windows Auth can work.
1. Check the SPN of the domain account used for the SDK service account. For instance… my domain is OPSMGR, my SDK Account is OPSMGR\momsdk07, and my RMS is OMRMS.opsmgr.net. I will begin… by inspecting the SPN’s attached to my SDK account:
setspn /L OPSMGR\momsdk07
Registered ServicePrincipalNames for CN=momsdk07,OU=SCOM,OU=Accounts,OU=US,DC=opsmgr,DC=net:
This is good. If for any reason these are missing – we need to add the MSOMSdkSvc class SPN of the RMS computer, to the domain account used for the SDK. So in my case, this would look like:
setspn /a MSOMSdkSvc/OMRMS OPSMGR\momsdk07
setspn /a MSOMSdkSvc/OMRMSopsmgr.net OPSMGR\momsdk07
2. Verify Domain Functional Level: If you are configuring constrained delegation, you need to verify that the domain controller is operating at Windows Server 2003 functional level. (Note: This is required for constrained delegation.) Launch "Active Directory Domains and Trusts" with domain admin credentials. In the console tree, right-click the domain for which you want to verify the domain level select Properties in the context menu.
3. Verify user account options.
Open AD Users and Computers, and find the SDK account. Examine the properties, account tab, and ensure that "Account is sensitive and cannot be delegated" is NOT selected.
4. Configure constrained delegation:
In ADUC, find the computer account that the web console is installed on.
Right click it, choose properties, and select the Delegation tab.
If in a Windows Server 2003 domain, on the Delegation tab, click Trust this computer for delegation to specified services only.
And choose the Use Kerberos only radio button.
Click the Add button
In the Add Services dialogue click the Users and Computers button
In the Select Users or Computers dialogue specify the domain account that the SDK service is running under and click OK.
In the Add Services dialogue select the service type MSOMSdkSvc and click OK.
Click OK to close the Properties Dialogue. When complete – it will appear as:
Once this is complete – Constraint Delegation is set up. You might need to wait for AD replication, and might need to bounce the SDK service on the RMS for this to start working.
These constrained delegation steps work perfectly for Windows Server 2003 – however you might not be successful in Server 2008. For my Server 2008 Web Console, I had to change the Delegation option for the Web Console server, to "Trust this Computer for delegation to any service (Kerberos only)"….