User authentication methods for SquaredUp DS for SCOM

A key decision when deploying SquaredUp DS is how users will authenticate (log on). There are two authentication methods you can use for SquaredUp DS: Forms authentication and Windows authentication.

A single SquaredUp DS instance (website) can be configured for either Forms authentication or Windows authentication, but not both.

For information about using an application proxy (Web Application Proxy and AD FS, or Azure Application Proxy), for example to allow multi-factor authentication (MFA), see How to configure SquaredUp to use an application proxy.

To access SquaredUp DS, a user must authenticate with their Windows credentials. These credentials are used to access SCOM, and SCOM's role-based access control (RBAC) determines which resources, if any, the user can access. For more information see User Management.

Tip: If you want to make dashboards available to users within your organization without requiring authentication, you can use Open Access dashboards. Open Access dashboards can be shared across the organization and viewed without users needing to authenticate, or to have any SCOM permissions. To learn more about Open Access see Sharing Dashboards with anyone - Open Access.

How to enable Windows authentication

There are three ways to enable Windows authentication depending on your environment.

How to enable Windows authentication when SquaredUp DS is installed on a SCOM Management Server

Choose this option if SquaredUp DS is deployed on a SCOM management server.

If you are planning a new deployment of SquaredUp DS and require Windows authentication, we recommend you install SquaredUp DS on a SCOM management server. This is the easiest setup to configure.

  1. Make sure SquaredUp DS has been installed and the initial configuration wizard (licensing etc) has been completed.
  2. Enable Windows authentication using the SquaredUp DS configuration script.
  3. Your browser, and other users' browsers, must be configured to use automatic logon for all your SquaredUp DS URLs. The steps below describe how to configure the browser on each client (not on the server). You can test this in your own client's browser; your organization should then apply the settings to all users' browsers, perhaps using Group Policy.

  4. Verify the configuration.

Please contact SquaredUp Support

How to enable Windows authentication when SquaredUp DS is installed on a single dedicated server

Choose this option if SquaredUp DS is deployed on a dedicated server (i.e. not on a SCOM management server), and is not load balanced.

Due to the dependencies on Active Directory and Kerberos constrained delegation, Windows authentication can be difficult to configure and troubleshoot. Please follow these instructions carefully to ensure Windows authentication works without any issues in your environment. If you have any questions or need assistance, please contact SquaredUp Support

SquaredUp accesses SCOM using the end user's credentials. When Windows authentication is being used and SquaredUp DS is deployed on a dedicated server, the end user first authenticates with the SquaredUp server, and then the SquaredUp server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time, as the SquaredUp server impersonates the end user, is known as a 'double-hop': the Windows credentials for the Client PC are sent to the SquaredUp server (hop 1), and then to the SCOM server (hop 2). It requires Kerberos delegation to be enabled.

Kerberos delegation involves complex configuration. It requires Kerberos authentication to be functioning correctly between client, web server and management server, and settings such as Service Principal Names (SPNs) to be configured correctly. For more information on Kerberos and how it operates, see here.

  1. Make sure SquaredUp DS has been installed and the initial configuration wizard (licensing etc) has been completed.
  2. If you want to use a domain service account for SquaredUp DS, then it must be configured before the following steps. See How to check and modify the application pool identity.
  3. Enable Windows authentication using the SquaredUp DS configuration script.
  4. Enable 'useAppPoolCredentials' and 'useKernelMode' in IIS.
    In addition to the settings configured by the SquaredUp DS configuration script, we need to manually configure IIS to perform authentication using 'kernel mode' and to use the application pool identity when doing so.
  5. Configure Kerberos constrained delegation.
    You need to allow the SquaredUp DS application to use the end user's identity when connecting to SCOM. This sending of credentials (from Client PC to SquaredUp server to SCOM server) is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.
    The following steps require changes to the Active Directory account used by the SquaredUp DS application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by SquaredUp DS before proceeding. See How to check and modify the application pool identity.
    If you have configured a custom application pool identity (i.e. a domain service account) then you must add the necessary SPNs.
    The next step is to enable the SquaredUp DS application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.
  6. Restart the SquaredUp server.
    We strongly recommend restarting the SquaredUp server to clear any cached Active Directory account information.
  7. Your browser, and other users' browsers, must be configured to use automatic logon for all your SquaredUp DS URLs. The steps below describe how to configure the browser on each client (not on the server). You can test this in your own client's browser; your organization should then apply the settings to all users' browsers, perhaps using Group Policy.

  8. Verify the configuration.

Please contact SquaredUp Support

How to enable Windows authentication when SquaredUp DS is installed on multiple load balanced servers

Choose this option if SquaredUp DS is deployed on two or more load balanced, dedicated servers and not installed on SCOM management servers.

The diagram above shows two SquaredUp servers, a Primary and a Secondary server, with a load balancer in front of them.

SquaredUp DS accesses SCOM using the end user's credentials. When Windows authentication is being used and SquaredUp DS is deployed on a dedicated server, the end user first authenticates with the SquaredUp server, and then the SquaredUp server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a 'double-hop' and requires Kerberos delegation to be enabled.

Kerberos delegation is notoriously difficult to configure. It requires Kerberos authentication to be functioning correctly between client, web server and management server, and settings such as Service Principal Names (SPNs) to be configured correctly. For more information on Kerberos and how it operates, see here.

  1. Make sure SquaredUp DS has been installed and the initial configuration wizard (licensing etc) has been completed.
  2. Make sure High availability (HA) has been configured (see Enabling High Availability).
  3. Make sure the load balancer has been configured.
  4. Configure SquaredUp DS to use a domain service account.

    When load balancing between SquaredUp servers, the SquaredUp DS application pool identity must be set to a domain service account, rather than the default of Network Service. Follow the article How to check and modify the application pool identity to change the application pool identity from Network Service to a domain service account on each server.

  5. Enable Windows authentication using the SquaredUp DS configuration script.
  6. Configure Kerberos constrained delegation.
    You need to allow the SquaredUp DS application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.
    The following steps require changes to the Active Directory account used by the SquaredUp DS application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by SquaredUp DS before proceeding. See How to check and modify the application pool identity.
    You need to create SPNs for the individual servers and for the load balanced address, for example lb-ha.
    The next step is to enable the SquaredUp DS application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.
  7. Restart the SquaredUp servers.
    We strongly recommend restarting the SquaredUp servers to clear any cached account information.
  8. Your browser, and other users' browsers, must be configured to use automatic logon for all your SquaredUp DS URLs. The steps below describe how to configure the browser on each client (not on the server). You can test this in your own client's browser; your organization should then apply the settings to all users' browsers, perhaps using Group Policy.

  9. Verify the configuration.

Please contact SquaredUp Support
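
One way to check the outcome of the SPN and Kerberos constrained delegation steps in both the dedicated-server and load-balanced procedures, as an added PowerShell example that is not SquaredUp's own script. The function name, the host names other than lb-ha, and the MSOMSdkSvc delegation target (the service class SCOM registers for its Data Access service) are assumptions; substitute the names and SPNs used in your environment.

```powershell
# Added example (not SquaredUp code). Audits the AD attributes of the
# SquaredUpAccount; works on Get-ADUser / Get-ADComputer output or a stand-in.
function Test-SquaredUpDelegation {
    param(
        [Parameter(Mandatory)] $Account,
        [Parameter(Mandatory)] [string[]] $WebHosts,        # every host name users browse to
        [Parameter(Mandatory)] [string[]] $AllowedTargets   # SPNs the account may delegate to
    )
    $unconstrained      = 0x80000     # userAccountControl: TRUSTED_FOR_DELEGATION
    $protocolTransition = 0x1000000   # userAccountControl: TRUSTED_TO_AUTH_FOR_DELEGATION
    # Where-Object drops the $null produced by an unset attribute
    $spns     = @($Account.ServicePrincipalNames | Where-Object { $_ })
    $targets  = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $uac      = [int]$Account.userAccountControl
    $findings = @()

    # Hop 1: the browser requests a ticket for HTTP/<name in the URL>
    foreach ($name in $WebHosts) {
        if ($spns -notcontains "HTTP/$name") { $findings += "Missing SPN: HTTP/$name" }
    }
    # Hop 2: delegation must be constrained to the listed SCOM services only
    if ($uac -band $unconstrained) {
        $findings += 'Unconstrained delegation is enabled on the account'
    }
    if ($targets.Count -eq 0) {
        $findings += 'No delegation targets: the hop to SCOM will fail'
    }
    foreach ($t in $targets) {
        if ($AllowedTargets -notcontains $t) { $findings += "Unexpected delegation target: $t" }
    }
    if ($uac -band $protocolTransition) {
        $findings += 'Protocol transition is enabled: confirm it is intended'
    }
    return ,$findings
}

# Constructed sample; host names and the MSOMSdkSvc target are assumptions.
# Live input: Get-ADUser <SquaredUpAccount> -Properties ServicePrincipalNames,
#             userAccountControl, 'msDS-AllowedToDelegateTo'
$sample = [pscustomobject]@{
    ServicePrincipalNames      = @('HTTP/squp01', 'HTTP/squp02')
    'msDS-AllowedToDelegateTo' = @('MSOMSdkSvc/scom-ms01', 'cifs/fileserver01')
    userAccountControl         = (0x200 -bor 0x80000)   # normal account + unconstrained
}
Test-SquaredUpDelegation -Account $sample -WebHosts 'squp01', 'squp02', 'lb-ha' `
    -AllowedTargets 'MSOMSdkSvc/scom-ms01'
```

If SquaredUp DS runs as Network Service, the SPNs and delegation settings belong to the server's computer account, so read it with Get-ADComputer instead of Get-ADUser.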

How to enable Forms authentication

Forms authentication is enabled by default when SquaredUp DS is installed. If you have previously configured Windows authentication and would like to switch back to Forms authentication, follow the instructions below.

Modifying the configuration causes the web application to restart and all users will be logged off.

  1. Open a command prompt (cmd.exe) on the SquaredUp web server.
  2. Navigate to the instance for which you wish to change authentication.
    For example:
    cd C:\inetpub\wwwroot\SquaredUp

  3. Then run the SquaredUp command followed by forms:
    squaredup forms

  4. If you have previously configured SPNs or Kerberos constrained delegation settings in Active Directory, these can be reverted after switching to Forms authentication.
