User authentication methods for SquaredUp DS for SCOM

A key decision when deploying SquaredUp DS is how users will authenticate (log on). There are two authentication methods you can use for SquaredUp DS:

Forms authentication (default)

By default, SquaredUp DS is installed with Forms authentication enabled. Forms authentication requires the user to enter his or her username and password to log on.

To use Forms authentication you do not need to make any changes after installation. If you have previously configured Windows authentication and want to switch back to Forms authentication see How to enable Forms authentication.

Windows authentication (single sign-on)

Windows authentication is also known as Integrated Windows Authentication (IWA), Single Sign-On (SSO) and Pass Through Authentication.

With Windows authentication enabled, the browser automatically authenticates to SquaredUp DS using the user's Windows credentials. The user does not need to explicitly log on to the application.

In some scenarios, configuring Windows authentication can be more complex. If you are planning a new deployment of SquaredUp DS and require Windows authentication, we recommend you install SquaredUp DS on a SCOM management server.

A single SquaredUp DS instance (website) can be configured for either Forms authentication or Windows authentication, but not both.

For information about using an application proxy (Web Application Proxy and AD FS or Azure Application Proxy) for example to allow multi-factor authentication (MFA), see How to configure SquaredUp DS to use an application proxy

To access SquaredUp DS, a user must authenticate with their Windows credentials. These credentials are used to access SCOM and SCOM's role-based access control (RBAC) is used to determine which - if any - resources the user can access. For more information see User Management

Tip: If you want to make dashboards available to users within your organization without requiring authentication, you can use Open Access dashboards. Open Access dashboards can be shared across the organization and viewed without users needing to authenticate, or to have any SCOM permissions. To learn more about Open Access see Sharing Dashboards with anyone - Open Access.

How to enable Windows authentication

There are three ways to enable Windows authentication depending on your environment. Jump to:

• How to enable Windows authentication when SquaredUp DS is installed on a SCOM Management Server
• How to enable Windows authentication when SquaredUp DS is installed on a single dedicated server
• How to enable Windows authentication when SquaredUp DS is installed on multiple load balanced servers

How to enable Windows authentication when SquaredUp DS is installed on a SCOM Management Server

Choose this option if SquaredUp DS is deployed on a SCOM management server.

If you are planning a new deployment of SquaredUp DS and require Windows authentication, we recommend you install SquaredUp DS on a SCOM management server. This is the easiest setup to configure.

1. Make sure SquaredUp DS has been installed and the initial configuration wizard (licensing etc) has been completed.

2. Enable Windows authentication using the SquaredUp DS configuration script.

   How to enable Windows authentication using the SquaredUp DS configuration script

   Modifying the configuration causes the web application to restart and all users will be logged off.

   1. On the SquaredUp server click on the Start button and type:command prompt

   2. Navigate to the instance for which you wish to change authentication.

      For example:

      cd C:\inetpub\wwwroot\SquaredUp

      Where to find the SquaredUp folder

      Name of the SquaredUp folder

      The default name of the SquaredUp folder is SquaredUp for v6 and above.

      For v5 it is SquaredUpv5, and for v4 SquaredUpv4.

      Location of the SquaredUp folder

      A custom location may have been chosen during the installation.

      The default location for the SquaredUp folder is C:\inetpub\wwwroot\SquaredUp

      For v5 it is C:\inetpub\wwwroot\SquaredUpv5 and for v4 C:\inetpub\wwwroot\SquaredUpv4.

   3. Run the SquaredUp command followed by windows:

      squaredup windows

      What is the SquaredUp command for older versions?

      The SquaredUp command for v6 and above is SquaredUp. This is followed by an operator for the task you are carrying out, for example SquaredUp forms, SquaredUp windows, or SquaredUp ha.

      The SquaredUp command for v5 it is SquaredUp5, and for v4 SquaredUp4.

3. Your browser, and other users' browsers, must be configured to use automatic logon for all your SquaredUp DS URLs. The steps below describe how to configure the browser on each client (not on the server), you can test this in your own client's browser, then your organization should apply the settings to all users' browsers, perhaps using Group Policy.

   Internet Explorer

   Add the fully qualified domain name (FQDN) of all SquaredUp servers e.g. webserver1.domain.local (and load balanced address if using) to the list of local intranet sites, and select automatic logon, as described below. These two settings prevent the browser logon box from popping up, and allow the Windows authentication logon to be used for SquaredUp DS.

   Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.

   1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

   2. Enter the fully qualified domain name (FQDN) for your SquaredUp server(s), and click Add, then Close, then OK.

      When using multiple load balanced servers you must add the FQDN of each server, and also the load balanced address.

      

   3. Click on Local intranet and then Custom level

      

   4. Scroll to the bottom of the settings and verify that either of the following settings are enabled:

      Automatic logon with current user name and password

      Automatic logon only in Intranet zone

      

   5. Click OK, then Yes, then OK.

   6. Add the sites to the local intranet sites on ALL clients. (For example using Group Policy, see Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)).

   Chrome

   By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps for Internet Explorer.

   In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.

   For more details, see The Chromium Projects - HTTP authentication

   Firefox

   Firefox requires explicit configuration to enable Windows authentication.

   1. Type about:config in the location bar.
   2. Type network.negotiate-auth.trusted-uris in the search box.

   3. Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN) separated by a comma and a space. Do not include the http:// or https://

      

      When using multiple load balanced servers you should add the FQDN of each server, and also the load balanced address.

   4. Click OK.
   5. Repeat these steps for the network.negotiate-auth.delegation-uris setting.

4. Verify the configuration.

   How to verify the configuration

   Check that SquaredUp DS is now accessible:

   1. Log on to a client machine as a SCOM user, using a different user account to that with which you are logged on to the SquaredUp Server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if it is misconfigured).

   2. Browse to SquaredUp DS. Check the servers short address and the fully qualified domain name (FQDN):

      http://SquaredUpServer/SquaredUp and http://SquaredUpServer.domain.tld/SquaredUp

      If you are using multiple servers, check the short and FQDN names for all servers, and also the load balanced address.

   3. If SquaredUp DS opens, check that graphs are shown. If they are not, check the Data Warehouse connection (see Troubleshooting the Data Warehouse connection).

Please contact SquaredUp Support if you experience any problems and reply to the automatic response with the output of the SquaredUp DS Diagnostics (see Collecting diagnostic information) and, if possible, a screenshot of the problem.

How to enable Windows authentication when SquaredUp DS is installed on a single dedicated server

Choose this option if SquaredUp DS is deployed on a dedicated server (i.e. not on a SCOM management server), and is not load balanced.

Due to the dependencies on Active Directory and Kerberos constrained delegation, Windows authentication can be difficult to configure and troubleshoot. Please follow these instructions carefully to ensure Windows authentication works without any issues in your environment. If you have any questions or need assistance, please contact SquaredUp Support.

SquaredUp accesses SCOM using the end user's credentials. When Windows authentication is being used and SquaredUp DS is deployed on a dedicated server, the end user first authenticates with the SquaredUp server, and then the SquaredUp server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time, as the SquaredUp server impersonates the end user, is known as a 'double-hop' (the Windows credentials for the Client PC are sent to the SquaredUp server (hop 1), and then to the SCOM server (hop 2)) and this requires Kerberos delegation to be enabled.

Kerberos delegation involves complex configuration. It requires Kerberos authentication to be correctly functioning between client, web server and management server, and for configuration such as Service Principal Names (SPNs) to be configured correctly. For more information on Kerberos and how it operates, see here.

1. Make sure SquaredUp DS has been installed and the initial configuration wizard (licensing etc) has been completed.

2. If you want to use a domain service account for SquaredUp DS, then it must be configured before the following steps. See How to check and modify the application pool identity.

3. Enable Windows authentication using the SquaredUp DS configuration script.

   How to enable Windows authentication using the SquaredUp DS configuration script

   Modifying the configuration causes the web application to restart and all users will be logged off.

   1. On the SquaredUp server click on the Start button and type:command prompt

   2. Navigate to the instance for which you wish to change authentication.

      For example:

      cd C:\inetpub\wwwroot\SquaredUp

      Where to find the SquaredUp folder

      Name of the SquaredUp folder

      The default name of the SquaredUp folder is SquaredUp for v6 and above.

      For v5 it is SquaredUpv5, and for v4 SquaredUpv4.

      Location of the SquaredUp folder

      A custom location may have been chosen during the installation.

      The default location for the SquaredUp folder is C:\inetpub\wwwroot\SquaredUp

      For v5 it is C:\inetpub\wwwroot\SquaredUpv5 and for v4 C:\inetpub\wwwroot\SquaredUpv4.

   3. Run the SquaredUp command followed by windows:

      squaredup windows

      What is the SquaredUp command for older versions?

      The SquaredUp command for v6 and above is SquaredUp. This is followed by an operator for the task you are carrying out, for example SquaredUp forms, SquaredUp windows, or SquaredUp ha.

      The SquaredUp command for v5 it is SquaredUp5, and for v4 SquaredUp4.

4. Enable 'useAppPoolCredentials' and 'useKernelMode' in IIS.
   In addition to the settings configured by the SquaredUp DS configuration script, we need to manually configure IIS to perform authentication using 'kernel mode' and to use the application pool identity when doing so.

   How to enable 'useAppPoolCredentials' and 'useKernelMode' in IIS.

   1. In IIS click on the SquaredUp[Version Number application.
   2. Double-click on Configuration Editor in the main panel.

   3. Click the Section drop down list at the top, and navigate to the following:

      system.webServer/security/authentication/windowsAuthentication

   4. Set useAppPoolCredentials to True and ensure useKernelMode is set to True

   5. Click Apply.

      

5. Configure Kerberos constrained delegation.
   You need to allow the SquaredUp DS application to use the end user's identity when connecting to SCOM. This sending of credentials (from Client PC to SquaredUp server to SCOM server) is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.

   The following steps require changes to the Active Directory account used by the SquaredUp DS application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by SquaredUp DS before proceeding. See How to check and modify the application pool identity.

   If you have configured a custom application pool identity (i.e. a domain service account) then you must add the necessary SPNs.

   How to verify and configure Service Principal Names (SPNs)

   Think of SPNs as pseudo-accounts that represent a service endpoint, such as the SquaredUp DS website. They allow Kerberos to authenticate between a real end user and a service. SPNs must be created for each address the user connects to, and must be associated with the actual account used by the service, in our case this is the SquaredUp DS application pool identity. For more information on SPNs and how they work see here.

   We can create the required SPNs by running commands from a command prompt on the domain controller, the domain account used must have SCOM admin permissions.

   The HTTP service class that we use here for SPNs, differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class.

   1. On a domain controller, click on the Start button and type:

      command prompt

   2. Right-click on the Command Prompt icon and click Run as administrator.

   3. Type the following to set the SPN for the server fully qualified domain name (FQDN):

      SETSPN -S HTTP/webserver1.domain.tld domain\SquaredUpAccount

      webserver1 should be replaced by the name of the server where SquaredUp DS is installed,domain by your domain name, tld is the top level domain, and SquaredUpAccount should be replaced by the SquaredUp DS application pool identity.

      If the SquaredUp DS application pool is configured to use NetworkService, then the SquaredUpAccount is the computer account for the web server. For example, if SquaredUp DS is running on server webserver1.domain.local then use domain\webserver1.

      If you have configured SquaredUp DS to use a domain service account then this account should be used. For example, if your domain service account is domain\svc-squaredup then use domain\svc-squaredup.

      If you are unsure which account SquaredUp DS is configured to use, check the SquaredUp DS application pool configuration (see How to check and modify the application pool identity).

   4. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs.

   5. Next type the following to set the SPN for the server short address:

      setspn -S HTTP/webserver1 domain\SquaredUpAccount

   6. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Troubleshooting Duplicate SPNs.

   If you have another address that you use to browse to SquaredUp DS, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN).

   How to create further SPNs

   If you have another address you use to access SquaredUp DS, for example a DNS alias or alternative binding, you should create two additional SPNs for this address, the shorter address and the fully qualified domain name (FQDN).

   1. On a domain controller click on the Start button type:

      Command Prompt

   2. Right-click on the Command Prompt icon and click Run as administrator

   3. Type:

      SETSPN -S HTTP/Hostname domain\SquaredUpAccount

      Where Hostname is the address you specified in DNS Manager,domain is your domain, and SquaredUpAccount is the domain service account that you set as the SquaredUp DS application pool identity.

   4. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs

   5. Once complete, type the following for the fully qualified domain name (FQDN):

      SETSPN -S HTTP/Hostname.domain.tld domain\SquaredUpAccount

      Where tld is the top level domain.

   6. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs

   For more information see Troubleshooting Kerberos

    

   The next step is to enable the SquaredUp DS application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.

   How to configure Kerberos constrained delegation in Active Directory Users and Computers

   To configure Kerberos constrained delegation in the Active Directory:

   1. On a domain controller, open Active Directory Users and Computers.
   2. If the SquaredUp DS application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example domain\webserver1. If you have configured SquaredUp DS to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup. See How to check and modify the application pool identity).
   3. Right-click and select Properties.

   4. Click on the Delegation tab.

      If the Delegation tab is not visible, first check that you are looking at the correct user or computer account, then check that the SPN has been set correctly for this user or computer as described above.

   5. Check Trust this user/computer for delegation to specified services only. (We could also set Trust this user/computer for delegation to any service, but this is less secure than defining a list of specified services.)
   6. Click Add, then Users or Computers.
   7. If the System Center Data Access Service is running as Local System, locate the SCOM server. If the System Center Data Access Service is running as a service account locate that service account. See Checking the System Center Data Access Service run as account.
   8. From the list of available services click on MSOMSdkSvc.

      If the MSOMSdkSvc service is not available, first check that you are looking at the correct user or computer account, then check that the SCOM SPNs are correct, see Troubleshooting Kerberos.

      

   9. Click OK, and then Apply.

      

   How to configure delegation using the Attribute Editor tab when using a group Managed Service Account (gMSA)

   These steps describe how to use the Attribute Editor tab in Active Directory Users and Computers to configure the delegation stage of Windows Authentication. This can be useful when using gMSA accounts for either the SquaredUp application pool account or the SCOM DAS account:

   • When using a group Managed Service Account (gMSA) for the SCOM Data Access Server Run As account you can't search for a gMSA when carrying out delegation, even though you're looking at the Delegate tab on the SquaredUp app pool identity.

   • When using a group Managed Service Account (gMSA) for the SquaredUp application pool identity the Delegate tab is not shown when looking at the properties of the gMSA that is the SquaredUp app pool identity.

   Both these circumstances mean you need the procedure below to configure delegation.

   SCOM 2019 UR1 and later supports group managed service accounts (gMSA) see Microsoft: Operations Manager 2019 UR1 Support for group managed service accounts and The Monitoring Guys: Implementing gMSA in SCOM 2019 UR1

    

   The Attribute Editor allows another way to configure Kerberos delegation when it can't be done from the Delegation tab.

   1. In Active Directory Users and Computers on a domain controller go to View and click on Advanced features. This will enable Advanced features and allow you to see the Attribute Editor tab.

      

   2. In Active Directory Users and Computers browse to the SquaredUp server or app pool account as normal, depending on whether the app pool account is Network Service or a user account.

   3. Instead of going to the Delegation tab, as you normally would, click on the Attribute Editor tab which is now visible.

   4. Scroll down and click on the msDS-AllowedToDelegateTo attribute:

      

   5. Click Edit.

   6. Add two values, like in this screenshot, to match the SPNs you have configured, with the short and fully qualified domain name (FQDN) of your SCOM server.

      

   7. Reboot the SquaredUp server for the changes to take effect.

   If the SPNs have already been correctly configured to use the gMSA then single sign-on should work. If it doesn't work then you'll need to check the SPNs are configured correctly. The best way to do this is by running the Kerberos script see Troubleshooting Kerberos

6. Restart the SquaredUp server.
   We strongly recommend restarting the SquaredUp server to clear any cached Active Directory account information.

7. Your browser, and other users' browsers, must be configured to use automatic logon for all your SquaredUp DS URLs. The steps below describe how to configure the browser on each client (not on the server), you can test this in your own client's browser, then your organization should apply the settings to all users' browsers, perhaps using Group Policy.

   Internet Explorer

   Add the fully qualified domain name (FQDN) of all SquaredUp servers e.g. webserver1.domain.local (and load balanced address if using) to the list of local intranet sites, and select automatic logon, as described below. These two settings prevent the browser logon box from popping up, and allow the Windows authentication logon to be used for SquaredUp DS.

   Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.

   1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

   2. Enter the fully qualified domain name (FQDN) for your SquaredUp server(s), and click Add, then Close, then OK.

      When using multiple load balanced servers you must add the FQDN of each server, and also the load balanced address.

      

   3. Click on Local intranet and then Custom level

      

   4. Scroll to the bottom of the settings and verify that either of the following settings are enabled:

      Automatic logon with current user name and password

      Automatic logon only in Intranet zone

      

   5. Click OK, then Yes, then OK.

   6. Add the sites to the local intranet sites on ALL clients. (For example using Group Policy, see Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)).

   Chrome

   By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps for Internet Explorer.

   In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.

   For more details, see The Chromium Projects - HTTP authentication

   Firefox

   Firefox requires explicit configuration to enable Windows authentication.

   1. Type about:config in the location bar.
   2. Type network.negotiate-auth.trusted-uris in the search box.

   3. Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN) separated by a comma and a space. Do not include the http:// or https://

      

      When using multiple load balanced servers you should add the FQDN of each server, and also the load balanced address.

   4. Click OK.
   5. Repeat these steps for the network.negotiate-auth.delegation-uris setting.

8. Verify the configuration.

   How to verify the configuration

   Check that SquaredUp DS is now accessible:

   1. Log on to a client machine as a SCOM user, using a different user account to that with which you are logged on to the SquaredUp Server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if it is misconfigured).

   2. Browse to SquaredUp DS. Check the servers short address and the fully qualified domain name (FQDN):

      http://SquaredUpServer/SquaredUp and http://SquaredUpServer.domain.tld/SquaredUp

      If you are using multiple servers, check the short and FQDN names for all servers, and also the load balanced address.

   3. If SquaredUp DS opens, check that graphs are shown. If they are not, check the Data Warehouse connection (see Troubleshooting the Data Warehouse connection).

Please contact SquaredUp Support if you experience any problems and reply to the automatic response with the output of the SquaredUp DS Diagnostics (see Collecting diagnostic information) and, if possible, a screenshot of the problem.

How to enable Windows authentication when SquaredUp DS is installed on multiple load balanced servers

Choose this option if SquaredUp DS is deployed on two or more load balanced, dedicated servers and not installed on SCOM management servers.

The diagram above shows two SquaredUp servers, a Primary and a Secondary server, with a load balancer in front of them.

SquaredUp DS accesses SCOM using the end user's credentials. When Windows authentication is being used and SquaredUp DS is deployed on a dedicated server, the end user first authenticates with the SquaredUp server, and then the SquaredUp server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a 'double-hop' and requires Kerberos delegation to be enabled.

Kerberos delegation is notoriously difficult to configure. It requires Kerberos authentication to be correctly functioning between client, web server and management server, and for configuration such as Service Principal Names (SPNs) to be configured correctly. For more information on Kerberos and how it operates, see here.

1. Make sure SquaredUp DS has been installed and the initial configuration wizard (licensing etc) has been completed.

2. Make sure High availability (HA) has been configured (see Enabling High Availability).

3. Make sure the load balancer has been configured.

4. Configure SquaredUp DS to use a domain service account.

   When load balancing between SquaredUp servers, the SquaredUp DS application pool identity must be set to a domain service account, rather than the default of Network Service. Follow the article How to check and modify the application pool identity to change the application pool identity from Network Service to a domain service account on each server.

5. Enable Windows authentication using the SquaredUp DS configuration script.

   How to enable Windows authentication using the SquaredUp DS configuration script

   Modifying the configuration causes the web application to restart and all users will be logged off.

   1. On the SquaredUp server click on the Start button and type:command prompt

   2. Navigate to the instance for which you wish to change authentication.

      For example:

      cd C:\inetpub\wwwroot\SquaredUp

      Where to find the SquaredUp folder

      Name of the SquaredUp folder

      The default name of the SquaredUp folder is SquaredUp for v6 and above.

      For v5 it is SquaredUpv5, and for v4 SquaredUpv4.

      Location of the SquaredUp folder

      A custom location may have been chosen during the installation.

      The default location for the SquaredUp folder is C:\inetpub\wwwroot\SquaredUp

      For v5 it is C:\inetpub\wwwroot\SquaredUpv5 and for v4 C:\inetpub\wwwroot\SquaredUpv4.

   3. Run the SquaredUp command followed by windows:

      squaredup windows

      What is the SquaredUp command for older versions?

      The SquaredUp command for v6 and above is SquaredUp. This is followed by an operator for the task you are carrying out, for example SquaredUp forms, SquaredUp windows, or SquaredUp ha.

      The SquaredUp command for v5 it is SquaredUp5, and for v4 SquaredUp4.

6. Configure Kerberos constrained delegation.

   This Kerberos constrained delegation setting is different from the other constrained delegation settings for single servers.

   You need to allow the SquaredUp DS application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.

   The following steps require changes to the Active Directory account used by the SquaredUp DS application pool. This is referred to as the SquaredUpAccount in the steps below. It is important to know which account is used by SquaredUp DS before proceeding. See How to check and modify the application pool identity.

   You need to create SPNs for the individual servers and for the load balanced address, for example lb-ha.

   How to create SPNs

   Think of SPNs as pseudo-accounts that represent a service endpoint, such as the SquaredUp DS website. They allow Kerberos to authenticate between a real end user and a service. SPNs must be created for each address the user connects to, and must be associated with the actual account used by the service, in our case this is the SquaredUp DS application pool identity. For more information on SPNs and how they work see here.

   We can create the required SPNs by running commands from a command prompt on the domain controller, the domain account used must have SCOM admin permissions.

   The HTTP service class that we use here for SPNs, differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class.

   1. On a domain controller, click on the Start button and type:

      command prompt

   2. Right-click on the Command Prompt icon and click Run as administrator.

   3. Type the following to set the SPN for each individual servers fully qualified domain name (FQDN):

      SETSPN -S HTTP/webserver1.domain.tld domain\SquaredUpAccount

      Where webserver1 should be replaced by the name of the server where SquaredUp DS is installed, domain by your domain name, tld is the top level domain, and SquaredUpAccount is the domain service account that you set as the SquaredUp DS application pool identity.

   4. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.

   5. Next type the following to set the SPN for each individual server short address:

      SETSPN -S HTTP/webserver1 domain\SquaredUpAccount

   6. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.
   7. Repeat the above steps for all other SquaredUp servers.

   8. Next, we'll create the SPNs for the load balanced address.

      Type the following to set the SPN for the load balancer fully qualified domain name (FQDN):

      SETSPN -S HTTP/LoadBalancedAddress.domain.tld domain\SquaredUpAccount

      Where LoadBalancedAddress is the address you specified in DNS Manager, domain is your domain name, tld is the top level domain, and SquaredUpAccount is the domain service account that you set as the SquaredUp DS application pool identity (see How to check and modify the application pool identity).

      For example:

      SETSPN -S HTTP/lb-ha.squpinternal.net squpinternal\CALBAppPool

   9. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.

   10. Next type the following to set the SPN for the load balancer short address:

       SETSPN -S HTTP/LoadBalancedAddress domain\SquaredUpAccount

   11. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs.

   12. To check the SPNs are configured correctly type:

       SETSPN -L SquaredUpAccount

   You should see at least 6 SPNs. Two that we have just set for the load balanced address, two for the Primary SquaredUp server and two for the Secondary SquaredUp server (and two for each other SquaredUp server):

   

    

   If you have another address that you use to browse to SquaredUp DS, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN).

   How to create further SPNs

   If you have another address you use to access SquaredUp DS, for example a DNS alias or alternative binding, you should create two additional SPNs for this address, the shorter address and the fully qualified domain name (FQDN).

   1. On a domain controller click on the Start button type:

      Command Prompt

   2. Right-click on the Command Prompt icon and click Run as administrator

   3. Type:

      SETSPN -S HTTP/Hostname domain\SquaredUpAccount

      Where Hostname is the address you specified in DNS Manager,domain is your domain, and SquaredUpAccount is the domain service account that you set as the SquaredUp DS application pool identity.

   4. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs

   5. Once complete, type the following for the fully qualified domain name (FQDN):

      SETSPN -S HTTP/Hostname.domain.tld domain\SquaredUpAccount

      Where tld is the top level domain.

   6. Check that it shows Updated Object. If it shows Duplicate SPN found, aborting operation! see Duplicate SPN found - Troubleshooting Duplicate SPNs

   For more information see Troubleshooting Kerberos

    

   The next step is to enable the SquaredUp DS application to use the end user's identity when connecting to SCOM. This is referred to as a 'double-hop' and requires Kerberos constrained delegation to be configured.

   How to configure Kerberos constrained delegation in Active Directory Users and Computers

   To configure Kerberos constrained delegation:

   CA - The steps here only cover using a domain service account for the SquaredUp app pool identity, as this must be used when load balancing. Network Service cannot be used because then the account name needs to be the same for both servers not different.

   1. On a domain controller, open Active Directory Users and Computers.
   2. As you have configured SquaredUp DS to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup. See How to check and modify the application pool identity.

      When load balancing between SquaredUp servers, the SquaredUp DS application pool identity must be set to a domain service account, rather than the default of Network Service. Follow the article How to check and modify the application pool identity to change the application pool identity from Network Service to a domain service account on each server.

   3. Right-click and select Properties.

   4. Click on the Delegation tab.

      If the Delegation tab is not visible, first check that you are looking at the correct user or computer account, then check that the SPN has been set correctly for this user or computer as described above.

   5. Check Trust this user/computer for delegation to specified services only. (We could also set Trust this user/computer for delegation to any service, but this is less secure than defining a list of specified services.)
   6. Click Add, then Users or Computers.
   7. If the System Center Data Access Service is running as Local System, locate the SCOM server. If the System Center Data Access Service is running as a service account locate that service account. See Checking the System Center Data Access Service run as account.
   8. From the list of available services click on MSOMSdkSvc.

   9. If the MSOMSdkSvc service is not available, first check that you are looking at the correct user or computer account, then check that the SCOM SPNs are correct, see Configuring SPNs for SCOM

      

   10. Click OK, and then Apply.

       

   How to configure delegation using the Attribute Editor tab when using a group Managed Service Account (gMSA)

   These steps describe how to use the Attribute Editor tab in Active Directory Users and Computers to configure the delegation stage of Windows Authentication. This can be useful when using gMSA accounts for either the SquaredUp application pool account or the SCOM DAS account:

   • When using a group Managed Service Account (gMSA) for the SCOM Data Access Server Run As account you can't search for a gMSA when carrying out delegation, even though you're looking at the Delegate tab on the SquaredUp app pool identity.

   • When using a group Managed Service Account (gMSA) for the SquaredUp application pool identity the Delegate tab is not shown when looking at the properties of the gMSA that is the SquaredUp app pool identity.

   Both these circumstances mean you need the procedure below to configure delegation.

   SCOM 2019 UR1 and later supports group managed service accounts (gMSA) see Microsoft: Operations Manager 2019 UR1 Support for group managed service accounts and The Monitoring Guys: Implementing gMSA in SCOM 2019 UR1

    

   The Attribute Editor allows another way to configure Kerberos delegation when it can't be done from the Delegation tab.

   1. In Active Directory Users and Computers on a domain controller go to View and click on Advanced features. This will enable Advanced features and allow you to see the Attribute Editor tab.

      

   2. In Active Directory Users and Computers browse to the SquaredUp server or app pool account as normal, depending on whether the app pool account is Network Service or a user account.

   3. Instead of going to the Delegation tab, as you normally would, click on the Attribute Editor tab which is now visible.

   4. Scroll down and click on the msDS-AllowedToDelegateTo attribute:

      

   5. Click Edit.

   6. Add two values, like in this screenshot, to match the SPNs you have configured, with the short and fully qualified domain name (FQDN) of your SCOM server.

      

   7. Reboot the SquaredUp server for the changes to take effect.

   If the SPNs have already been correctly configured to use the gMSA then single sign-on should work. If it doesn't work then you'll need to check the SPNs are configured correctly. The best way to do this is by running the Kerberos script see Troubleshooting Kerberos

7. Restart the SquaredUp servers.
   We strongly recommend restarting the SquaredUp servers to clear any cached account information.

8. Your browser, and other users' browsers, must be configured to use automatic logon for all your SquaredUp DS URLs. The steps below describe how to configure the browser on each client (not on the server), you can test this in your own client's browser, then your organization should apply the settings to all users' browsers, perhaps using Group Policy.

   Internet Explorer

   Add the fully qualified domain name (FQDN) of all SquaredUp servers e.g. webserver1.domain.local (and load balanced address if using) to the list of local intranet sites, and select automatic logon, as described below. These two settings prevent the browser logon box from popping up, and allow the Windows authentication logon to be used for SquaredUp DS.

   Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.

   1. Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced

   2. Enter the fully qualified domain name (FQDN) for your SquaredUp server(s), and click Add, then Close, then OK.

      When using multiple load balanced servers you must add the FQDN of each server, and also the load balanced address.

      

   3. Click on Local intranet and then Custom level

      

   4. Scroll to the bottom of the settings and verify that either of the following settings are enabled:

      Automatic logon with current user name and password

      Automatic logon only in Intranet zone

      

   5. Click OK, then Yes, then OK.

   6. Add the sites to the local intranet sites on ALL clients. (For example using Group Policy, see Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)).

   Chrome

   By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps for Internet Explorer.

   In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.

   For more details, see The Chromium Projects - HTTP authentication

   Firefox

   Firefox requires explicit configuration to enable Windows authentication.

   1. Type about:config in the location bar.
   2. Type network.negotiate-auth.trusted-uris in the search box.

   3. Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN) separated by a comma and a space. Do not include the http:// or https://

      

      When using multiple load balanced servers you should add the FQDN of each server, and also the load balanced address.

   4. Click OK.
   5. Repeat these steps for the network.negotiate-auth.delegation-uris setting.

9. Verify the configuration.

   How to verify the configuration

   Check that SquaredUp DS is now accessible:

   1. Log on to a client machine as a SCOM user, using a different user account to that with which you are logged on to the SquaredUp Server. (Note that it must be a different account, otherwise Windows authentication may reuse your server logon session and it may appear to succeed even if it is misconfigured).

   2. Browse to SquaredUp DS. Check the servers short address and the fully qualified domain name (FQDN):

      http://SquaredUpServer/SquaredUp and http://SquaredUpServer.domain.tld/SquaredUp

      If you are using multiple servers, check the short and FQDN names for all servers, and also the load balanced address.

   3. If SquaredUp DS opens, check that graphs are shown. If they are not, check the Data Warehouse connection (see Troubleshooting the Data Warehouse connection).

Please contact SquaredUp Support if you experience any problems and reply to the automatic response with the output of the SquaredUp DS Diagnostics (see Collecting diagnostic information) and, if possible, a screenshot of the problem.

How to enable Forms authentication

Forms authentication is enabled by default when SquaredUp DS is installed. If you have previously configured Windows authentication and would like to switch back to Forms authentication, follow the instructions below.

Modifying the configuration causes the web application to restart and all users will be logged off.

1. Open a command prompt (cmd.exe) on the SquaredUp web server.

2. Navigate to the instance for which you wish to change authentication.

   For example:

   cd C:\inetpub\wwwroot\SquaredUp

   Where to find the SquaredUp folder

   Name of the SquaredUp folder

   The default name of the SquaredUp folder is SquaredUp for v6 and above.

   For v5 it is SquaredUpv5, and for v4 SquaredUpv4.

   Location of the SquaredUp folder

   A custom location may have been chosen during the installation.

   The default location for the SquaredUp folder is C:\inetpub\wwwroot\SquaredUp

   For v5 it is C:\inetpub\wwwroot\SquaredUpv5 and for v4 C:\inetpub\wwwroot\SquaredUpv4.

3. Then run the SquaredUp command followed by forms:

   squaredup forms

   What is the SquaredUp command for older versions?

   The SquaredUp command for v6 and above is SquaredUp. This is followed by an operator for the task you are carrying out, for example SquaredUp forms, SquaredUp windows, or SquaredUp ha.

   The SquaredUp command for v5 it is SquaredUp5, and for v4 SquaredUp4.

4. If you have previously configured SPNs or Kerberos constrained delegation settings in Active Directory, these can be reverted after switching to Forms authentication.