Troubleshooting Kerberos
SquaredUp DS Kerberos script
The SquaredUp DS Kerberos script Debug-SquaredUpKerberos.ps1 queries the Kerberos configuration.
To download and run the Kerberos script see Collecting diagnostic information
The results are shown on screen and when an issue is identified a message is displayed which you can use to resolve the issue, using the information in this article.
Please contact SquaredUp Support
If the Kerberos script doesn't identify any issues but you are still prompted by the browser for a username and password, see the end of this article.
Issues identified by the Kerberos Script
- SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount'
- SPN 'MSOMSdkSvc/SCOMServer' exists but it is not registered to identity 'domain\SCOMIdentity'
- Troubleshooting Duplicate SPNs ("Found duplicate SPNs")
- "Checking the SquaredUp account delegation settings...FAIL The SquaredUp account AD entry (domain\SquaredUpAccount) is not configured for delegation to SPN 'MSOMSdkSvc/SCOMServer'"
Other issues covered:
- How to configure SPNs when accessing SquaredUp DS via an address that is not the SquaredUp server name
- Delegation tab is missing when carrying out delegation
- The MSOMSdkSvc service is not listed when carrying out delegation
- Checking the System Center Data Access Service run as account
- Still presented with the browser logon box
- Check Windows authentication 'Providers'
- How to enable Kerberos event logging
- Check that delegation has been set up
SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount'
The script has identified an SPN for the SquaredUp server but it is not registered to the SquaredUp DS application pool identity. This may be because the SquaredUp DS application pool identity has been changed. Follow the steps below to reconfigure the SPNs for the new SquaredUp DS application pool identity.
Configuring SPNs for the SquaredUp server
HTTP service SPNs need to be configured for each SquaredUp server. It is important to know the SquaredUp DS application pool identity as this determines the account the SPN is registered to.
- On a domain controller, click on the Start button and type:
command prompt - Right-click on the Command Prompt icon and click Run as administrator.
- Type:
SETSPN -S HTTP/SquaredUpServer domain\SquaredUpAccountSquaredUpServershould be replaced by the name of the server where SquaredUp DS is installed, anddomainby your domain name.SquaredUpAccountshould be replaced by the SquaredUp DS application pool identity.
If the SquaredUp DS application pool is configured to use NetworkService, then theSquaredUpAccountis the computer account for the web server. For example, if SquaredUp DS is running on server webserver1.domain.local then use domain\webserver1.
If you have configured SquaredUp DS to use a domain service account then this account should be used. For example, if your domain service account is domain\svc-squaredup then use domain\svc-squaredup.
If you are unsure which account SquaredUp DS is configured to use, check the SquaredUp DS application pool configuration (How to check and modify the application pool identity). - This may report
Duplicate SPN found, aborting operation!. The output also very usefully shows the account that is already registered to the SPN. See Troubleshooting Duplicate SPNs and Duplicate SPN found - Troubleshooting Duplicate SPNs to delete the existing SPN and recreate it. - Repeat these steps for the fully qualified domain name (FQDN) of the SquaredUp server:
SETSPN -S HTTP/SquaredUpServer.domain.tld domain\SquaredUpAccount
Wheretldis the top level domain. - Run the SquaredUp DS Kerberos script to see if any further problems are reported (see Collecting diagnostic information).
If you have another address that you use to browse to SquaredUp DS, for example in your bindings or in DNS Manager, you should create two further SPNs, one for the shorter address and another for the fully qualified domain name (FQDN).
If you have another address you use to access SquaredUp DS, for example a DNS alias or alternative binding, you should create two additional SPNs for this address, the shorter address and the fully qualified domain name (FQDN).
- On a domain controller click on the Start button type:
Command Prompt - Right-click on the Command Prompt icon and click Run as administrator
- Type:
SETSPN -S HTTP/Hostname domain\SquaredUpAccount
WhereHostnameis the address you specified in DNS Manager,domainis your domain, andSquaredUpAccountis the domain service account that you set as the SquaredUp DS application pool identity. - Check that it shows
Updated Object. If it showsDuplicate SPN found, aborting operation!see Duplicate SPN found - Troubleshooting Duplicate SPNs - Once complete, type the following for the fully qualified domain name (FQDN):
SETSPN -S HTTP/Hostname.domain.tld domain\SquaredUpAccount
Wheretldis the top level domain. - Check that it shows
Updated Object. If it showsDuplicate SPN found, aborting operation!see Duplicate SPN found - Troubleshooting Duplicate SPNs
For more information see Troubleshooting Kerberos
SPN 'MSOMSdkSvc/SCOMServer' exists but it is not registered to identity 'domain\SCOMIdentity'
The script has identified an SPN for the SCOM server but it is not registered to the System Center Data Access Service run as account. This may be because the System Center Data Access Service run as account has changed. Follow the steps below to reconfigure the SPNs for the new System Center Data Access Service run as account.
Configuring SPNs for SCOM
MSOMSdkSvc service SPNs need to be configured for the SCOM server. It is important to know the System Center Data Access Service run as account as this determines the account the SPN is registered to. For more information see OpsMgr 2012: What should the SPN’s look like?
When load balancing SCOM (whether using Network Load Balancing or a hardware load balancer) all the SCOM servers must have their System Center Data Access service running as the same service account See the Service Principal Names section at the end of this Technet article.
- On a domain controller, click on the Start button and type:
command prompt - Right-click on the Command Prompt icon and click Run as administrator.
- Type the following to set the SPN for the server short address:
SETSPN -S MSOMSdkSvc/SCOMServer domain\SCOMIdentitySCOMServershould be replaced by the name of the SCOM server, anddomainby your domain name.SCOMIdentityshould be replaced by the System Center Data Access Service run as account.
If the System Center Data Access Service is running as Local System, then the account should be the computer account for the SCOM server.
If the System Center Data Access Service is running as a service account then the account should be that service account.
See Checking the System Center Data Access Service run as account. - This may report
Duplicate SPN found, aborting operation!. The output also very usefully shows the account that is already registered to the SPN. SeeSee Troubleshooting Duplicate SPNs and Duplicate SPN found - Troubleshooting Duplicate SPNs to delete the existing SPN and recreate it. - Repeat these steps for the fully qualified domain name (FQDN) of the SCOM server:
SETSPN -S MSOMSdkSvc/SCOMServer.domain.tld domain\SCOMIdentity
Wheretldis the top level domain. - Run the SquaredUp DS Kerberos script to see if any further problems are reported (see Collecting diagnostic information).
"Checking the SquaredUp account delegation settings...FAIL The SquaredUp account AD entry (domain\SquaredUpAccount) is not configured for delegation to SPN 'MSOMSdkSvc/SCOMServer'"
The Kerberos script shows the following error:"Checking the SquaredUp account delegation settings...FAILThe SquaredUp account AD entry (domain\SquaredUpAccount) is not configured for delegation to SPN 'MSOMSdkSvc/SCOMServer'" You need to configure delegation in the Active Directory from the SquaredUpAccount to the System Center Data Access Service account:
- On a domain controller, open Active Directory Users and Computers.
- Navigate to the SquaredUpAccount mentioned in the error message (this should be SquaredUp DS application pool account, see How to check and modify the application pool identity).
- Right-click on the account and select Properties.
- Click on the Delegation tab. (If the Delegation tab is not there see Delegation tab is missing when carrying out delegation).
- Check Trust this user/computer for delegation to specified services only.
- Click Add, then Users or Computers.
- Locate the System Center Data Access Service account. The SCOM DAS identity account you need is shown on the Kerberos script output as "Determining SCOM identity for kerberos... OK ; OMSDK.Account=domain\SCOMIdentity"
See Checking the System Center Data Access Service run as account - From the list of available services click on MSOMSdkSvc. Careful not to select MSOMHSvc, you need MSOMSdkSvc. If MSOMSdkSvc is not available follow The MSOMSdkSvc service is not listed when carrying out delegation.
- At this point we strongly recommend restarting the SquaredUp servers to clear any cached account information.
- Run the SquaredUp DS Kerberos script to see if this error has been resolved and if any further errors are reported (see Collecting diagnostic information).
Troubleshooting Duplicate SPNs
After running a SETSPN -S command you may see Duplicate SPN found, aborting operation!
The Kerberos script may fail with the message Found duplicate SPNs
See Duplicate SPN found - Troubleshooting Duplicate SPNs
How to configure SPNs when accessing SquaredUp DS via an address that is not the SquaredUp server name
This applies if:
- You want to enable Windows authentication (single sign-on)
- SquaredUp DS is not installed on SCOM management servers
- You have another address you use to access SquaredUp DS, for example a DNS alias or alternative binding, which is not the SquaredUp server name.
If you have another address you use to access SquaredUp DS, for example a DNS alias or alternative binding, you should create two additional SPNs for this address, the shorter address and the fully qualified domain name (FQDN).
- On a domain controller click on the Start button type:
Command Prompt - Right-click on the Command Prompt icon and click Run as administrator
- Type:
SETSPN -S HTTP/Hostname domain\SquaredUpAccount
WhereHostnameis the address you specified in DNS Manager,domainis your domain, andSquaredUpAccountis the domain service account that you set as the SquaredUp DS application pool identity. - Check that it shows
Updated Object. If it showsDuplicate SPN found, aborting operation!see Duplicate SPN found - Troubleshooting Duplicate SPNs - Once complete, type the following for the fully qualified domain name (FQDN):
SETSPN -S HTTP/Hostname.domain.tld domain\SquaredUpAccount
Wheretldis the top level domain. - Check that it shows
Updated Object. If it showsDuplicate SPN found, aborting operation!see Duplicate SPN found - Troubleshooting Duplicate SPNs
For more information see Troubleshooting Kerberos
Delegation tab is missing when carrying out delegation
The Delegation tab can be missing if you have opened the wrong account in Active Directory Users and Computers, or if the HTTP SPNs have not been configured for that account.
The delegation tab is only available after an SPN attribute has been added to the active directory object.
- Check that you have opened the correct account in Active Directory Users and Computers. You should open the 'SquaredUp account', i.e. the application pool identity:
- If the SquaredUp DS application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example, domain\webserver1.
- If you have configured SquaredUp DS to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup.
For more information see How to check and modify the application pool identity.
- If the Delegation tab is still missing once you are opening the correct account in Active Directory Users and Computers then you should run the Kerberos script, to help identify the SPN problem. It is likely you will see either SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount' or "Found duplicate SPNs" (see Troubleshooting Duplicate SPNs) and you should follow those steps to fix the SPN problem.
If the Delegation tab is shown but the MSOMSdkSvc option is missing then see SPN 'MSOMSdkSvc/SCOMServer' exists but it is not registered to identity 'domain\SCOMIdentity'
The MSOMSdkSvc service is not listed when carrying out delegation
The MSOMSdkSvc option is not listed if you have opened the wrong account in Active Directory Users and Computers, or if the MSOMSdkSvc SPN has not been configured correctly for the SCOM Data Access service run as account (or if using 'local service', the SCOM server computer).
- First, check that you have opened the correct account:
If the SquaredUp DS application pool is configured to use NetworkService, then navigate to the computer account for the web server. For example domain\webserver1.
If you have configured SquaredUp DS to use a domain service account then navigate to this domain service account. For example, domain\svc-squaredup. See How to check and modify the application pool identity. - Secondly, when you're on the Delegation tab, check that you're adding the correct account:
If the System Center Data Access Service is running as Local System, locate the SCOM server.
If the System Center Data Access Service is running as a service account locate that service account. See Checking the System Center Data Access Service run as account. - If the MSOMSdkSvc service is not listed for this account, then you should run the Kerberos script, to help identify the SPN problem (see Collecting diagnostic information).
It is likely you will see either SPN 'HTTP/SquaredUpServer' exists but it is not registered to identity 'domain\SquaredUpAccount' or "Found duplicate SPNs" (see Troubleshooting Duplicate SPNs) and you should follow those steps to fix the SPN problem.
Normally the SPNs are created automatically, but if they could not be created initially or the account running the System Center Data Access Service has changed, then the SPNs need to be created now, see Configuring SPNs for SCOM.
Once the SPNs are set correctly the MSOMSdkSvc service will be listed when carrying out delegation.
Checking the System Center Data Access Service run as account
- To check the System Center Data Access Service (DAS) run as account on the SCOM server click on the Start button and type
services. - Locate the System Center Data Access Service and check the Log On As column to see whether the server is running as Local System or as a specific service account.
When you run the Kerberos script the System Center Data Access Service account you need is shown on the Kerberos script output:
"Determining SCOM identity for kerberos... OK ; OMSDK.Account=domain\SCOMIdentity"
Still presented with the browser logon box
If the Kerberos script does not show any errors please check the following:
- Restart the SquaredUp server(s).
- Re-run the
squaredup windowscommand on the SquaredUp server(s). See the relevant article linked from User authentication methods for SquaredUp DS for SCOM. - Configure the browsers to use Windows authentication
- Check Windows authentication 'Providers'
- Enable Kerberos event logging (see How to enable Kerberos event logging).
Re-run the squaredup windows command
Modifying the configuration causes the web application to restart and all users will be logged off.
- On the SquaredUp server click on the Start button and type:
command prompt - Navigate to the instance for which you wish to change authentication.
For example:cd C:\inetpub\wwwroot\SquaredUpThe default location for the SquaredUp folder is
C:\inetpub\wwwroot\SquaredUpFor v5 it is
C:\inetpub\wwwroot\SquaredUpv5and for v4C:\inetpub\wwwroot\SquaredUpv4.Name of the SquaredUp folderA custom location may have been chosen during the installation.
The default name of the SquaredUp folder is
SquaredUpfor v6 and above.For v5 it is
SquaredUpv5, and for v4SquaredUpv4. - Run the SquaredUp command followed by
windows:squaredup windowsThe SquaredUp command for v6 and above is
SquaredUp. This is followed by an operator for the task you are carrying out, for exampleSquaredUp forms,SquaredUp windows, orSquaredUp ha.The SquaredUp command for v5 it is
SquaredUp5, and for v4SquaredUp4.
Configure the browsers to use Windows authentication
Your browser, and other users' browsers, must be configured to use automatic logon for all your SquaredUp DS URLs. The steps below describe how to configure the browser on each client (not on the server), you can test this in your own client's browser, then your organization should apply the settings to all users' browsers, perhaps using Group Policy.
Add the fully qualified domain name (FQDN) of all SquaredUp servers e.g. webserver1.domain.local (and load balanced address if using) to the list of local intranet sites, and select automatic logon, as described below. These two settings prevent the browser logon box from popping up, and allow the Windows authentication logon to be used for SquaredUp DS.
Please note that your domain settings may differ from the Internet Explorer defaults, so we recommend that you review the settings below.
- Navigate to Tools > Internet Options > Security > Local intranet > Sites > Advanced
- Enter the fully qualified domain name (FQDN) for your SquaredUp server(s), and click Add, then Close, then OK.
When using multiple load balanced servers you must add the FQDN of each server, and also the load balanced address.
- Click on Local intranet and then Custom level
- Scroll to the bottom of the settings and verify that either of the following settings are enabled:
Automatic logon with current user name and passwordAutomatic logon only in Intranet zone
- Click OK, then Yes, then OK.
- Add the sites to the local intranet sites on ALL clients. (For example using Group Policy, see Internet Explorer prompting for credentials - Windows authentication (Clint Boessen's blog)).
By default, Chrome uses the Internet Explorer local intranet sites configuration. Follow the steps for Internet Explorer.
In addition, Chrome requires that Kerberos constrained delegation is explicitly configured.
For more details, see The Chromium Projects - HTTP authentication
Firefox requires explicit configuration to enable Windows authentication.
- Type
about:configin the location bar. - Type
network.negotiate-auth.trusted-urisin the search box. - Double-click on the setting returned and type the SquaredUp server name and then the fully qualified domain name (FQDN) separated by a comma and a space. Do not include the http:// or https://
When using multiple load balanced servers you should add the FQDN of each server, and also the load balanced address.
- Click OK.
- Repeat these steps for the
network.negotiate-auth.delegation-urissetting.
Check Windows authentication 'Providers'
If the SquaredUp DS Kerberos script finds all settings correct, but you are still seeing the browser login box, and entering the logon details of a SCOM user does not allow you access to SquaredUp DS, then you should check the Windows authentication 'Providers' as described below.
- On the SquaredUp server, open IIS, click on the SquaredUp DS application, then open Authentication from the middle pane. Right-click on Windows Authentication and select Providers.
- Check the list of Enabled Providers. It should show Negotiate, at the top of the list, NOTNegotiate:Kerberos. In the Providers list (under Actions on the right) ensure Negotiate is above NTLM using 'Move Up' and 'Move Down'.
- If Negotiate:Kerberos is listed please remove this, and add Negotiate.
- Click OK.
- Before testing, you'll need to close and reopen your browser.
How to enable Kerberos event logging
If it is proving difficult to narrow down the issue, enabling Kerberos event logging may help.
- Enable Kerberos event logging on the SquaredUp server, as described in the following Microsoft article, by setting the
LogLevelvalue to1:
How to enable Kerberos event logging - Once Kerberos logging is enabled on the SquaredUp server, go to a client and log out and in again and attempt to open SquaredUp DS.
- On the SquaredUp server open Event Viewer, then go to Windows logs > System, and look for any Kerberos errors.
- For assistance please contact SquaredUp Support
You should remove Kerberos event logging once Kerberos is configured correctly.
Check that delegation has been set up
We can run a PowerShell command to check how delegation has been configured.
You will need to know:
- Whether the SquaredUp DS application pool is running as Network Service, or a domain service account (How to check and modify the application pool identity).
- Whether the System Center Data Access Service on the SCOM server is running as local system or a service account.
- The relevant Distinguished Name (DN). If the SquaredUp DS application pool is running as Network Service then you will need the DN for the SquaredUp server name. If it is using a domain service account you will need the DN of that user account.
We will be running the next command on a domain controller, and you can find the Distinguished Name using PowerShell on a domain controller. For Network Service use Get-ADComputer SquaredUpServer, for a domain service account useGet-ADUser SquaredUpAccount. Alternatively, you can get the DN on a non-domain controller by running the relevant SETSPN command, either SETSPN -L SquaredUpServer or SETSPN -L SquaredUpAccount.
- On a domain controller click on the Start button type:
powershell - Right-click on the PowerShell icon and click Run as administrator.
Get-ADObject "CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld" -Properties msDS-AllowedToDelegateTo
WhereCN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tldis the Distinguished Name (DN)
You should have an output similar to the following:
DistinguishedName : CN=SquaredUpServer,OU=organizational unit,DC=domain,DC=tld msDS-AllowedToDelegateTo : {MSOMSdkSvc/SCOMServerName.domain.tld, MSOMSdkSvc/SCOMServerName} Name : SquaredUpServer ObjectClass : computer ObjectGUID : f044abee-7ea2-49c6-8704-de379fecd1d4
- Check the
msDS-AllowedToDelegateToline.
If the System Center Data Access Service on the SCOM server is running as local system then msDS-AllowedToDelegateTo should show the correct SCOM server.
If the System Center Data Access Service is running as a service account then msDS-AllowedToDelegateTo should show the service account.
This information maps to the Trust this user for delegation to specified services only checkbox.