Users unable to logon when Kerberos constrained delegation configured

If users are presented with the SquaredUp DS logon screen (rather than the browser's own login prompt described below), see Troubleshooting users being unable to logon.

Symptoms

When users attempt to log on to SquaredUp DS they receive a browser-based login prompt.

The following error is logged in the SquaredUp DS log file (see Where to find log files):

[ERR] SCOM connectivity error: unauthorized System.UnauthorizedAccessException: The user does not have sufficient permission to perform the operation.

Cause

SquaredUp DS accesses SCOM using the end user's credentials. When Windows authentication is being used and SquaredUp DS is deployed on a dedicated server (not a SCOM server), the end user first authenticates with the SquaredUp server, and then the SquaredUp server impersonates the end user and authenticates with the SCOM Management Server. This requirement to authenticate a second time is known as a 'double-hop' and requires Kerberos delegation to be configured correctly.

Kerberos delegation involves complex configuration. Kerberos authentication must already be working between the client, the web server and the management server, which in turn depends on Service Principal Names (SPNs) being registered correctly: the HTTP SPN for the SquaredUp DS site on the account that runs it, and the SCOM SDK service SPN on the account that runs the Data Access service, each registered exactly once. The SquaredUp server's identity must also be allowed to delegate to the SCOM SDK service. A missing or duplicated SPN makes the browser silently fall back to NTLM, which cannot be delegated.

You may find that a user who logs on to SquaredUp DS from a client authenticates successfully if that same user has also logged on to the SquaredUp server itself and opened the browser there. While that logon session is still live, the SquaredUp server already holds the user's own credentials and can obtain a ticket to SCOM directly, so it is in effect only a one-hop authentication and no delegation is needed. This can cause confusion when diagnosing the issue: always test with an account that has no logon session on the SquaredUp server.
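The checks below are an added example, not SquaredUp's own tooling or part of the original article. The script verifies the pieces the double hop depends on: that the HTTP SPN and the SCOM SDK service SPN (MSOMSdkSvc) are each registered exactly once on the expected accounts, that the SquaredUp web identity is allowed constrained delegation to the SCOM SDK SPNs, and, when run on a client after loading the page, that the browser actually obtained a Kerberos ticket rather than falling back to NTLM. All host and account names are placeholders for a hypothetical environment; the app pool is assumed to run as a domain user account (if it runs as Network Service, the web server's computer account holds the SPNs and the delegation setting instead).

```powershell
# Added example (not SquaredUp's own code). Requires the ActiveDirectory RSAT module and a
# domain-joined session that can read AD. Every name below is an assumed placeholder.
Import-Module ActiveDirectory

$WebHost     = 'squaredup.corp.example'   # assumption: host name in the SquaredUp DS URL
$WebIdentity = 'svc-squaredup'            # assumption: sAMAccountName of the IIS app pool identity
$ScomServer  = 'scom01.corp.example'      # assumption: SCOM Management Server FQDN
$SdkAccount  = 'svc-scomsdk'              # assumption: sAMAccountName running the SCOM Data Access service

$ScomShort = $ScomServer.Split('.')[0]
$WebSpn    = "HTTP/$WebHost"
$ScomSpns  = @("MSOMSdkSvc/$ScomShort", "MSOMSdkSvc/$ScomServer")

function Get-SpnOwners([string]$Spn) {
    # Every AD object carrying this SPN. Zero owners = SPN missing; more than one = duplicate.
    # Either case means the KDC will not issue a ticket and the browser falls back to NTLM.
    @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName)
}

function Test-Spn([string]$Spn, [string]$ExpectedOwner) {
    $owners = Get-SpnOwners $Spn
    switch ($owners.Count) {
        0 { Write-Warning "$Spn is not registered on any account (expected $ExpectedOwner)" }
        1 {
            if ($owners[0] -ieq $ExpectedOwner) { Write-Host "OK   $Spn -> $ExpectedOwner" }
            else { Write-Warning "$Spn is registered on $($owners[0]), not $ExpectedOwner" }
        }
        default { Write-Warning "$Spn is DUPLICATED on: $($owners -join ', ')" }
    }
}

function Test-Delegation {
    # Constrained delegation is stored on the delegating account in msDS-AllowedToDelegateTo.
    $acct = Get-ADUser $WebIdentity -Properties 'msDS-AllowedToDelegateTo',
                                                'TrustedForDelegation',
                                                'TrustedToAuthForDelegation'
    if ($acct.TrustedForDelegation) {
        Write-Warning "$WebIdentity is trusted for UNCONSTRAINED delegation; constrain it to the SCOM SDK SPNs"
    }
    if ($acct.TrustedToAuthForDelegation) {
        Write-Host "Note: $WebIdentity uses protocol transition (any authentication protocol)"
    }
    $allowed = @($acct.'msDS-AllowedToDelegateTo')
    foreach ($spn in $ScomSpns) {
        if ($allowed -icontains $spn) { Write-Host "OK   $WebIdentity may delegate to $spn" }
        else { Write-Warning "$WebIdentity is NOT allowed to delegate to $spn (Delegation tab on the account)" }
    }
}

function Test-ClientTicket {
    # Run on a CLIENT, logged on as a user with no session on the SquaredUp server, right after
    # loading the SquaredUp DS page. A ticket for HTTP/<host> must be present in the cache;
    # if it is not, the browser negotiated NTLM and delegation can never succeed.
    $cache = klist 2>&1 | Out-String
    if ($cache -match "(?i)Server:\s+$([regex]::Escape($WebSpn))") {
        Write-Host "OK   client holds a Kerberos service ticket for $WebSpn"
    } else {
        Write-Warning "No ticket for $WebSpn in the client cache; check the browser's intranet zone settings and the SPN"
    }
}

Test-Spn $WebSpn $WebIdentity
foreach ($spn in $ScomSpns) { Test-Spn $spn $SdkAccount }
Test-Delegation
Test-ClientTicket
```

Run the AD checks from any domain-joined machine with RSAT; run Test-ClientTicket on a workstation, not on the SquaredUp server, because a logon session there already holds the user's credentials and would mask a delegation failure (the one-hop case described above). A `klist purge` on the client before reloading the page gives a clean view of what the browser negotiated.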

Resolution

Follow the guide User authentication methods for SquaredUp DS for SCOM, then work through the Troubleshooting Kerberos article.
