Kevin Holman's System Center Blog


Installing the Web Console on a 2008 Management Server - using Windows Authentication



Below is a step-by-step walkthrough of taking a Windows Server 2008 Management Server and adding the Web Console to it, with the requirement of using Windows authentication.  The easiest method is to use Forms Based authentication for Web Console servers, but Windows Authentication is possible if you can leverage Kerberos constrained delegation (more on this later).

 

I will start by running setup, and checking the prerequisites for the web console:

 

image

 

We need to add the Web Server Role, and make sure we include all required sub roles.  This is documented here:

http://blogs.technet.com/kevinholman/archive/2008/09/26/how-to-install-iis-on-server-2008-to-support-opsmgr-web-console-and-reporting.aspx

 

Once IIS is installed correctly - now run the pre-requisite check again:

image

 

All good.  At this point - we can run SetupOM.exe, and add the web console component.

We will choose Windows Authentication for this exercise.

 

Setup should complete.  If you get an error here, you might need to open a case with Microsoft, as some hotfixes can block additional OpsMgr roles (such as the web console) from being added.  I had 951380, 954049, and 956240 installed, and I was not able to add the web console due to the following error:

 

Error 1334.The file File196.2FD07918_9082_437D_99BC_FD43602A4625 cannot be installed because the file cannot be found in cabinet file Data.Cab. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.
MSI (s) (00:84) [12:38:44:863]: Product: System Center Operations Manager 2007 -- Error 1334.The file File196.2FD07918_9082_437D_99BC_FD43602A4625 cannot be installed because the file cannot be found in cabinet file Data.Cab. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

image

 

If you are affected by this (it is also common when hotfixes won't apply), we need to do a little work in the registry.  Open HKCR\Installer\Products\DF6E5EFF035E66C49971553D96AA0E4D\Patches:

image

 

Back this key up by exporting it first.  Once it is backed up, delete the REG_SZ GUIDs, then open the "Patches" REG_MULTI_SZ value and delete all GUIDs from there.  When done, it should look like so:

 

image

 

****Note:  If you are running an OpsMgr management group that was originally installed as RTM and then upgraded to SP1, you might need to leave the following GUIDs in place in the registry when attempting this workaround:

727B3A3ADCF2D1945BFF1FD34105570A    (this references MOM2007QFEPreSP1.msp)
8CABA70B215243145A51419A9073262F    (this references MOM2007SP1.msp)

OR - I have seen these on x64:

727B3A3ADCF2D1945BFF1FD34105570A is MOM2007QFEPreSP1.msp
8817A55B3D84652468BCF9B1E587B78F is MOM2007SP1.msp


Now rerun setup.

Once setup is complete, there is one more thing to discuss.  KB 954049 is required for Server 2008 support.  If you had already applied this hotfix, you must now re-apply it in order to patch the web console files included in the hotfix.  The simplest way is to find the MSP file for your OS version in the C:\Program Files\System Center 2007 Hotfix Utility\ folders.

Once it is installed, make sure you re-import the original registry backup we took.  This workaround will typically get you through a web console add or a hotfix install.
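The registry workaround above can be scripted.  The following PowerShell is an added example, not code from the original post: it exports the key first, removes only the values whose name is a 32-character patch GUID (leaving any other value alone), and filters the "Patches" REG_MULTI_SZ list the same way.  The product code is the one shown in the post; $KeepPatches holds the SP1 GUIDs the note above says to leave in place on an RTM-to-SP1 upgraded management group, so set it to an empty array for a management group installed directly from SP1 media.  Run it elevated on the management server, and re-import the exported .reg file once the web console or hotfix install has succeeded.

```powershell
# Added example (not from the original post): script the HKCR\Installer
# patch-list workaround. Product code and patch GUIDs are the ones shown in
# the post; everything else is an assumption to adjust for your environment.
$ProductPatches = 'HKCR\Installer\Products\DF6E5EFF035E66C49971553D96AA0E4D\Patches'
$ProductKey     = "Registry::HKEY_CLASSES_ROOT\$($ProductPatches.Substring(5))"
$KeepPatches    = @(
    '727B3A3ADCF2D1945BFF1FD34105570A',  # MOM2007QFEPreSP1.msp
    '8CABA70B215243145A51419A9073262F',  # MOM2007SP1.msp (x86)
    '8817A55B3D84652468BCF9B1E587B78F'   # MOM2007SP1.msp (seen on x64)
)
$Backup = Join-Path $env:TEMP ('OpsMgrPatches-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Export the key so it can be re-imported after the install succeeds.
reg.exe export $ProductPatches $Backup /y | Out-Null
if (-not (Test-Path $Backup)) { throw "Backup of $ProductPatches failed; registry left untouched." }
"Backup written to $Backup (restore later with: reg import `"$Backup`")"

# Read everything before changing anything.
$key        = Get-Item -Path $ProductKey
$valueNames = $key.GetValueNames()
$patchList  = @($key.GetValue('Patches'))

# 2. Remove the per-patch REG_SZ values; skip 'Patches', the default value
#    and anything that is not a 32-hex-character patch GUID.
foreach ($name in $valueNames) {
    if ($name -notmatch '^[0-9A-F]{32}$') { continue }
    if ($KeepPatches -contains $name) { "keeping  $name"; continue }
    Remove-ItemProperty -Path $ProductKey -Name $name
    "removed  $name"
}

# 3. Filter the 'Patches' REG_MULTI_SZ list to the GUIDs we must keep.
$filtered = [string[]]@($patchList | Where-Object { $KeepPatches -contains $_ })
Set-ItemProperty -Path $ProductKey -Name 'Patches' -Value $filtered -Type MultiString
"Patches list now: $(if ($filtered.Count) { $filtered -join ', ' } else { '<empty>' })"
```

Only the "Patches" value is rewritten, matching the manual steps; the GUID-only filter is there so the script never deletes an installer value it does not understand.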

 

Once that is covered, let's test the console from the management server itself.  Launch the web console from the shortcut on the Start menu.

 

image

 

What you will likely see is one or more security prompts asking for your username and password; the console is trying to use Windows Authentication.  Once this fails, you will be presented with a forms-based authentication screen, or an error.

 

If you check the OpsMgr event log - you will likely see these errors:

Log Name:      Operations Manager
Source:        Web Console
Date:          9/24/2008 1:06:11 PM
Event ID:      10
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      OMMS3.opsmgr.net
Description:
Instance: 5ogbhfrszo2xqx45iw2wid45.

Error: Data Abstraction Layer: Exception while connecting to the server 'omrms.opsmgr.net'
Thread was being aborted.

This means we need to set up Kerberos constrained delegation so that Windows Authentication can work.

 

1.  Check the SPNs of the domain account used for the SDK service.  For instance, my domain is OPSMGR, my SDK account is OPSMGR\momsdk07, and my RMS is OMRMS.opsmgr.net.  I will begin by inspecting the SPNs attached to my SDK account:

setspn /L OPSMGR\momsdk07

Results:

Registered ServicePrincipalNames for CN=momsdk07,OU=SCOM,OU=Accounts,OU=US,DC=opsmgr,DC=net:
        MSOMSdkSvc/OMRMS
        MSOMSdkSvc/omrms.opsmgr.net

This is good.  If for any reason these are missing, we need to add the MSOMSdkSvc class SPNs for the RMS computer (both the NetBIOS name and the FQDN) to the domain account used for the SDK service.  In my case, this would look like:

setspn /a MSOMSdkSvc/OMRMS OPSMGR\momsdk07

setspn /a MSOMSdkSvc/OMRMS.opsmgr.net OPSMGR\momsdk07

 

2.  Verify the domain functional level.  If you are configuring constrained delegation, you need to verify that the domain is operating at the Windows Server 2003 functional level (this is required for constrained delegation).  Launch "Active Directory Domains and Trusts" with domain admin credentials.  In the console tree, right-click the domain for which you want to verify the domain level and select Properties in the context menu.

 

image

 

 

3.  Verify user account options. 

Open AD Users and Computers, and find the SDK account.  Examine the properties, account tab, and ensure that "Account is sensitive and cannot be delegated" is NOT selected.

 

image

 

 

4.  Configure constrained delegation:

In ADUC, find the computer account that the web console is installed on. 

Right click it, choose properties, and select the Delegation tab.

If in a Windows Server 2003 domain, on the Delegation tab, click Trust this computer for delegation to specified services only.

And choose the Use Kerberos only radio button.

image

Click the Add button

In the Add Services dialogue click the Users and Computers button

In the Select Users or Computers dialogue specify the domain account that the SDK service is running under and click OK.

image

 

In the Add Services dialogue select the service type MSOMSdkSvc and click OK.

image

 

Click OK to close the Properties Dialogue.  When complete - it will appear as:

 

image

 

Once this is complete, constrained delegation is set up.  You might need to wait for AD replication, and might need to bounce the SDK service on the RMS for this to start working.

These constrained delegation steps work perfectly for Windows Server 2003; however, you might not be successful in Server 2008.  For my Server 2008 Web Console, I had to change the Delegation option for the Web Console server to "Trust this computer for delegation to any service (Kerberos only)":

image
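As an added example that is not part of the original post, the following PowerShell script checks steps 1 through 4 above with the ActiveDirectory module (available with RSAT on Server 2008 R2 and later, not on the original Server 2008 host).  The account, host and SPN names follow the post's lab (OPSMGR\momsdk07, OMRMS / omrms.opsmgr.net, and OMMS3 as the web console server) and are assumptions to replace.  It also flags two things the walkthrough does not show on screen: a duplicate SPN held by a second principal, which breaks Kerberos the same way a missing SPN does, and the "any service" fallback, which is unconstrained delegation and grants the web console server far more than the single MSOMSdkSvc service it needs.

```powershell
# Added example (not from the original post): verify the Kerberos delegation
# prerequisites from steps 1-4. Names below are assumptions taken from the
# post's lab environment; replace them with your own.
Import-Module ActiveDirectory

$SdkAccount     = 'momsdk07'          # SDK service account (sAMAccountName)
$NetBiosDomain  = 'OPSMGR'
$RmsHost        = 'OMRMS'             # RMS NetBIOS name
$RmsFqdn        = 'omrms.opsmgr.net'  # RMS FQDN
$WebConsoleHost = 'OMMS3'             # computer the web console is installed on

# userAccountControl bits (UF_NOT_DELEGATED / UF_TRUSTED_FOR_DELEGATION)
$NOT_DELEGATED          = 0x100000    # "Account is sensitive and cannot be delegated"
$TRUSTED_FOR_DELEGATION = 0x080000    # "Trust this computer for delegation to any service"

# Step 1: both MSOMSdkSvc SPNs must be registered on the SDK account
$sdk      = Get-ADUser -Identity $SdkAccount -Properties servicePrincipalName, userAccountControl
$expected = @("MSOMSdkSvc/$RmsHost", "MSOMSdkSvc/$RmsFqdn")
foreach ($spn in $expected) {
    if ($sdk.servicePrincipalName -contains $spn) {
        "OK       SPN present: $spn"
    } else {
        "MISSING  SPN $spn  (fix: setspn /a $spn $NetBiosDomain\$SdkAccount)"
    }
    # A second principal holding the same SPN makes the KDC unable to pick a key,
    # so Kerberos fails just as it would with no SPN at all.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($holders.Count -gt 1) {
        "WARNING  duplicate SPN $spn on: $(($holders | ForEach-Object DistinguishedName) -join '; ')"
    }
}

# Step 2: constrained delegation needs Windows Server 2003 functional level or higher
$domain = Get-ADDomain
if ($domain.DomainMode -in 'Windows2000Domain', 'Windows2003InterimDomain') {
    "FAIL     domain functional level $($domain.DomainMode) does not support constrained delegation"
} else {
    "OK       domain functional level $($domain.DomainMode)"
}

# Step 3: the SDK account must not be marked "sensitive and cannot be delegated"
if ($sdk.userAccountControl -band $NOT_DELEGATED) {
    "FAIL     $SdkAccount has 'Account is sensitive and cannot be delegated' set"
} else {
    "OK       $SdkAccount may be delegated to"
}

# Step 4: delegation settings on the web console computer account
$web     = Get-ADComputer -Identity $WebConsoleHost -Properties 'msDS-AllowedToDelegateTo', userAccountControl
$allowed = @($web.'msDS-AllowedToDelegateTo')
if (($expected | Where-Object { $allowed -contains $_ }).Count -gt 0) {
    "OK       constrained delegation to MSOMSdkSvc on $RmsHost configured (Kerberos only)"
} elseif ($web.userAccountControl -band $TRUSTED_FOR_DELEGATION) {
    "WARNING  $WebConsoleHost trusts delegation to ANY service (unconstrained); the post's Server 2008 workaround, but broader than the MSOMSdkSvc service it needs"
} else {
    "FAIL     no delegation configured on $WebConsoleHost; set msDS-AllowedToDelegateTo to $($expected -join ', ')"
}
```

The `-in` operator and member enumeration used above need PowerShell 3 or later.  Treat the WARNING line as a finding to revisit: once the web console works, the constrained setting is the one to aim for, since an unconstrained host can obtain tickets to any service on behalf of every user who authenticates to it.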

Comments
  • I have the web console set up on a Server 2008 server.  The web console works if I log into the server with the SCOM administrator account, which is also an administrator on the server, but if I use any other account I get a

    "You do not have permission to view this directory or page."

  • Tim - a couple things - make sure those same users can launch a regular console... ensure they have access.

    Also - this was an old IIS restriction - make sure the users have log on locally rights to the Web Console server....

  • We have set up a single server configuration and cannot open the web console.  I tried to configure the settings but there is no SDK service account; the account runs under Local System!

  • If your web console is installed on the RMS, then this should just work... I don't know why it wouldn't unless there is an underlying problem with your IIS install.

    Is this on Server 2008?  If so - did you fully apply 954049 hotfix - and make sure the web console files got updated?

  • Mr Kevin Holman, you are indeed a SCOM 2007 legend. Many thanks for your expertise that is on display here for all to see. Your detailed walkthrough resolved my Web Console problems on my Windows 2008 host.

    Cheers!

  • Thanks a lot, that fixed my issues on win2k8 with a web console NOT installed on the RMS.  Thanks!!

  • quote: "Also - this was an old IIS restriction - make sure the users have log on locally rights to the Web Console server...."

    This has never been true with IIS websites (again security is only as good as its administrators :)) only if you're talking about FTP you are right.

    As for this walkthrough, it solved my problems on windows2008 (settings delegation to any service did solve it, yet another win2k8 bug?).

    Just one remark: ASP is not needed for the webconsole, but that's technically another document :)

  • I have followed your steps, but I run into a problem when I reinstall the console.  It keeps asking me to insert disk 1, even though I am using the DVD to install the web console and there is only one disk.  So I am confused, and I cannot get the web console to install.  Any ideas?

  • Kevin,

     Interesting situation, I got the web console working per your instructions in both our QA and PROD environment where it was not installed on the RMS using WA.

    I then upgraded both machines to the R2 Version, no problems with the web console. I then Uninstall R2 from my QA box, reinstalled a fresh copy of R2, without going the upgrade path.

    Now the Web Console won't work anymore with WA. I have a feeling something in that Patch didn't make it into the R2 Version.

  • Try removing the web console - and reinstalling it.... I have seen this happen with the web console and it appears to be pretty random.

    See this article from Marnix:

    http://thoughtsonopsmgr.blogspot.com/2009/08/opsmgr-r2-webconsole-wont-start-after.html

  • Please update with the R2 install on 2008 64-bit.  This outlines the issue, and I confirmed you must install the way the log specified:

    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.opsmgr.general&tid=9513ea7f-3038-4c1a-9c4a-389ad4cc2836&cat=1232FE96-0840-07ED-2D82-2D19F8FFDDF0&lang=en&cr=US&sloc=&p=1

  • Your comments, issue, and link have nothing to do with this blog post?

    You had an issue getting the web console to work on your RMS.... this is about how to get it to work when NOT on the RMS.

    Or am I confused?

  • Thanks.  Although I kinda knew this as I look after SharePoint 2007!

    An interesting aside is that this process also makes LiveMaps from SAVision use SSO too!  

    Even though their website and install docs say this cannot be done!

    Smart.

  • I have been trying to install the SP1 hotfix KB971541, which bombed until I removed the web console (as opposed to contacting PSS as you mentioned).  Now it won't reinstall, even after removing the reg keys you mentioned.  There is no pop-up error message; the installer just starts rolling back, then says the installation was interrupted.  What is there to try at this stage?  Thanks!

  • We have two separate forests that have a trust in between... Will SSO (Windows Authentication) work between the two forests?  When I am on a server that is not in the domain, I am challenged, and the web console works if I use a credential that is in the same domain as the web console.  If I use a credential that is in a different forest, then I fail even though a trust exists.
