Posts by Tao Yang:
I was trying to configure single sign-on for the OpsMgr 2012 Web Consoles so dashboard users don’t need to enter credentials on shared display screens. I spent almost a day trying to make it work until I gave up and called Microsoft Premier Support yesterday.
On all my management groups, web consoles are installed on dedicated servers. All the web consoles connect to the management servers' Load Balancing (NLB) address for the Data Access Service rather than to individual management servers.
Long story short, since I couldn’t find clear instructions / requirements for OpsMgr 2012 Web Console single sign-on, the steps listed below are what I had to take to make this work with the help of Microsoft CSS.
1. Data Access Service (SDK) SPNs
Make sure the SPNs for the management servers' Data Access Service are correctly configured. SPNs are also required for the NLB addresses:
2. Web Console config file Web.Config
In <OpsMgr 2012 R2 Install Dir>\WebConsole\WebHost\Web.config, the connection tag is configured as below:
<connection autoSignIn="True" autoSignOutInterval="0">
  <managementServer name="<Mgmt Server or NLB Address>"/>
</connection>
Note: I also configured autoSignOutInterval="0" so the web console doesn’t time out.
Further down in the web.config file, make sure authentication mode is set to “Windows”:
<authentication mode="Windows" />
Note: According to the note shown above, the Anonymous authentication should be disabled and Windows Authentication should be enabled for the OperationsManager vroot in IIS.
3. Constrained Delegation on the Web Console computer account
While I was trying to make it work before calling Microsoft, I followed the guide from this blog article: Running the Web Console Server on a standalone server using Windows Authentication. Although it was written for OpsMgr 2007, constrained delegation is still required.
I added the MSOMSdkSvc service for all management servers to the list as instructed on the last page of this document:
The above screenshot was taken from the guide. However, it turned out that the guide doesn’t seem to be 100% correct for OpsMgr 2012 (I can’t confirm for 2007 as I don’t have a 2007 management group in my lab anymore).
Instead of choosing “Use Kerberos Only”, we should choose the other option “Use any authentication protocol”. This is where I got stuck as before I called Microsoft, I did change the NLB address to a management server in the web.config but it didn’t make a difference. Otherwise it would have worked then.
I also had to add the NLB address to the list because my web console is configured to use NLB:
This is all that’s required for Single Sign On. After I rebooted the web console server, I managed to open the console without getting prompted for credentials.
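The three steps above can be verified from the web console server with a script like the following. It is an added example, not part of the original post or of Microsoft's guidance; the parameter names, the `Default Web Site` site name, and the availability of the ActiveDirectory (RSAT) and WebAdministration modules are assumptions.

```powershell
# Added verification sketch (not from the original post). Run on the web console server.
# Assumes the ActiveDirectory (RSAT) and WebAdministration modules are installed.
param(
    [Parameter(Mandatory)][string[]]$SdkHosts,    # management server names + NLB name, as used in Web.config
    [Parameter(Mandatory)][string]$InstallDir,    # the page's <OpsMgr 2012 R2 Install Dir>
    [string]$WebConsole  = $env:COMPUTERNAME,
    [string]$IisLocation = 'Default Web Site/OperationsManager'   # site name is an assumption
)
Import-Module ActiveDirectory, WebAdministration
function New-Check($Step, $Item, $Ok) { [pscustomobject]@{ Step = $Step; Item = $Item; Pass = [bool]$Ok } }

$spns = $SdkHosts | ForEach-Object { "MSOMSdkSvc/$_" }
$results = @(
    # Step 1: every SDK SPN must sit on exactly one account (0 = missing, >1 = duplicate)
    foreach ($spn in $spns) {
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        New-Check 'SPN' "$spn has $($owners.Count) owner(s)" ($owners.Count -eq 1)
    }

    # Step 2: Web.config settings described in the post
    [xml]$cfg = Get-Content -Raw (Join-Path $InstallDir 'WebConsole\WebHost\Web.config')
    $conn = $cfg.GetElementsByTagName('connection') | Select-Object -First 1
    $auth = $cfg.GetElementsByTagName('authentication') | Where-Object { $_.mode } | Select-Object -First 1
    New-Check 'Web.config' "autoSignIn=$($conn.autoSignIn)" ($conn.autoSignIn -eq 'True')
    New-Check 'Web.config' "authentication mode=$($auth.mode)" ($auth.mode -eq 'Windows')

    # Step 2 (IIS): Anonymous off, Windows Authentication on for the OperationsManager vroot
    $f    = 'system.webServer/security/authentication'
    $anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisLocation -Filter "$f/anonymousAuthentication" -Name enabled).Value
    $win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $IisLocation -Filter "$f/windowsAuthentication" -Name enabled).Value
    New-Check 'IIS' "anonymous=$anon windows=$win" ((-not $anon) -and $win)

    # Step 3: constrained delegation on the web console computer account
    $c = Get-ADComputer $WebConsole -Properties TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    New-Check 'Delegation' 'Use any authentication protocol' $c.TrustedToAuthForDelegation
    $allowed = @($c.'msDS-AllowedToDelegateTo')
    foreach ($spn in $spns) { New-Check 'Delegation' "allowed to $spn" ($allowed -contains $spn) }

    # Keep the delegation list tight: only SDK service SPNs should be present
    $extra = @($allowed | Where-Object { $_ -and $_ -notlike 'MSOMSdkSvc/*' })
    New-Check 'Delegation' "non-SDK targets: $($extra.Count)" ($extra.Count -eq 0)
)
$results | Format-Table -AutoSize
```

`TrustedToAuthForDelegation` is the Active Directory property behind the “Use any authentication protocol” option. Because that option enables Kerberos protocol transition for the computer account, the last check flags any delegation target other than the SDK service.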
Disclaimer: this article is purely based on my own experience. I managed to configure single sign-on on 4 OpsMgr 2012 R2 management groups at work and 1 at home. Please don’t hold me accountable for any issues you may have in your environment.
One thing I really don’t like about SCUP 2011 is, the settings are user specific, which means different users will have to manually configure SCUP settings on the same computer. By default, even the SCUP database is stored within the user’s profile. There are already many articles out there on how to change the SCUP […]
A couple of weeks ago, we had to completely rebuild a SQL server hosting OpsMgr 2012 R2 Data Warehouse DB (reinstall OS, SQL, etc). After I restored the OperationsManagerDW database from the backup, the following error was logged to the Application Event log by SQL every minute: Error 777971002, severity 14, state 10 was raised, but […]
Creating a data source for the OpsMgr Operational DB is a very common practice. This is required for many 3rd party OpsMgr reports. Kevin Holman blogged the instruction here. In my case, I’m creating a data source called OperationalDataBaseMain for my favourite report MP SCC Health Check Management Pack. Other than the data source […]
This is the 2nd part of 2-part blog series. Part 1 can be found HERE. In Part 1, I went through the issues I had with deploying OpsMgr 2012 R2 agent via ConfigMgr 2007. In this article, I will go through the steps I took to deploy OpsMgr 2012 R2 agent using ConfigMgr 2012 Application […]
By reading the title of this article, you may think, this practice is so common, is it worth blogging? Before I started this task, I thought it should be a quick one that I can knock off in 30 minutes. I have to say, I was wrong; I ended up spending a few days on it. […]
27/01/2014 Update: A colleague of mine advised me the rsreportserver.config file for the SSRS instance also needs to be updated according to this Technet forum thread. I have updated this article reflecting this additional step. I just came back to work this week after a 4-week holiday in China. Today I have upgraded work’s OpsMgr […]
To Check if WinRM has been enabled on a Remote machine: To Check the Default HTTP listener port on a remote machine: To Check the Default HTTPS listener port on a remote machine: