By Pete Zerger on 7/2/2009 5:18:05 PM

The web console has come a long way in the last release, so no doubt more administrators are using this tool. And the whole point is to bring some flexibility to our lives as OpsMgr administrators, so accessing the Web Console securely from anywhere is a fairly common need.

There are a couple of things to be aware of where the Web Console is concerned:

  • If your Web Console is not hosted on the Root Management Server (RMS), be aware of the Kerberos double hop issue. In short, Windows will not forward impersonated credentials from the server hosting the Web Console to the RMS.
  • To see this in action, set up a remote Web Console and then access it first remotely from your desktop, and then again locally from the console of the server hosting the Web Console. (More on the double-hop issue HERE).

Securing Credentials Traversing the Internet

Secondly, remember that when accessing the Web Console from the Internet, we don't have domain credentials that can be passed, so this will be a problem when exposing the Web Console to administrators on the Internet as well.

On the LAN, we'd use Kerberos delegation (or constrained delegation) to work around this limitation, essentially configuring computers to be "trusted for delegation" in Active Directory, which allows the forwarding of impersonated credentials. But in our case, we need to actually present a login UI to capture credentials from the user.

In the .NET and OpsMgr world, the means to this end is to configure the Web Console to use Forms-based authentication. Forms-based authentication is an ASP.NET authentication service that enables applications to provide their own logon UI and do their own credential verification. ASP.NET authenticates users, redirecting unauthenticated users to the logon page, and performing all the necessary cookie management. This sort of authentication is a popular technique used by many Web sites.

Like any .NET web application, this setting is actually controlled in the web.config file for the application. For the OpsMgr Web Console, you'll find this in the %programfiles%\System Center Operations Manager 2007\Web Console directory on the server hosting the Web Console.

You can easily uninstall and reinstall the Web Console, selecting Forms authentication on the reinstall, or you can simply edit your web.config file to enable Forms authentication. If Forms-based authentication is enabled, or if you wish to enable it, the <authentication> section in your web.config file should be configured to look like this:

<authentication mode="Forms">
<forms requireSSL="true" />
</authentication>

You'll note here that requireSSL is set to true, which is the default when using Forms-based authentication with the Web Console. I would recommend against using Forms-based authentication without SSL, as it will result in Active Directory credentials traversing the Internet in clear text. So for the solution to be functional and secure, you'll need to secure the Web Console site in IIS with an SSL certificate from your certificate authority or purchase one from one of the many companies who issue SSL certificates (at a cost) on the Internet.
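
One way to check an existing web.config for this setting, as an added PowerShell example that is not part of the original post. The function name Test-FormsAuthConfig and the sample XML strings are constructed for illustration; the file path in the comment is the directory named above.

```powershell
# Added example (not from the original post): audit the <authentication>
# section of a Web Console web.config for Forms auth with requireSSL.
function Test-FormsAuthConfig {
    param([Parameter(Mandatory = $true)][xml]$Config)

    # local-name() keeps the query working if <configuration> declares an xmlns.
    $xpath = "/*[local-name()='configuration']/*[local-name()='system.web']" +
             "/*[local-name()='authentication']"
    $auth = $Config.SelectSingleNode($xpath)
    if ($null -eq $auth) {
        return 'FAIL: no <authentication> element under <system.web>'
    }

    $mode = $auth.GetAttribute('mode')
    if ($mode -ne 'Forms') {
        return "INFO: authentication mode is '$mode', not Forms (no logon page)"
    }

    # ASP.NET treats a missing requireSSL attribute as false, so a bare
    # <forms /> element (or none at all) is reported as a failure.
    $forms = $auth.SelectSingleNode("*[local-name()='forms']")
    $requireSsl = if ($null -ne $forms) { $forms.GetAttribute('requireSSL') } else { '' }
    if ($requireSsl -ne 'true') {
        return 'FAIL: Forms authentication without requireSSL="true"'
    }
    return 'OK: Forms authentication with requireSSL="true"'
}

# Constructed sample inputs. On the Web Console server, load the real file:
#   $path = Join-Path $env:ProgramFiles 'System Center Operations Manager 2007\Web Console\web.config'
#   Test-FormsAuthConfig -Config ([xml](Get-Content $path))
$samples = @(
    '<configuration><system.web><authentication mode="Forms"><forms requireSSL="true" /></authentication></system.web></configuration>',
    '<configuration><system.web><authentication mode="Forms"><forms /></authentication></system.web></configuration>',
    '<configuration><system.web><authentication mode="Windows" /></system.web></configuration>'
)
foreach ($s in $samples) {
    Test-FormsAuthConfig -Config ([xml]$s)
}
```

The three samples report OK, FAIL and INFO in that order; the second case is the one to watch for after a hand edit, because the logon page still appears while the cookie is no longer restricted to SSL.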

The result is a login UI rather than the Web Console being launched directly without a prompt for credentials (see image below). And when deployed with SSL, you can enjoy secure, anywhere-access to your Operations Manager 2007 deployment.

[Image: WebConsole]

In a future post on this topic, we'll cover how to publish the Web Console through ISA 2004/2006.
