Using DelegConfig to configure constrained delegation for SCOM Web Console

When installing the Operations Manager Web Console role on a standalone server, separate from a management server, you must enable constrained delegation. This is because of the double-hop authentication from the Web Console role server to the management server and on to the SQL server.

There is no better way to configure constrained delegation than to use the DelegConfig utility written by Brian Murphy. Once you configure DelegConfig, it presents a wizard that gives you all the SPNs and Active Directory changes required to get the SCOM Web Console fully operational.

First we need to download the DelegConfig utility.

Unzip the file and copy the Kerberos directory under your default website root on your Web Console role server. Example – C:\Inetpub\wwwroot\Kerberos

Open IIS Manager, select the Kerberos folder, right-click and select Convert to Application.

From your desktop or another server, open Internet Explorer, browse to the Kerberos web application and select the Wizard link. Example – http://omweb1.contoso.com/kerberos

Start the Kerberos and Delegation Configuration Wizard.

Do not select Yes to configure the current environment.

Select SCOM for the Service Type of Front-End.

Type in the host name used to connect to your Web Console. This example is showing dc1, but never install the Web Console on a domain controller in production.

A nice feature of this utility is that it also lets you configure a load-balanced Web Console installation.

Select Next to continue…

You don’t need to specify a port, so select Next…

For the Service Account Name, select APPLICATION POOL IDENTITY.

Select Yes for Trust for Delegation.

Select Trust this account for delegation to any service (Kerberos only).

Select SCOM as the Service Type of Back-end (2nd tier).

Type in the Host Name of the Operations Manager management server you have configured as the connection from the Web Console.

If you have load balanced your management servers for Web Console and console connections, you can configure that too.

Click Next to continue; you do not need to configure Kernel Mode.

Click Next for the Port Number.

Select Configured and enter the service account used for the Configuration and Data Access services.

Time to configure the second hop: select Yes for Trust for Delegation.

Select Trust this account for delegation to any service (Kerberos only).

Select SQL for the Service Type of Back-end (3rd tier).

Select the Host Name of your OperationsManager SQL Server.

Select Not Applicable for Load Balanced.

You can skip Kernel Mode configuration again.

Select the SQL Port Number or Instance Name. The default port is 1433.

Enter the Service Account used for SQL Server.

Select No, then Finished to complete the wizard.

Once the wizard has completed, you will have a full report of any missing configuration. The first thing missing here is an SPN for the SCOM service account.

The report also shows changes you need to make in Active Directory for the Service Account.

If any SPNs are missing for SQL, the report will help you with that too!
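Once you have worked through the report, it is worth confirming the resulting state in Active Directory from the domain side rather than only from the wizard. The PowerShell script below is an added example and is not part of the original post or of the DelegConfig utility. It uses the ActiveDirectory module to list the SPNs and delegation settings on the SCOM Configuration/Data Access service account and the SQL Server service account, compares them with the SPNs the two back-end tiers need (the MSOMSdkSvc class for the management server, the MSSQLSvc class for SQL Server), prints the setspn command for any SPN that is missing, and reports whether each account's delegation is unconstrained (the "any service" option selected in the wizard, stored in the TrustedForDelegation flag) or constrained to the target SPNs listed in msDS-AllowedToDelegateTo. The account names, server names, domain suffix and port are placeholders; replace them with your own values.

```powershell
# Added example, not from the original post or the DelegConfig tool: audit the
# SPNs and delegation settings the DelegConfig report checks. Run from a machine
# with the ActiveDirectory module, as an account that can read AD user objects.
Import-Module ActiveDirectory

# --- Placeholders: replace with your environment's values --------------------
$scomSdkAccount = 'svc-scomsdk'   # Configuration/Data Access service account (sAMAccountName)
$sqlAccount     = 'svc-sql'       # SQL Server service account (sAMAccountName)
$mgmtServer     = 'omms1'         # management server the Web Console connects to
$sqlServer      = 'sql1'          # OperationsManager database server
$domainSuffix   = 'contoso.com'   # DNS suffix of the hosts above
$sqlPort        = 1433            # default SQL port, as accepted in the wizard

# SPNs each back-end tier needs. MSOMSdkSvc is the SCOM SDK (Data Access)
# service class; MSSQLSvc is the SQL Server service class.
$expectedSpns = @{
    $scomSdkAccount = @("MSOMSdkSvc/${mgmtServer}", "MSOMSdkSvc/${mgmtServer}.${domainSuffix}")
    $sqlAccount     = @("MSSQLSvc/${sqlServer}.${domainSuffix}",
                        "MSSQLSvc/${sqlServer}.${domainSuffix}:${sqlPort}")
}

function Get-DelegationState {
    # Returns the SPNs and delegation-related attributes of one AD user account.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    [pscustomobject]@{
        Account                 = $u.SamAccountName
        RegisteredSPNs          = @($u.ServicePrincipalName)
        # "Trust this account for delegation to any service (Kerberos only)"
        # sets this flag: the account may delegate to any service.
        UnconstrainedDelegation = [bool]$u.TrustedForDelegation
        # Constrained delegation instead lists the only target SPNs allowed.
        ConstrainedTargets      = @($u.'msDS-AllowedToDelegateTo')
        # "Use any authentication protocol" (protocol transition), if enabled.
        ProtocolTransition      = [bool]$u.TrustedToAuthForDelegation
    }
}

function Get-MissingSpns {
    # Returns the expected SPNs that are not registered on the account.
    param([string[]]$Expected, [string[]]$Registered)
    return @($Expected | Where-Object { $Registered -notcontains $_ })
}

foreach ($account in $expectedSpns.Keys) {
    $state = Get-DelegationState -SamAccountName $account
    $state | Format-List

    $missing = Get-MissingSpns -Expected $expectedSpns[$account] -Registered $state.RegisteredSPNs
    foreach ($spn in $missing) {
        # setspn -S checks for duplicates before adding, so it also catches the
        # SPN already being registered on a different account.
        Write-Host "Missing SPN on ${account}; register it with: setspn -S $spn $account"
    }

    if ($state.UnconstrainedDelegation) {
        Write-Host "${account}: delegation is unconstrained (trusted for delegation to any service)."
    } elseif ($state.ConstrainedTargets.Count -gt 0) {
        Write-Host "${account}: delegation is constrained to: $($state.ConstrainedTargets -join ', ')"
    } else {
        Write-Host "${account}: delegation is not enabled."
    }
}
```

The script only reads from Active Directory and prints the setspn commands rather than running them, so you can compare its output with the DelegConfig report before making any change. Each SPN is expected on exactly one account; if setspn -S reports a duplicate, the SPN is already registered elsewhere and that is the first thing to resolve, since a duplicate SPN breaks Kerberos authentication for both accounts.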
