When installing the Operations Manager Web Console role on a standalone server, separate from a management server, you must enable constrained delegation. This is because of the double-hop authentication path: the user's credentials must pass from the Web Console role server to the management server and then on to the SQL server.
There is no better way to configure constrained delegation than to use the DelegConfig utility written by Brian Murphy. Once you set up DelegConfig, its wizard will give you all the SPNs and Active Directory changes required to get the SCOM Web Console fully operational.
First we need to download the DelegConfig utility.
Unzip the file and copy the Kerberos directory under your default website root on your Web Console role server. Example – C:\Inetpub\wwwroot\Kerberos
Open IIS Manager, select the Kerberos folder, right-click and select Convert to Application.
From your desktop or another server, open Internet Explorer, browse to the Kerberos web application and select the Wizard link. Example – http://omweb1.contoso.com/kerberos
Start the Kerberos and Delegation Configuration Wizard
Do not select Yes to configure the current environment.
Select SCOM for the Service Type of Front-End.
Type in the host name used to connect to your Web Console. This example is showing dc1, but never install the Web Console on a domain controller in production.
A nice thing about this utility is that it will also allow you to configure a load balanced Web Console installation.
Select Next to continue…
You don’t need to specify a port so select Next…
For the Service Account Name, select APPLICATION POOL IDENTITY.
Select Yes for Trust for Delegation.
Select Trust this account for delegation to any service (Kerberos only).
Select SCOM as the Service Type of Back-end (2nd tier).
Type in the Host Name of the Operations Manager management server you have configured as the connection from the Web Console.
If you have load balanced your management servers for Web Console and Console connections, you can configure that too.
Click Next to continue; you do not need to configure Kernel Mode.
Click Next for the Port Number.
Select Configured and enter the service account used for the Configuration and Data Access services.
Time to configure the second hop: select Yes for Trust for Delegation.
Select Trust this account for delegation to any service (Kerberos only).
Select SQL for the Service Type of Back-end (3rd tier).
Select the Host Name of your OperationsManager SQL Server.
Select Not Applicable for Load Balanced.
You can skip Kernel Mode configuration again.
Select the SQL Port Number or Instance Name. Default is 1433.
Enter the Service Account used for SQL Server.
Select No, then Finished to complete the wizard.
Once the wizard has completed, you will have a full report of any missing configuration. The first thing missing is an SPN for the SCOM service account.
The report also shows the changes you need to make in Active Directory for the Service Account.
If any SPNs are missing for SQL, the report will help you with that too!
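The report lists the SPNs and delegation settings for each hop, but it is still worth checking what is actually registered before and after you apply them. The PowerShell below is an added example, not part of the original post and not part of DelegConfig; it assumes the host name omweb1.contoso.com from the post, and every other host and account name (svc_omweb, omms1.contoso.com, svc_omsdk, omsql1.contoso.com, svc_omsql) is a placeholder you replace with the values from your own report. It registers each hop's SPN only if it is not already present (duplicate SPNs are the usual reason a double hop half-works), shows how each account is currently trusted for delegation, and, as a tighter alternative to the wizard's "any service" choice, constrains each account so it can only delegate to the next hop's SPN.

```powershell
# Added example (not from the original post or DelegConfig). Assumed names below.
# Run as an account with rights to write SPNs and delegation attributes, on a
# machine with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

# --- Assumed names; replace with the values from your own DelegConfig report ---
$WebConsoleHost = 'omweb1.contoso.com'   # Web Console role server (from the post's example URL)
$WebPoolAccount = 'svc_omweb'            # assumed: account used as the application pool identity
$MgmtServerHost = 'omms1.contoso.com'    # assumed: management server the Web Console connects to
$SdkAccount     = 'svc_omsdk'            # assumed: Configuration / Data Access service account
$SqlHost        = 'omsql1.contoso.com'   # assumed: OperationsManager SQL Server
$SqlPort        = 1433                   # default port, as noted in the wizard step
$SqlAccount     = 'svc_omsql'            # assumed: SQL Server service account

# SPNs currently registered on an account, for comparison against the report.
function Get-RegisteredSpn {
    param([string]$Account)
    (Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName
}

# Registers an SPN only if the account does not already hold it.
# setspn -S also refuses to create a duplicate of an SPN held elsewhere in the
# forest; a duplicate silently breaks Kerberos for that service.
function Register-SpnIfMissing {
    param([string]$Spn, [string]$Account)
    if ((Get-RegisteredSpn -Account $Account) -contains $Spn) {
        Write-Host "Already registered: $Spn -> $Account"
        return
    }
    setspn -S $Spn $Account
}

# How each account is trusted for delegation.
# TrustedForDelegation = True is the wizard's "any service (Kerberos only)"
# choice; msDS-AllowedToDelegateTo lists the specific target SPNs when
# delegation has been constrained instead.
function Get-DelegationState {
    param([string]$Account)
    Get-ADUser -Identity $Account -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
        Select-Object SamAccountName, TrustedForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
}

# Constrains an account so it may only delegate to the listed target SPNs
# (the next hop in the chain). TrustedForDelegation is cleared because the
# "any service" flag takes precedence over the constrained list if both are set.
function Set-ConstrainedDelegation {
    param([string]$Account, [string[]]$TargetSpn)
    Set-ADUser -Identity $Account -TrustedForDelegation $false
    Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
}

# --- Hop 1: Web Console (HTTP), running as the application pool identity ---
Register-SpnIfMissing -Spn "HTTP/$WebConsoleHost" -Account $WebPoolAccount
Register-SpnIfMissing -Spn "HTTP/$($WebConsoleHost.Split('.')[0])" -Account $WebPoolAccount

# --- Hop 2: Operations Manager Data Access (SDK) service on the management server ---
Register-SpnIfMissing -Spn "MSOMSdkSvc/$MgmtServerHost" -Account $SdkAccount
Register-SpnIfMissing -Spn "MSOMSdkSvc/$($MgmtServerHost.Split('.')[0])" -Account $SdkAccount

# --- Hop 3: SQL Server hosting the OperationsManager database ---
Register-SpnIfMissing -Spn "MSSQLSvc/${SqlHost}:$SqlPort" -Account $SqlAccount

# Constrain each hop to the next hop only, then review the resulting state.
Set-ConstrainedDelegation -Account $WebPoolAccount -TargetSpn @("MSOMSdkSvc/$MgmtServerHost")
Set-ConstrainedDelegation -Account $SdkAccount     -TargetSpn @("MSSQLSvc/${SqlHost}:$SqlPort")

$WebPoolAccount, $SdkAccount, $SqlAccount |
    ForEach-Object { Get-DelegationState -Account $_ } |
    Format-Table -AutoSize
```

Run the Get-RegisteredSpn and Get-DelegationState calls on their own first and compare the output with the report; only then apply the Register and Set calls. Constraining each account to the next hop's SPN limits what a compromised Web Console or management server account could reach with a forwarded ticket, which is the point of constrained rather than open delegation.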