Enable Windows Authentication for Live Maps on a non-RMS Server

I’ve wanted to move my Live Maps installation off of my SCOM 2007 R2 RMS for some time now, but until recently I was under the impression that this was not possible with Windows-based authentication enabled in Live Maps. I attended MMS 2011 and stopped by the Savision booth in the expo to preview Savision’s new Vital Signs product (a must see!) and got to talking about this issue with Dennis Rietvink of Savision. He said it was very possible and to contact their support. When I got back from MMS I did, and Michiel Rens at Savision support referred me to Kevin Holman’s blog for a possible solution. Kevin goes into quite a bit of detail on the workaround. His solution is for running the SCOM console on another server with Windows-based authentication, but most of it is what enables the same for Live Maps. Please read Kevin Holman’s blog in detail before continuing. The goal of this post is to communicate what worked for me, in my environment. My environment consists of a Windows 2008 R2 RMS, a Windows 2008 R2 Live Maps server, and an AD domain at the Windows 2008 R2 functional level. Environments vary in operating systems, AD functional levels, and security policies, so be sure you know exactly what you are doing before implementing this solution!


  1. First you want to ensure that the intended account(s) can successfully access the intended Live Maps dashboards.
  2. Ensure that your RMS has SPNs (Service Principal Names) registered for your SDK service account. In the following example RMSSERVER is my RMS server, DOMAIN and domain.local are my domain, and SDKaccount01 is my SCOM SDK service account.
    • Check whether your SPNs are registered by running the following:
      setspn -L DOMAIN\sdkaccount01
      It should tell you that the SPN is registered under MSOMSdkSvc/RMSSERVER and MSOMSdkSvc/RMSSERVER.domain.local. If it is registered for both your RMS server’s hostname and FQDN, proceed to step 3.
    • If it is not registered for the RMS server’s hostname and FQDN, register it!
      setspn -a MSOMSdkSvc/RMSSERVER DOMAIN\SDKaccount01
      setspn -a MSOMSdkSvc/RMSSERVER.domain.local DOMAIN\SDKaccount01
  3. Verify your domain function level in AD Domains and Trusts (2003 or 2008…same solution works for 2008 R2).
  4. Verify “Account is sensitive and cannot be delegated” is NOT checked on the SCOM SDK service account in AD. You can see this option under the Account tab.
    • Configure constrained delegation.
    • Locate the Live Maps’ server computer object in AD, go to its properties and select the Delegation tab.
    • For Windows 2003 (also look at Kevin’s reference to hotfix issues):
      Select “Trust this computer for delegation to specified services only” and “Use Kerberos only”.
      Click the Add button and add the SCOM SDK service (in my case sdkaccount01). The “Add Services” box should show MSOMSdkSvc, click OK on all remaining windows.
    • For Windows 2008 and 2008 R2:
      Select “Trust this computer for delegation to any service (Kerberos only)”.
      Click OK on all remaining windows.
  5. If you haven’t already, enable Windows authentication for Live Maps on your Live Maps server.
    • Open Internet Information Services (IIS) Manager and go to the Live Maps site.
    • Open Authentication.
    • Enable “Windows Authentication” and disable “Forms Authentication”.
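As an added example that is not part of the original post, the following PowerShell (ActiveDirectory module) checks the prerequisites from steps 2 and 4 in one pass: both MSOMSdkSvc SPNs on the SDK account, the “sensitive and cannot be delegated” flag, and the delegation setting on the Live Maps server’s computer account. LIVEMAPSSERVER is an assumed name for that computer account; the other names are the post’s own placeholders.

```powershell
# Added example (not from the original post): verify the Kerberos prerequisites
# for Live Maps Windows authentication. Run from a domain-joined admin host with
# the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

$SdkAccount     = 'SDKaccount01'
$RmsHost        = 'RMSSERVER'
$RmsFqdn        = 'RMSSERVER.domain.local'
$LiveMapsServer = 'LIVEMAPSSERVER'   # assumed name, substitute your Live Maps server
$RequiredSpns   = "MSOMSdkSvc/$RmsHost", "MSOMSdkSvc/$RmsFqdn"

# Step 2: both the short-name and FQDN SPNs must be on the SDK service account.
$sdk = Get-ADUser -Identity $SdkAccount -Properties servicePrincipalName, AccountNotDelegated
foreach ($spn in $RequiredSpns) {
    if ($sdk.servicePrincipalName -contains $spn) {
        "OK      SPN registered: $spn"
    } else {
        "MISSING SPN: $spn  (fix: setspn -a $spn DOMAIN\$SdkAccount)"
    }
}

# Step 4: the SDK account must not be marked 'Account is sensitive and cannot be delegated'.
if ($sdk.AccountNotDelegated) {
    "FAIL    $SdkAccount has 'Account is sensitive and cannot be delegated' set"
} else {
    "OK      $SdkAccount may be delegated"
}

# Step 4 continued: inspect the Live Maps server's delegation configuration.
# A populated msDS-AllowedToDelegateTo means constrained delegation (the 2003 steps);
# TrustedForDelegation without a list means delegation to any service (the 2008 steps).
$lm = Get-ADComputer -Identity $LiveMapsServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$allowed = $lm.'msDS-AllowedToDelegateTo'
if ($allowed) {
    "INFO    $LiveMapsServer uses constrained delegation to:"
    $allowed | ForEach-Object { "          $_" }
    foreach ($spn in $RequiredSpns) {
        if ($allowed -notcontains $spn) { "WARN    $spn is not in the allowed-to-delegate list" }
    }
} elseif ($lm.TrustedForDelegation) {
    "WARN    $LiveMapsServer is trusted for delegation to ANY service (unconstrained)"
} else {
    "FAIL    $LiveMapsServer is not trusted for delegation; Windows auth will fail"
}
```

A WARN on the unconstrained branch is expected if you followed the 2008/2008 R2 steps above; it is reported so you can see at a glance which of the two delegation modes the computer account actually carries.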

Hopefully this works for you as it did for me. Good luck!

This entry was posted in Microsoft, SCOM.

One Response to Enable Windows Authentication for Live Maps on a non-RMS Server

  1. Excellent article, Stephen!
    Thanks for documenting and sharing your experience in getting the Live Maps Web Console using Windows Authentication on a non-RMS.
