After enabling SSO users have lost access to their Cloud and VMs

  • Question

  • Dear All,

    After I enabled SSO, users lost access to their Cloud and VMs.

    If I turn it off, VMs and cloud are back.

    Any idea about this issue? For background info, I have installed all patches on SCVMM and APP (Rollup 2 included).

    Thanks in advance

    Monday, November 19, 2012 2:34 PM

All replies

  • Hi elsaxo,

    Is there anything special about the way your domain is configured?

    Are the credentials that users log into App Controller exactly the same as they use to log into their computer?

    e.g. contoso\user1

    My two initial thoughts are:

    1. That different accounts are being used to log into the PC and App Controller.
    2. Constrained delegation is not correctly configured.

    You can test the first theory using the VMM console installed on a computer that a user is using.

    1. Log in to the computer as a user who is affected by the issue you describe.
    2. Open the VMM console and select the radio button "Use current Microsoft Windows session identity" on the Connect to Server screen.

    When the console opens, if the user doesn't see their clouds and VMs then it indicates that the user account used when logging into their PC is not the same as used for accessing clouds/virtual machines.

    Another test you can perform is:

    1. Enable SSO for App Controller.
    2. Open a command prompt and run the following command:
       runas /user:contoso\admin "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
       Specify the username for the user you are testing with - it should match what they enter to log into App Controller.
       Update the path to Internet Explorer if it is different on your computer.
    3. Navigate to the App Controller website.

    If you can see the clouds and VMs for the user then it indicates that the user account used when logging into their PC is not the same as used for accessing clouds/virtual machines.

    If you do not see the clouds and VMs for the user, it is likely that single sign on is not correctly configured. In particular, verify you've followed the steps for enabling constrained delegation.

    Kind Regards,

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, November 27, 2012 12:06 AM
  • Hi Richard,

    We are also having the same issue.

    We have updated our SCVMM (which is clustered) to UR2 and also the console update.

    We have updated the SCVMM console on the Appcontroller management server to UR2 and also updated our Appcontroller management server to UR2.

    We have configured the constrained delegation as per the following article http://technet.microsoft.com/en-us/library/gg696046#sectionSection1

    We found another article as the technet article has some confusion http://social.technet.microsoft.com/Forums/en-US/appcontroller/thread/fdfc81ff-a9b7-4b2d-bd0d-e0284e689406/

    Still the same problem: if we disable Windows authentication and enable basic, users are able to see cloud and VMs. Not sure where else to look.

    Please help.

    Cheers !

    Lewis


    Lewis

    Tuesday, January 8, 2013 8:19 AM
  • Hi Lewis,

    For constrained delegation, the most common issue I'm seeing is that delegation to the SCVMM SPN is not being set.

    On the Delegation tab of the Properties for the App Controller server in Active Directory Users and Computers you should have two entries for delegation:

    Service Type     User or Computer
    SCVMM            vmmserver name
    cifs             vmmserver name

    Regards,

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, January 11, 2013 1:49 AM
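
The Delegation tab check described in the reply above can also be read from Active Directory directly. This is an added example, not part of the thread or of any poster's reply; it assumes the ActiveDirectory PowerShell module is available, uses SCAP (the App Controller server name given later in the thread) and a placeholder `vmmserver` for the VMM server or cluster name, and `Test-DelegationEntries` is a hypothetical helper name.

```powershell
# Added example: audit the two constrained-delegation entries (SCVMM and cifs)
# on the App Controller computer account. Names below are placeholders.
Import-Module ActiveDirectory

$AppControllerHost = 'SCAP'        # App Controller server (name taken from the thread)
$VmmServer         = 'vmmserver'   # placeholder: VMM server or cluster name

function Test-DelegationEntries {
    param(
        [string[]]$AllowedToDelegateTo,            # values of msDS-AllowedToDelegateTo
        [string]$VmmName,
        [string[]]$ServiceTypes = @('SCVMM', 'cifs')
    )
    foreach ($svc in $ServiceTypes) {
        # Accept short name or FQDN, with optional port: SCVMM/vmm, SCVMM/vmm.contoso.com:8100
        $pattern = '^{0}/{1}(\.[^/:]+)?(:\d+)?$' -f [regex]::Escape($svc), [regex]::Escape($VmmName)
        $hits = @($AllowedToDelegateTo | Where-Object { $_ -match $pattern })
        [pscustomobject]@{
            ServiceType = $svc
            Present     = ($hits.Count -gt 0)
            Entries     = $hits -join ', '
        }
    }
}

# Read the delegation settings stored on the App Controller computer object.
$computer = Get-ADComputer -Identity $AppControllerHost -Properties `
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# One row per expected service type; Present = False means the entry is missing.
Test-DelegationEntries -AllowedToDelegateTo $computer.'msDS-AllowedToDelegateTo' -VmmName $VmmServer

# Delegation mode flags: unconstrained delegation, and protocol transition
# ("Use any authentication protocol" on the Delegation tab).
[pscustomobject]@{
    Unconstrained      = $computer.TrustedForDelegation
    ProtocolTransition = $computer.TrustedToAuthForDelegation
}

# Which account actually holds the SCVMM SPN (computer, cluster object or service account).
# A delegation entry only works if it matches an SPN registered on some account.
Get-ADObject -LDAPFilter "(servicePrincipalName=SCVMM/$VmmServer*)" -Properties servicePrincipalName |
    Select-Object Name, ObjectClass,
        @{ n = 'ScvmmSpns'; e = { ($_.servicePrincipalName -like 'SCVMM/*') -join ', ' } }
```

Note that `setspn -l` on the App Controller server lists the SPNs registered to that server, while the delegation targets live in its `msDS-AllowedToDelegateTo` attribute, which is what this reads.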
  • Hi Richard,

    That is what I have:

    Service Type     User or Computer
    SCVMM            vmmserver Cluster name
    cifs             vmmserver Cluster name

    We even tried adding the physical SCVMM nodes instead of the cluster name, but still no go.

    Anywhere else we should look?

    Cheers!


    Lewis

    Just an update

    We tested this in our Lab. If SCVMM and Appcontroller are on the same server, Single sign on works as expected.

    Single Sign on does not work when SCVMM and Appcontroller are on different servers.

    • Edited by Lewis vinod Sunday, January 13, 2013 11:20 AM
    Saturday, January 12, 2013 1:14 PM
  • Hi Lewis,

    You can try running the VMM Configuration Analyzer - this should confirm whether the SPN is set up correctly. If the SPN is not correct then delegation will not occur correctly.

    When running VMM and App Controller on the same server constrained delegation is not used for the App Controller to VMM communication -- the user's authentication token is not crossing a machine boundary. 

    Kind Regards,

    Richard 


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, January 14, 2013 7:30 PM
  • Thank you for your reply Richard,

    When I try to check for the SPNs this is what I get; please confirm whether there is anything missing. SCAP is the name of the Appcontroller management server.

    C:\Windows\system32>setspn -l scap
    Registered ServicePrincipalNames for CN=SCAP,CN=Computers,DC=contoso,DC=com:
            WSMAN/SCAP
            WSMAN/SCAP.contoso.com
            TERMSRV/SCAP
            TERMSRV/SCAP.contoso.com
            RestrictedKrbHost/SCAP
            HOST/SCAP
            RestrictedKrbHost/SCAP.contoso.com
            HOST/SCAP.contoso.com

    As advised, I even ran the VMM Configuration Analyzer; there is no error reported on SPN. Following is the snippet...

    No need to scan for VMM SPNs on HAVMM scvmm
    Category: Configuration
    Source: scvmm

    Microsoft Baseline configuration Analyzer has determined that you are in compliance with this best practice


    Lewis

    Tuesday, January 15, 2013 6:09 AM
  • Hi Lewis,

    I'm not quite sure what is wrong.

    You may want to contact support and work directly with a support engineer to troubleshoot the constrained delegation configuration.

    Kind Regards,

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, January 15, 2013 5:21 PM
  • Hi Elsaxo

    Is your problem resolved? Please update.


    Lewis

    Tuesday, January 15, 2013 5:34 PM
  • Hi Richard,

    We have 1 Private cloud project running at customer site and 1 Private cloud lab running on our corporate premises. Both have the same issue.

    The only problem I can see right now is "ME" as I have configured both of them. Hahaha

    Thank you for the follow up. I will try to contact Support.


    Lewis

    Tuesday, January 15, 2013 5:43 PM
  • There is always a chance it's a bug in either the product or documentation :-).

    I am definitely curious what the issue is - do let us know if you're able to resolve this (either with or without support).

    I know customers that have single sign on working with clustered VMM servers, but I can't think of what would be different between your environments and theirs.

    Regards,

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, January 15, 2013 7:09 PM