App Controller Single Sign On instructions unclear RRS feed

  • Question

  • In setting up App Controller, the following page describes how to enable Single Sign On: http://technet.microsoft.com/en-us/library/gg696046

    In the section on constrained delegation, there is a potential mistake or at least something that is unclear. Here is how it reads now:

    o turn on constrained delegation

    1. Log on using an account that has OU Administrator privileges in Active Directory Domain Services. Ensure that this account is also granted the SeEnableDelegationPrivilege user right (for example, a domain administrator could run the command ntrights -u domain\user +r SeEnableDelegationPrivilege on a domain controller, where domain/user represent the domain and account name for the account).
    2. In Active Directory Users and Computers, expand the App Controller Machine node.
    3. Click the Delegation tab.
    4. Select the Trust this computer for delegation to specified services only option.
    1. Select the Use any authentication protocol option.
    2. Click Add and then do one of the following:
      1. If the VMM management server is running under the Local System account, enter the name of the VMM management server and select HOST, and then click OK.
      1. If the VMM management server is running under a domain account, enter the name of domain account and select SCVMM, and then click OK.
    1. Select the Common Internet File System (CIFS) service, and then click OK.
    1. Restart the App Controller management server.


    The issue is that step 7 doesn't make sense, because in step 6 you select the service type (either HOST in the case of (a) or SCVMM in the case of (b)). When you finish that step, you are no longer in the dialog in which to select a service type.


    So the question: are we supposed to configure 2 service types, one in step 6, then CIFS in step 7? Or is step 7 unnecessary? I have configured SSO using only the SCVMM service type per step 6(b), and it seems to be working fine. Should I also add cifs?




    • Edited by Noah.Stahl Monday, August 20, 2012 4:44 PM formatting
    Monday, August 20, 2012 4:43 PM

All replies

  • Hi Noah,

    Thanks for letting us know about the lack of clarity in the documentation for configuring single sign on.

    Yes, you should configure 2 service types - first the SCVMM service type and then CIFS. Adding the SCVMM service type is the most important one as it allows App Controller to pass your credentials through to VMM, and this accounts for the majority of actions.

    CIFS is needed for file operations on:

    • VMM Library Servers (including the VMM server itself for the default library)
    • Network file shares

    You will need to add entries for all servers that meet the above so that you are able to copy files from network file shares to VMM library servers.

    Step 7 should probably read more like:

    7. Click Add and select the Common Internet File System (CIFS) service and enter the name of the VMM management server and then click OK

    Repeat Step 7 for each VMM Library Server and for each network file share added to App Controller.

    I hope this makes things a little clearer. I'll work with our documentation writer to get these instructions updated in the official documentation.

    Kind Regards,


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, August 24, 2012 5:35 AM
  • Thanks Richard for clarifying. I've added cifs delegation to both the VMM cluster and library cluster Failover cluster virtual network name accounts in addition to the SCVMM service type. One additional thing that would be nice in the documentation is to be clear about which account needs delegation when using failover clusters for VMM and library servers.


    Friday, August 24, 2012 3:22 PM