SCOM 2016 Web Console and Single-Sign-On Authentication issue

  • Question

  • Hi,

    Our company uses Single-Sign-On authentication when users use Internet browsers and are logged on with their own personal/user account. That is the policy.

    I deployed SCOM 2016 Web Console so that "Windows Authentication" is enabled on the subsite level "OperationsManager" and "MonitoringView".

    So, all is ok.

    BUT, SCOM operators in the company use other accounts to access the server infrastructure, and also the SCOM infrastructure, including the SCOM Web Console. These IT operators are logged on to the machine with their own personal/user account. This means SCOM operators have two different accounts.

    Now the problem begins...

    If a SCOM operator tries to access the SCOM Web Console using Internet Explorer, he gets "access denied" and does not get any pop-up window for account / password.

    How can I deploy it on the SCOM Web Console server so that IE prompts for account/password and IT operators can access the Web Console?

    Best Regards

    Birdal

    Friday, February 23, 2018 11:54 AM

All replies

  • Hey Birdal,

    I found a blog that does the opposite - gets rid of the authentication prompt. Maybe you can reverse the solution to get the prompt back (move up the "negotiate" argument to the top).

    This may cause all the users to enter their credentials (other than just IT operators), but I'm not sure. Wouldn't hurt to try though, you can always set it back to how it was.

    This is just speculation, so please make sure to proceed carefully:

    SCOM 2012 web console prompts for username and password

    Hope this helps

    Cheers


    Sam (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!)

    Friday, February 23, 2018 12:21 PM
  • Hi,

    We deployed "Negotiate: Kerberos" in the authentication providers. But I also tested with "Negotiate" at the top.

    No, the same error: "403 Forbidden: Access is denied"

    Best Regards

    Birdal

    Friday, February 23, 2018 12:53 PM
  • Hmm...that's no good :(

    Just to confirm, did you do this on all the MS?

    Cheers


    Sam

    Friday, February 23, 2018 12:57 PM
  • Hi Sam,

    There is a misunderstanding. The problem does not exist on the MS. There is also no problem if a SCOM operator uses the "normal" user account, because this account, in the IE policy, uses the SSO process. The problem exists if a SCOM operator wants to access the SCOM Web Console using the "SCOM operator account". That is a different account. In this case IE does not prompt with any logon window; IE forwards the authentication request using the user logged on to the machine (in this case the "normal" account of the SCOM operator). We want IE to always prompt with a logon window so that different login credentials can be given.

    Best Regards

    Birdal


    Monday, February 26, 2018 8:17 AM
  • Hello,

    How about editing the web.config file under path:

    C:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\WebHost 


    Please check what the result is when you try to open the web console after modifying from

    <connection autoSignIn="true" autoSignOutInterval="30">

    to

    <connection autoSignIn="false" autoSignOutInterval="30">

    Regards,

    Yan 



    Friday, March 2, 2018 8:58 AM
    Moderator
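
The web.config change suggested in the reply above, as an added PowerShell example that is not part of the original thread or Microsoft's own tooling. It assumes the file is named web.config inside the folder quoted in that reply and that the `connection` element carries the `autoSignIn` attribute exactly as quoted; it keeps a timestamped backup so the setting can be put back.

```powershell
# Added example, not from the thread. The folder is the one quoted in the reply above;
# the file name web.config and the XPath used to find the element are assumptions.
$configPath = 'C:\Program Files\Microsoft System Center 2016\Operations Manager\WebConsole\WebHost\web.config'

if (-not (Test-Path -LiteralPath $configPath)) {
    throw "web.config not found at $configPath"
}

# Keep a timestamped copy so the change can be reverted.
$backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $configPath, (Get-Date)
Copy-Item -LiteralPath $configPath -Destination $backup

# Load as XML instead of doing a text replace, so only the attribute is touched.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)

$nodes = $xml.SelectNodes('//connection[@autoSignIn]')
if ($nodes.Count -eq 0) {
    throw 'No <connection autoSignIn="..."> element found; file left unchanged.'
}

foreach ($node in $nodes) {
    $old = $node.GetAttribute('autoSignIn')
    Write-Output "connection autoSignIn was: $old"
    if ($old -ne 'false') {
        $node.SetAttribute('autoSignIn', 'false')
    }
}

$xml.Save($configPath)
Write-Output "Saved $configPath (backup: $backup)"
```

To revert, copy the `.bak` file back over web.config.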
  • Hi Birdal,

    We appear to have the same concern as you did in this post; were you able to find a solution?

    Thanks,

    Steve

    Monday, October 14, 2019 5:02 PM
  • Hi Sern,

    We no longer have SCOM 2016; we upgraded to SCOM 2019.

    In SCOM 2019, the users should always give credentials in the Internet browser.

    There is also still a bug in the Web Console so that the following message appears first. Then the user must choose "Use Alternate Credentials".

    The SCOM Web Console had, and still has, some bugs which Microsoft could not solve. It is better to say Microsoft cannot do any good Web development!

    Best regards

    Birdal

    Tuesday, October 15, 2019 7:24 AM