locked
Internal Server Error 500 - SCOM 2016 Web Console RRS feed

  • Question

  • Hi,

    I deployed SCOM 2016 Web Console on the a server.

    It works on the Web Console server self using HTTP connection

    http://<WEB CONSOLE SERVER>/OperationsManager

    But, if I browse Web Console from the internal SCOM MAnagement Server, or from any client, then I get Internal Server Error 500.

    I can access Web Server without any problem fromany client (http://<WEB CONSOLE SERVER>).

    Any idea?

    Best Regards

    Birdal


    • Edited by _Birdal Thursday, May 4, 2017 10:24 AM
    Thursday, May 4, 2017 10:21 AM

Answers

  • Hi Stoyan,

    I found the problem source why "http://<WebConsole Server>/OperationsManager" did not work (Internal Server Error 500).

    The problem was the missing SPN settings of the "machine record" of NLB node for SDK/Data Access account.

    Let me explain:

    - We deployed for Management Server Microsoft NLB in multitask mode (for 4 Management Server: MS1, MS2, MS3,MS4).

    - The network team assigned for the NLB node "a new machine name" of the one of the Management Server. It means, they assigned first the second IP for the machine MS1 which is used as the IP of NLB node, and then created for this second IP a new "machine name"/FQDN. For example, as follow:

    ms1.mydomain.com      with the IP 192.168.1.1 (that is the machine account for MS1)

    ms1-1.mydomain.com   with the IP 192.168.1.2 (that is the NLB node)

    - Additionally, the network team has created an alias named "om.mydomain.com" for ms1-1.mydomain.com". All nslookup results for both (for "ms1-1" and for "om") were OK.

    - I deployed SCOM WebConsole on the machine named "WS". I created SPNs related to SDK/Data Access account for all Management Servers and also for the NLB node "om.mydomain.com".

    - Microsoft support has recommended to apply Yangs article that I have done. But this did not solve the problem:

    http://blog.tyang.org/2014/02/27/configure-opsmgr-2012-web-console-single-sign/

    After that, I thougt "perhaps, I should also register SPN for ms1-1.mydomain.com related to SDK account". I registered SPNs and inserted also "ms1-1.mydomain.com" for delegation as Yangs described in his article.

    It worked!!!

    Verification

    I wondered why the SPNs only for "om.mydomain.com" are not effectual. I checked registry records on the WebConsole and found out that the "Default Server" record under

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center Operations Manager\12\Setup\WebConsole]

    as follow

    "DEFAULT_SERVER" >  „ms1-1. mydomain.com“

    I changed it again to "om.mydomain.com".

    After that, I removed all SPNs for "ms1-1.mydomain.com" and deleted also delegation for it.

    I rebooted all Management Server and WebConsole server, and tested again the WebConsole access.

    Result: NO, it does not work!!!

    Again I registered all SPNs for ms1-1.mydomain.com + reboot + tests.

    Result: Yes, WebConsole access works again!

    ---------------

    I think,  installation process of the WebConsole has registered "ms1-1.mydomain.com" in "anywhere". Because of that we must register also now SPNs for this FQDN!!!

    That is all....

    What is your comment?

    Best Regards

    Birdal

    • Marked as answer by _Birdal Thursday, June 8, 2017 10:52 AM
    Thursday, June 8, 2017 10:51 AM
    • Marked as answer by _Birdal Friday, January 19, 2018 7:22 AM
    • Edited by _Birdal Friday, January 19, 2018 1:10 PM
    Friday, January 19, 2018 7:21 AM

All replies

  • Hi,

    Please refer to:

    Troubleshooting: SCOM Web Console 500 – Internal Server Error

    http://www.opsconfig.com/troubleshooting-scom-web-console-500-internal-server-error/

    SCOM 2012 Web Console – 500 Internal Server Error

    http://www.culham.net/scom/scom-2012-web-console-500-internal-server-error/


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, May 4, 2017 10:29 AM
  • Hi,

    no, the changing ApplicationPool settings did not solve the problem.

    Has somebody any other idea?

    Best regards

    Birdal

    Thursday, May 4, 2017 11:38 AM
  • Hi,

    any other idea for this issue???

    Best Regards

    Birdal 

    Friday, May 5, 2017 8:08 AM
  • Hi,

    Microsoft writes in the following article the stepsfor the installing Web Console.

    https://technet.microsoft.com/en-us/library/hh298606(v=sc.12).aspx

    There is a section named "To configure permissions inheritance for the web console" about the permissions of the folder TempImages.

    First: i cannot find any Permissions > Change Permission (Step 3)

    Second: is this permission changes are necessary also for SCOM 2016 Web Console?

    Best Regards

    Birdal


    • Edited by _Birdal Friday, May 5, 2017 9:57 AM
    Friday, May 5, 2017 9:57 AM
  • Hi Birdal,

    it seems that you have followed the guide for the SCOM 2012 web console? Am i right?

    Could you please take a look here and verify you have completed the steps properly. You can even re-install the web console by follwoing the proper (for SCOM 2016) guide:

    How to install the Operations Manager Web console

    Please note two things, from the article 

    "A Network Load Balancer is not supported for the Operations Manager web console server."

    and

    "You must install IIS before installing .NET Framework 4. If you installed IIS after installing .NET Framework 4, you must register ASP.NET 4.0 with IIS. Open a Command prompt window by using the Run As Administrator option and then run the following command:

    %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -r"

    and

    "Installing the web console on a computer that has SharePoint installed is not supported."

    and also

    "If you install the management server on a server using a domain account for System Center Configuration service and System Center Data Access service, and then install the web console on a different server and select Mixed Authentication, you may need to register Service Principle Names and configure constraint delegations, as described in Running the Web Console Server on a standalone server using Windows Authentication."

    Please check all teh details from the article and post back.

    Regards,


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!)

    Monday, May 8, 2017 2:10 PM
  • Hi Stoyan,

    no, that is not correct. I did not follow SCOM 2012 Web Console article. Only I discovered this article from Microsoft as I tried to solve my problem.

    I followed exactly the given article for SCOM 2016.

    I run all steps correctly in considering exceptions, etc.

    Best Regards

    Birdal

    Monday, May 8, 2017 2:17 PM
  • Hi Birdal,

    This is fine then. Let me check a few more things and I will reply back tomorrow.

    Regards,


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!)

    Monday, May 8, 2017 2:22 PM
  • Thank you, Stoyan,

    Best regards

    Birdal

    Monday, May 8, 2017 2:55 PM
  • Hi Birdal,

    I see you already checked:

    Fresh install SCOM 2016 Web Console - Error 500

    and tried the actions there, but without success. To be honest, I assume the issue is related to authentication, but cannot think of an way to verify this. Can you please post the Authentication settings here, so that I can take a look at them? Thnaks.

    Regards,


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!)

    Tuesday, May 9, 2017 8:31 AM
  • Hi Stoyan,

    I did not change any Authentication method on IIS. Here are the Authentication methods related to DefaultWebSite > OperationsManager virtual directory:

    AUTHENTICATION

    AnonymousAuthentication

    BasicAuthentication

    ClientCertificateMappingAuthentication

    DigestAuthentication

    iisClientCertificateMappingAuthentication

    WindowsAuthentication

    Additionally I list the ApplicationPools:

    Best Regards

    Birdal



    • Edited by _Birdal Wednesday, May 10, 2017 8:18 AM
    Wednesday, May 10, 2017 8:01 AM
  • Hi Birdal,

    to be honest, I have no idea what could be the cause in this case?

    Do you have a Support contract? Is opening a case an option for you? If not, than I think it is worth the attempt to reinstall the web console. Maybe you have missed something.

    In aither case I am out of ideas on what could be the cause here. Sorry for not being able to help you this time.

    Regards,

    Stoyan


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!)

    • Proposed as answer by Yan Li_ Tuesday, May 16, 2017 8:34 AM
    Wednesday, May 10, 2017 9:11 AM
  • Hi Stoyan,

    I found the problem source why "http://<WebConsole Server>/OperationsManager" did not work (Internal Server Error 500).

    The problem was the missing SPN settings of the "machine record" of NLB node for SDK/Data Access account.

    Let me explain:

    - We deployed for Management Server Microsoft NLB in multitask mode (for 4 Management Server: MS1, MS2, MS3,MS4).

    - The network team assigned for the NLB node "a new machine name" of the one of the Management Server. It means, they assigned first the second IP for the machine MS1 which is used as the IP of NLB node, and then created for this second IP a new "machine name"/FQDN. For example, as follow:

    ms1.mydomain.com      with the IP 192.168.1.1 (that is the machine account for MS1)

    ms1-1.mydomain.com   with the IP 192.168.1.2 (that is the NLB node)

    - Additionally, the network team has created an alias named "om.mydomain.com" for ms1-1.mydomain.com". All nslookup results for both (for "ms1-1" and for "om") were OK.

    - I deployed SCOM WebConsole on the machine named "WS". I created SPNs related to SDK/Data Access account for all Management Servers and also for the NLB node "om.mydomain.com".

    - Microsoft support has recommended to apply Yangs article that I have done. But this did not solve the problem:

    http://blog.tyang.org/2014/02/27/configure-opsmgr-2012-web-console-single-sign/

    After that, I thougt "perhaps, I should also register SPN for ms1-1.mydomain.com related to SDK account". I registered SPNs and inserted also "ms1-1.mydomain.com" for delegation as Yangs described in his article.

    It worked!!!

    Verification

    I wondered why the SPNs only for "om.mydomain.com" are not effectual. I checked registry records on the WebConsole and found out that the "Default Server" record under

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center Operations Manager\12\Setup\WebConsole]

    as follow

    "DEFAULT_SERVER" >  „ms1-1. mydomain.com“

    I changed it again to "om.mydomain.com".

    After that, I removed all SPNs for "ms1-1.mydomain.com" and deleted also delegation for it.

    I rebooted all Management Server and WebConsole server, and tested again the WebConsole access.

    Result: NO, it does not work!!!

    Again I registered all SPNs for ms1-1.mydomain.com + reboot + tests.

    Result: Yes, WebConsole access works again!

    ---------------

    I think,  installation process of the WebConsole has registered "ms1-1.mydomain.com" in "anywhere". Because of that we must register also now SPNs for this FQDN!!!

    That is all....

    What is your comment?

    Best Regards

    Birdal

    • Marked as answer by _Birdal Thursday, June 8, 2017 10:52 AM
    Thursday, June 8, 2017 10:51 AM
    • Marked as answer by _Birdal Friday, January 19, 2018 7:22 AM
    • Edited by _Birdal Friday, January 19, 2018 1:10 PM
    Friday, January 19, 2018 7:21 AM