none
APM Authentication Error to AppAdvisor and AppDiagnostic

    Question

  • Running into a small issue with my OpsMgr 2012 LAB (rtm) when accessing APM Advisor and Diagnostic web consoles.

    Environment
    DB02 -  Windows 2008 R2 SP1
     SQL 2008 R2 v10.50.2796
     SQL Service Acct - OMSQL
     SQL SysAdmin roles - OMSQL; OMADMIN
     Local Admins - OMSQL; OMADMIN; OMSERVICE
     OperationsManager and OperationsManagerDW databases reside on this server.

    OM01 -  Windows 2008 R2 SP1
     Operations Manager 2012 RTM - Management Server and Operations Console roles.
     OpsMgr VSS Writer Service Acct - OMSERVICE
     System Center Data access Service Acct - OMSERVICE
     System Center Management Configuration Acct - OMSERVICE
     (Rest are Network Service or Local Service as defaulted to)

     
    OM02 -  Windows 2008 R2 SP1
     SQL 2008 R2 v10.50.2796  - Reporting Services
     Operations Manager 2012 RTM - Web Console and Reporting Server roles.
     Web Console is configured for Mixed Authentication
     OMADMIN account is part of the Operations Manager Administrator role (and Operations Manager Report Operator Role).

    If I try to access http://om02/AppAdvisor from any machine -other- than OM02, I get an error: "Authentication Error. User account: DOMAIN\OMAdmin. This user account does not have sufficient rights to use Application Advisor. Ask your Administrator to add this user account to the Operations Manager Report Operators role, and then try again."

    However, if I access http://om02/AppAdvisor -FROM- OM02, I am granted access (using same OMAdmin account as above).

    Now the weird part. After I access it once locally from OM02, I can access it remotely from another machine for a period of time. But if I come back a couple hours later and try... I get denied again.

    Same thing happens for AppDiagnostic console as well.

    Any help/clues?


    gaurhoth

    Friday, April 20, 2012 6:38 PM

Answers

  • Hello Gaurhoth,

    You may experience different issues here (SDK conneciton cahing + Kerberos double hop + Intranet/Internet Zone access) but I hope that Forms authentication will help to solve these issues.

    To set up Forms Auth for AppAdvisor and AppDiagnostics applications in IIS (on application level - not site level):

    - Forms: Enabled;
    - Anonymous: Enabled;
    - Basic/Windows: Disabled;
    - Impersonation: Disabled for AppAdvisor, not sure for AppDiagnostics - could be either Enabled/Disabled, give a try to both.

    In that case you'll be prompted for credentials using custom dialog and user token will be passed correctly avoiding popular auth. issues.


    Dmitry Matveev

    • Marked as answer by Gaurhoth Wednesday, April 25, 2012 3:06 PM
    Friday, April 20, 2012 7:19 PM
    Moderator

All replies

  • Hello Gaurhoth,

    You may experience different issues here (SDK conneciton cahing + Kerberos double hop + Intranet/Internet Zone access) but I hope that Forms authentication will help to solve these issues.

    To set up Forms Auth for AppAdvisor and AppDiagnostics applications in IIS (on application level - not site level):

    - Forms: Enabled;
    - Anonymous: Enabled;
    - Basic/Windows: Disabled;
    - Impersonation: Disabled for AppAdvisor, not sure for AppDiagnostics - could be either Enabled/Disabled, give a try to both.

    In that case you'll be prompted for credentials using custom dialog and user token will be passed correctly avoiding popular auth. issues.


    Dmitry Matveev

    • Marked as answer by Gaurhoth Wednesday, April 25, 2012 3:06 PM
    Friday, April 20, 2012 7:19 PM
    Moderator
  • The suggestion for using Forms based auth did solve my immediate problem.

    Thanks.


    gaurhoth

    Wednesday, April 25, 2012 3:06 PM