Web Console Server Permissions
Hi

I have an RMS & an MS, both with the web console installed. The web console works fine on the RMS, but asks for authentication on the MS, which always fails. I'm fairly sure that when I deployed these servers I tested the second web console & it worked. IIS settings seem to be the same on both boxes with regard to permissions & the default IIS7 page loads OK on the MS. Any ideas what might be causing this? I was hoping to balance my web console users between both servers. Thanks
January 14th, 2010 5:01pm
Hi, I assume you have chosen Windows authentication when installing the web server? See this: http://blogs.technet.com/momteam/attachment/2800920.ashx http://www.systemcentercentral.com/portals/0/VenexusIndexItem/Index6181/SCOM_2007_Web_Scale_Out_1_0.pdf From here: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.opsmgr.ui&tid=3fc923d1-de6f-4b1b-a7fa-fcb657e9a66d&cat=4AE2B8F4-410B-C1C7-3FBB-D261FD9C3408&lang=en&cr=US&sloc=&p=1 Cheers Graham
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
January 14th, 2010 5:12pm
Thanks Graham - I don't want to scale out to a fully load balanced config yet, but this is useful info for when I do. The other option of using constrained delegation I've already tried, but it didn't seem to make a difference (SDK account doesn't have the Sensitive box ticked & MS is trusted for delegation to the SDK account on the RMS.) As far as the SPNs go, just the RMS is listed when querying the SDK account - this was automatically registered at deployment time after I'd changed the permissions on the account to allow self registration. I wonder if I have to manually register the MS on the SDK account as well? There seem to be differing views on this in the SCOM community.
January 14th, 2010 5:27pm
Hi, I'll defer to someone else on the actual SPNs that should be registered - I don't have a system to hand to check and I don't have it documented. For this, the usual scenario is either to use forms authentication on the MS or constrained delegation as per Pete Zerger's comments on the thread that I posted above. You might want to try forms authentication just to make sure the actual web console is working. Cheers Graham
View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
January 14th, 2010 6:06pm
Hi all,

KCD is usually the way forward for internal use; FBA is a bit of a pain as you have to type credentials.

As described in the doc, the MS computer account (in this case) should be configured to allow delegation to:
MSOMSdkSvc/rms-server
MSOMSdkSvc/rms-server.domain.com

Whenever I set SPNs on a computer account or allow KCD, I always reboot the computer afterwards. I'm not sure if it's necessary or not.

As for which SPNs to register to the SDK account... In day to day operations the only SDK SPNs required are for the RMS server. In the event of an RMS failure and MS promotion (or the RMS changing name for any reason), additional SPNs will be required. If you allow the SDK account to register its own SPNs, then management server promotion will not cause Kerberos errors because, as the newly promoted RMS starts the SDK service, it will register the required SPNs on its own. If you don't allow the SDK account to register its own SPNs, then somebody will have to do this manually. KCD may also be a problem here, as the computers won't be permitted to delegate authentication to the new SPNs.

You also mentioned that you would load balance the web console servers. If you use a virtual server name to load balance, then you will run into Kerberos issues there too. The reason being that you have to register an HTTP/virtualservername SPN. This is usually done on the computer account, but the golden rule of SPNs is that there must not be duplicates. So you can't register the SPN to both computer accounts. You get around this by registering the SPN to a user account and using a common application pool identity for the web application.

See the "Special Case of running IIS7 in a web farm" (at the end of the article)
http://blogs.msdn.com/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

Matt
Matt White( http://systemcenterblog.hardac.co.uk/ )
January 15th, 2010 2:25am
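The steps Matt lists above, as an added PowerShell example that is not part of the thread and not Microsoft's or the SCOM team's code: it lists the SDK account's SPNs, checks the domain for duplicate SPNs, sets Kerberos-only constrained delegation on the MS computer account towards the SDK service on the RMS, and registers the HTTP SPN for a load-balanced virtual name on a shared app-pool user rather than a computer account. Every name in it (OM_SDK, rms-server, ms-server, OM_WebConsole, opsmgrweb, domain.com) is a placeholder, and it assumes the ActiveDirectory module (RSAT) and an account permitted to modify those objects.

```powershell
# Added example, not code from the thread. Carries out the checks and changes Matt describes.
# All names below are placeholders; change them to match the environment.
# Needs the ActiveDirectory module (RSAT) and an account allowed to modify the objects.
Import-Module ActiveDirectory

$Domain      = 'domain.com'
$SdkAccount  = 'OM_SDK'          # OpsMgr SDK service account (user object)
$Rms         = 'rms-server'      # root management server
$Ms          = 'ms-server'       # management server hosting the second web console
$PoolAccount = 'OM_WebConsole'   # domain user used as IIS app-pool identity on both web console servers
$VirtualName = 'opsmgrweb'       # load balancer virtual name for the web console

# 1. SPNs currently held by the SDK account. In day-to-day use only the RMS pair is needed.
$sdkSpns = (Get-ADUser -Identity $SdkAccount -Properties servicePrincipalName).servicePrincipalName
Write-Host "SPNs on $SdkAccount :"
$sdkSpns | ForEach-Object { Write-Host "  $_" }

# 2. Golden rule: an SPN must not be registered on two accounts. Build an index of every SPN in the
#    domain (query a global catalog instead if the forest has several domains) and report duplicates.
$spnIndex = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName | ForEach-Object {
    $dn = $_.DistinguishedName
    foreach ($spn in $_.servicePrincipalName) {
        $spnIndex[$spn.ToLower()] += @($dn)
    }
}
$duplicates = $spnIndex.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
foreach ($d in $duplicates) {
    Write-Warning ("Duplicate SPN {0} on: {1}" -f $d.Key, ($d.Value -join '; '))
}

# 3. Constrained delegation: the MS computer account may delegate only to the SDK service on the RMS.
#    Writing msDS-AllowedToDelegateTo alone gives the "Kerberos only" form; it does not enable
#    protocol transition and does not set the unconstrained TrustedForDelegation flag.
#    If the web console app pool runs as a domain user rather than Network Service, that user is the
#    delegating principal and the same attribute goes on the user object (Set-ADUser) instead.
$targets  = @("MSOMSdkSvc/$Rms", "MSOMSdkSvc/$Rms.$Domain")
$msObject = Get-ADComputer -Identity $Ms -Properties 'msDS-AllowedToDelegateTo'
$missing  = $targets | Where-Object { $msObject.'msDS-AllowedToDelegateTo' -notcontains $_ }
if ($missing) {
    Set-ADComputer -Identity $Ms -Add @{ 'msDS-AllowedToDelegateTo' = @($missing) }
    Write-Host "Added delegation targets on $Ms : $($missing -join ', ')"
}
# Matt reboots the machine after changing SPNs or delegation; do the same here.

# 4. Web farm: HTTP/<virtual name> cannot sit on both web servers' computer accounts, so register it
#    once, on the shared app-pool user, after checking that nobody else already holds it.
$httpSpns = @("HTTP/$VirtualName", "HTTP/$VirtualName.$Domain")
$poolDn   = (Get-ADUser -Identity $PoolAccount).DistinguishedName
foreach ($spn in $httpSpns) {
    $owners = $spnIndex[$spn.ToLower()]
    if ($owners -and ($owners -notcontains $poolDn)) {
        Write-Warning "$spn is already registered on $($owners -join '; '); not adding it to $PoolAccount"
    } elseif (-not $owners) {
        Set-ADUser -Identity $PoolAccount -Add @{ servicePrincipalName = $spn }
        Write-Host "Registered $spn on $PoolAccount"
    }
}
```

Run it from an elevated PowerShell session on a domain-joined box with RSAT; step 2 is read-only and safe to run on its own first, and the duplicate report is the thing to look at before touching any SPN in steps 3 and 4.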
Thanks for the detailed reply Matt - I'm now certain my SPNs and KCD are configured correctly & have some great info on how to scale this out in due course. I'm going to give forms based authentication a try to see if it's a fault with the web console itself, but first I've a more pressing problem with this management server not working as detailed in this thread... http://social.technet.microsoft.com/Forums/en-IE/operationsmanagergeneral/thread/cdd0c1d2-1218-4c5c-898e-79918af41482 I'll report back with the results of the test when the MS is up and running again.
January 15th, 2010 6:51pm
FIXED!!!
Allowed the SDK account to read and write SPNs with ADSIEdit and made sure the database server had the setting "Trust this computer for delegation to any service (Kerberos)".
Happy days! :-)
sys_admin
November 12th, 2010 4:39am
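The two settings sys_admin changed in the fix, as an added PowerShell example that is not part of the thread: it checks whether the SDK account may read and write its own servicePrincipalName (the ADSIEdit change that lets the account self-register) and grants that if missing, then reports what kind of delegation the database server's computer account has. "Trust this computer for delegation to any service (Kerberos)" is unconstrained delegation, the broadest of the three delegation options, so the script labels it as such rather than only confirming it is on. OM_SDK and sql-server are placeholders; it assumes the ActiveDirectory module and its AD: drive.

```powershell
# Added example, not code from the thread. Audits (and if needed grants) the SDK account's right to
# write its own SPNs, and reports the database server's delegation setting.
# 'OM_SDK' and 'sql-server' are placeholders. Needs the ActiveDirectory module; its AD: drive is used
# for the ACL work.
Import-Module ActiveDirectory

$SdkAccount = 'OM_SDK'
$DbServer   = 'sql-server'

# schemaIDGUID of the servicePrincipalName attribute, read from the schema instead of hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
$spnGuid  = [guid]$spnAttr.schemaIDGUID

$sdkDn = (Get-ADUser -Identity $SdkAccount).DistinguishedName
$acl   = Get-Acl -Path "AD:\$sdkDn"
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::Self          # "Self" = validated write

# An ACE lets SELF write the SPN if it allows WriteProperty (or a validated write) either on that
# attribute specifically or on all properties (empty ObjectType).
$selfCanWriteSpn = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq $spnGuid -or $_.ObjectType -eq [guid]::Empty) -and
    (([int]($_.ActiveDirectoryRights -band $writeRights)) -ne 0)
}
if ($selfCanWriteSpn) {
    Write-Host "$SdkAccount can register its own SPNs."
} else {
    # Equivalent of granting SELF Read/Write servicePrincipalName in ADSIEdit.
    $self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $spnGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$sdkDn" -AclObject $acl
    Write-Host "Granted $SdkAccount read/write on its own servicePrincipalName."
}

# Delegation state of the database server. "Trust this computer for delegation to any service
# (Kerberos only)" sets TrustedForDelegation, i.e. unconstrained delegation. The narrower form is
# constrained delegation, where msDS-AllowedToDelegateTo lists the only services it may reach.
$db = Get-ADComputer -Identity $DbServer -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
if ($db.TrustedForDelegation) {
    Write-Warning "$DbServer has unconstrained delegation: it can obtain tickets to any service on behalf of users who authenticate to it."
} elseif ($db.'msDS-AllowedToDelegateTo') {
    Write-Host "$DbServer is constrained to: $($db.'msDS-AllowedToDelegateTo' -join ', ')"
    if ($db.TrustedToAuthForDelegation) { Write-Host "  (protocol transition enabled)" }
} else {
    Write-Host "$DbServer is not trusted for delegation."
}
```

The ACL check deliberately accepts an all-properties ACE as well as the attribute-specific one, since either lets the account register its SPNs; the grant branch adds only the attribute-specific rule, which is all the self-registration needs.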