Running the Web Console Server on a standalone server using Windows Authentication
Scenario A: Install the Database and the Root Management Server on a standalone server with the SDK and Config services running under domain accounts. The user installs the Web Console Server on a standalone machine and wants to use Windows Authentication.
Scenario B: Install the Database and the Root Management Server on a standalone server with the SDK and Config services running under Local System. The user installs the Web Console Server on a standalone machine and wants to use Windows Authentication. For this scenario users only need to follow step number 7 in the Register SPNs section below.
Register SPNs:
1) Register SPNs: Download the SETSPN tool which is available on the Windows Server 2003 Service Pack 1 Support Tools. You can download the tool from this link.
2) Log onto to a server that is part of the domain and copy down the Support Tools folder locally on the computer as you will not be able to run the installation package remotely.
3) Install the support tool on the computer.
4) Open a command prompt by clicking Start, then Run, and typing CMD.
5) Once the command prompt opens, navigate to the Support Tools folder, which by default is installed at %ProgramFiles%\Support Tools\.
6) Type setspn.exe /A {MSOMSdkSvc/FQDN machine name of the Root Management Server} {Domain\Account of the SDK Service}, where Account of the SDK Service is the name of the account under which the SDK Service is running. For example: setspn.exe /A MSOMSdkSvc/MOMDC1 PARIS\MOMSDK
7) To verify that the SPN was registered correctly, type SetSpn.exe /L {Account of the SDK Service}
Check that the SPN on the SDK service account that is required for delegation to function properly is present:
- You should see MSOMSdkSvc/Machine name of the Root Management Server, where MSOMSdkSvc is the appropriate service class. If you change the service account, use setspn /D to remove the SPNs from the old account.
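The following PowerShell script is an added example and is not part of the original article or the product. It checks, before or after running setspn.exe, whether the MSOMSdkSvc SPN for the Root Management Server is held by exactly one account and that it is the SDK service account; it queries Active Directory through ADSI so it does not need the AD PowerShell module. The RMS name and service account name in the usage comment are placeholders.

```powershell
# Added example (not from the original article): verify MSOMSdkSvc SPN registration.
# An SPN that is missing, registered on the wrong account, or duplicated across two
# accounts all break Kerberos authentication to the SDK service.

function Get-SpnHolders {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # Escape LDAP filter metacharacters so an odd host name cannot alter the query
    $escaped = $Spn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$escaped)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

function Test-SdkSpn {
    param(
        [Parameter(Mandatory=$true)][string]$RmsFqdn,     # placeholder, e.g. rms01.contoso.com
        [Parameter(Mandatory=$true)][string]$SdkAccount   # sAMAccountName of the SDK service account (placeholder)
    )
    $shortName = ($RmsFqdn -split '\.')[0]
    $results = @()
    # Check both the FQDN and the short-name form; clients may request either
    foreach ($spn in @("MSOMSdkSvc/$RmsFqdn", "MSOMSdkSvc/$shortName")) {
        $holders = @(Get-SpnHolders -Spn $spn)
        $state = if ($holders.Count -eq 0) { 'MISSING' }
                 elseif ($holders.Count -gt 1) { 'DUPLICATE' }        # KDC cannot pick a key; service sees KRB_AP_ERR_MODIFIED
                 elseif ($holders[0] -ine $SdkAccount) { 'WRONG-ACCOUNT' }
                 else { 'OK' }
        $results += New-Object PSObject -Property @{ SPN = $spn; Holders = ($holders -join ','); State = $state }
    }
    $results
}

# Usage (placeholder names):
# Test-SdkSpn -RmsFqdn 'rms01.contoso.com' -SdkAccount 'MOMSDK' | Format-Table SPN, State, Holders -AutoSize
# MISSING row:        setspn.exe /A MSOMSdkSvc/rms01.contoso.com CONTOSO\MOMSDK
# WRONG-ACCOUNT row:  setspn.exe /D MSOMSdkSvc/rms01.contoso.com CONTOSO\OldAccount   (then /A on the new account)
```

Run it from a domain-joined machine as a user that can read the directory; the DUPLICATE state is the one most often behind "SPN is registered but Kerberos still fails" reports, because setspn /A does not refuse to add an SPN that already exists on another account.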
Raise Domain Level:
1) Raise Domain Level: Configuring delegation to specific services on a particular computer is a feature available only with Microsoft Windows Server 2003 domain controllers.
CAUTION: Do not raise the domain functional level if you have, or will have, any Windows NT 4.0 or earlier domain controllers. As soon as the domain functional level is raised to Windows 2000 native or Windows Server 2003, it cannot be changed back to a Windows 2000 mixed domain.
For more information on raising domain levels please refer to this link: http://support.microsoft.com/kb/322692
2) Verify Domain Functional Level: If you are configuring constrained delegation, you need to verify that the domain controller is operating at Windows Server 2003 functional level. (Note: This step is required only for constrained delegation.)
3) Log on to the PDC of the domain with domain administrator credentials (you can also connect to the MMC snap-in remotely with domain admin credentials).
4) Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
5) In the console tree, right-click the domain for which you want to verify the domain level, and then select Properties in the context menu.
6) In the console tree, right-click the domain for which you want to raise functionality, and then click Raise Domain Functional Level.
· Click Windows 2000 native, and then click Raise to raise the domain functional level to Windows 2000 native.
OR
· Click Windows Server 2003, and then click Raise to raise the domain functional level to Windows Server 2003.
Note: You can also raise the domain functional level by right-clicking a domain that appears in the Active Directory Users and Computers MMC snap-in, and then clicking Raise Domain Functional Level. To raise the domain functional level, you must be a member of the Domain Administrators group.
7) The current domain functional level appears under Current domain functional level in the Raise Domain Functional Level dialog box. The level increase is performed on the PDC FSMO and requires the domain administrator.
Verify User Account Options:
1) Verify User Account Options: The account that will be delegated needs the appropriate rights.
2) To verify that the Account is sensitive and cannot be delegated option is not selected, open Active Directory Users and Computers.
3) Select the Users folder.
4) Right-click the UserAccount, and then click Properties. The UserAccount is the account used to connect to the web console.
5) Click the Account tab.
6) In the Account options box, confirm that Account is sensitive and cannot be delegated is not selected.
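The following PowerShell script is an added example, not part of the original article, and covers both the domain functional level check from the Raise Domain Level section and the account option check just described. It reads the level from RootDSE and tests the userAccountControl bit that the "Account is sensitive and cannot be delegated" check box sets, so that many web console user accounts can be checked without opening each one in the MMC. The account name in the usage comment is a placeholder.

```powershell
# Added example (not from the original article): check the prerequisites for
# delegation on the directory side rather than through the MMC dialogs.

function Get-DomainFunctionalLevel {
    # RootDSE.domainFunctionality exists on Windows Server 2003 and later DCs.
    # 0 = Windows 2000, 1 = 2003 interim, 2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2, 5 = 2012, 6 = 2012 R2, 7 = 2016
    $rootDse = [ADSI]'LDAP://RootDSE'
    $raw = $rootDse.Properties['domainFunctionality'].Value
    $level = if ($raw -eq $null) { 0 } else { [int]$raw }   # attribute absent => Windows 2000 DCs only
    New-Object PSObject -Property @{
        Level                         = $level
        SupportsConstrainedDelegation = ($level -ge 2)        # constrained delegation needs Windows Server 2003 level
    }
}

function Test-AccountDelegatable {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)   # placeholder, the web console user
    $NOT_DELEGATED = 0x100000   # userAccountControl bit behind "Account is sensitive and cannot be delegated"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.Add('userAccountControl') | Out-Null
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found in the current domain" }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Account      = $SamAccountName
        NotDelegated = (($uac -band $NOT_DELEGATED) -ne 0)   # $true: the web console cannot delegate this user's identity
    }
}

# Usage (placeholder account):
# Get-DomainFunctionalLevel
# 'alice','bob' | ForEach-Object { Test-AccountDelegatable -SamAccountName $_ } | Format-Table -AutoSize
```

Keep the NotDelegated flag set for privileged accounts that should never be delegated; for ordinary web console users it must be clear, which is exactly what step 6 confirms. On domains at Windows Server 2012 R2 level or later, membership in the Protected Users group also blocks delegation regardless of this bit.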
Configure Constrained Delegation:
1) Configure Constrained Delegation: To allow a computer to be trusted for delegation
Note: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
2) Open Active Directory Users and Computers.
3) In the console tree, click Computers.
4) In the details pane, right-click the computer on which the web console is installed, and select Properties from the context menu.
5) Select the Delegation tab
6) In a Windows Server 2003 domain, on the Delegation tab, click Trust this computer for delegation to specified services only, and then select the Use Kerberos only radio button.
7) Click the Add button
8) In the Add Services dialogue, click the Users or Computers button.
9) In the Select Users or Computers dialogue specify the domain account that the SDK service is running under and click OK.
10) In the Add Services dialogue select the service type MSOMSdkSvc and click OK.
11) Click OK to close the Properties dialogue.
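The following PowerShell script is an added example and not part of the original article. It reads the web console computer object and classifies its delegation configuration from the attributes the Delegation tab writes, so the outcome of the steps above can be verified, and a computer that was accidentally left on "Trust this computer for delegation to any service" (unconstrained delegation, far broader than this scenario needs) is flagged. The computer name and SPN in the usage comment are placeholders.

```powershell
# Added example (not from the original article): verify the Delegation tab result
# by reading userAccountControl and msDS-AllowedToDelegateTo on the computer object.

function Get-ComputerDelegationMode {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,   # web console server name, without the trailing $ (placeholder)
        [Parameter(Mandatory=$true)][string]$ExpectedSpn     # e.g. MSOMSdkSvc/rms01.contoso.com (placeholder)
    )
    $TRUSTED_FOR_DELEGATION         = 0x80000     # "Trust this computer for delegation to any service" (unconstrained)
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol" (protocol transition)

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher.PropertiesToLoad.AddRange(@('userAccountControl','msDS-AllowedToDelegateTo')) | Out-Null
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Computer '$ComputerName' not found in the current domain" }

    $uac     = [int]$result.Properties['useraccountcontrol'][0]
    $allowed = @($result.Properties['msds-allowedtodelegateto'])   # empty when no services were added

    $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained' }              # broader than the procedure requires
            elseif ($allowed.Count -eq 0) { 'None' }
            elseif ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained-AnyProtocol' }
            else { 'Constrained-KerberosOnly' }                                     # what "Use Kerberos only" produces

    New-Object PSObject -Property @{
        Computer        = $ComputerName
        Mode            = $mode
        AllowedServices = ($allowed -join ';')
        HasExpectedSpn  = ($allowed -contains $ExpectedSpn)
        Compliant       = ($mode -eq 'Constrained-KerberosOnly' -and ($allowed -contains $ExpectedSpn))
    }
}

# Usage (placeholder names):
# Get-ComputerDelegationMode -ComputerName 'WEBCON01' -ExpectedSpn 'MSOMSdkSvc/rms01.contoso.com' | Format-List
```

Compliant is true only when the computer is constrained, Kerberos-only, and lists the SDK service SPN; when the MMC adds the MSOMSdkSvc service it copies every MSOMSdkSvc/* SPN found on the SDK account, so AllowedServices normally shows both the short-name and FQDN forms.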