SCOM WebConsole settings for authentication

Auto Pilot for SCOM web console
Airplane movie – AutoPilot with SCOM Web Console settings

 

Makes me think of the scene from Airplane with the AutoPilot blow-up, similarly parallel to engineer experiences talking about the SCOM Web Console configuration.  I’m ready to dispel some myths to document securing the ‘SCOM Web Console for authentication’

 

 

Quick outline

Knowledge Articles to aid with ‘SCOM WebConsole settings for authentication’

Configuring SSL certs and Smart Cards (this post)

Configuring Kerberos and AD delegation (next post)

Verifying WebConsole functionality blog posts – ReDirect, Authentication, SSL and Bindings

Mitigating SCOM vulnerabilities – Java, HSTS, ODBC

 

 

Knowledge Articles

How to Install Web Console from learn.microsoft.com for SCOM 2019, 2022

Holman’s SCOM quick start install guides for SCOM 2019, 2022

IIS Manager Authentication from learn.microsoft.com

 

 

Configuring SSL Certs and Smart Cards

Setup ‘SCOM WebConsole settings for secure authentication’, access, and rendering methods.  I’ve setup the web console role with defaults, then come back later.  Holman’s quick start lets you complete the role with default HTTP setup.  After that, we add an SSL cert for HTTPS.  Thirdly, employ aliases, or F5 load balancers to simplify user experience accessing the console.  Fourth, setup SmartCards to help secure, also Kerberos authentication/delegation. 

 

 

Part 1 – Start with the SSL certificate for https

Setup the ‘SCOM WebConsole settings for authentication’, beginning with a SSL certificate request for the server(s) in question.  Add any SAN names/aliases you want (if not load balanced).

 

NOTE:

Use CA Auto-Enrollment templates to simplify SSL request whenever an internal or external SSL certificate is required for your organization.  Generally, external certificates require manual effort executing the certreq script.

 

Sample SSL certificate

SCOM Web Console SSL Cert details
SCOM Web Console SSL Cert details

 

Less typing means less typos

Below SSL certificate example with any SAN names/aliases (if not load balanced).  Simplify the SCOM web console link to https://SCOM/ versus https://SCOMSERVERName/OperationsManager

 

IIS manager server certificates with SAN DNSName aliases included.
IIS manager server certificates with SAN DNSName aliases included.

 

 

Part 2 – Add authentication Smart Card in IIS

Next! – I will set up SmartCard role in ‘SCOM WebConsole settings for authentication’.  Additionally, review the Learn.microsoft.com site for IIS here.

Compatibility

VersionNotes
IIS 10.0The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0.
IIS 8.5The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5.
IIS 8.0The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0.
IIS 7.5The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5.
IIS 7.0The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.
IIS 6.0The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object.

 

 

Add the Client Certificate feature for the SCOM Web Console

Let’s add SmartCard authentication capability.

 

Open Server manager >

Open Server manager
Open Server manager

 

Click on Manage > Add roles/features (top right)

Scroll to the top right, and click on Manage, then 'Add Roles or features'
Scroll to the top right, and click on Manage, then ‘Add Roles or features’

 

Click Next twice to get to the Server Roles

 

Server Manager > Server Roles tab output

Server Manager > Server Roles
Server Manager > Server Roles

 

 

Expand Web Server drop down

SCOM Web Console Authentication installing Client Certificate Mapping role

Click the box to check ‘Client Certificate Mapping Authentication (Installed)’ and click Next twice (2) [ two times ]

Expand Server Manager > Web Server > Client Certificate Mapping Authentication

Expand Server Manager > Web Server > Client Certificate Mapping Authentication

Click Install (mine is greyed out as it’s enabled)

Server Manager Features Install
Server Manager Features Install

 

Allow install to complete, server will prompt if reboot required.

NOTE: Either way, reboot is required to apply new authentication method.

 

Validate IISManager after reboot

Click on Authentication to verify ‘Active Directory Client Certificate Authentication’ is present and enabled.

IIS Authentication with Client Certificate Authentication (after role installed)
IIS Authentication with Client Certificate Authentication (after role installed)

 

 

After reboot, verify ‘AD Client Certificate authentication’ method is enabled and visible.

 

From IISManager > Server > Authentication > Verify method is there and enabled

IIS Authentication with Client Certificate Authentication (after role installed)
IIS Authentication with Client Certificate Authentication (after role installed)

 

 

Verify Default Web Site Authentication setup

Verify Default Web site has Windows Authentication enabled.

 

Navigation steps:

IIS Manager > Expand Sites > Default Web Site > Authentication

Windows Authentication should be enabled, others disabled

Default Web Site Authentication showing Windows Authentication ONLY enabled
Default Web Site Authentication showing Windows Authentication ONLY enabled

Leave a Reply

Your email address will not be published. Required fields are marked *