SCOM WebConsole settings for authentication

Auto Pilot for SCOM web console
Airplane movie – AutoPilot with SCOM Web Console settings


The scene from Airplane where the autopilot inflates comes to mind, and it parallels the experience engineers describe when they talk about SCOM Web Console configuration. I’m ready to dispel some myths and document securing the SCOM Web Console for authentication.


Quick outline

Knowledge Articles to aid with ‘SCOM WebConsole settings for authentication’

Configuring SSL certs and Smart Cards (this post)

Configuring Kerberos and AD delegation (next post)

Verifying WebConsole functionality blog posts – ReDirect, Authentication, SSL and Bindings

Mitigating SCOM vulnerabilities – Java, HSTS, ODBC


Knowledge Articles

How to Install Web Console from learn.microsoft.com for SCOM 2019, 2022

Holman’s SCOM quick start install guides for SCOM 2019, 2022

IIS Manager Authentication from learn.microsoft.com


Configuring SSL Certs and Smart Cards

Set up the SCOM WebConsole settings for secure authentication, access and rendering. I set up the web console role with defaults first and come back to harden it later. Holman’s quick start lets you complete the role with the default HTTP setup. After that, add an SSL certificate for HTTPS. Third, use DNS aliases or F5 load balancers to simplify the user experience when accessing the console. Fourth, set up smart cards to strengthen authentication, along with Kerberos authentication and delegation.


Part 1 – Start with the SSL certificate for https

Set up the SCOM WebConsole settings for authentication, beginning with an SSL certificate request for the server(s) in question. Add any SAN names/aliases you want (if not load balanced).


NOTE:

Use CA auto-enrollment templates to simplify the SSL request whenever an internal or external SSL certificate is required for your organization. External certificates generally require manual effort: you run the certreq script yourself.


Sample SSL certificate

SCOM Web Console SSL Cert details


Less typing means fewer typos

Below is an SSL certificate example with SAN names/aliases (if not load balanced). This simplifies the SCOM web console link to https://SCOM/ instead of https://SCOMSERVERName/OperationsManager.
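As an added PowerShell example (not code from the original post), this is the certreq flow described above: an INF carrying the server name plus SAN aliases, submission to an enterprise CA, and binding the issued certificate to the Default Web Site on 443. The host name SCOMWEB01.corp.example, the alias SCOM, the CA config string and the template name WebServer are assumed placeholders; replace them with your own.

```powershell
# Added example (not from the original post): request an SSL certificate with SAN
# aliases via certreq, then bind it to the IIS Default Web Site on port 443.
# Assumptions (placeholders): host SCOMWEB01.corp.example, alias SCOM, an enterprise
# CA reachable as CA01.corp.example\Corp-Issuing-CA, a template named "WebServer".

$fqdn     = 'SCOMWEB01.corp.example'                # constructed sample host name
$aliases  = @('SCOM', 'SCOM.corp.example')          # constructed sample SAN aliases
$caConfig = 'CA01.corp.example\Corp-Issuing-CA'     # assumed CA config string (host\CA name)
$template = 'WebServer'                             # assumed internal CA template name
$inf      = "$env:TEMP\scomweb.inf"
$req      = "$env:TEMP\scomweb.req"
$cer      = "$env:TEMP\scomweb.cer"

# SAN extension: each name becomes a dns= entry, joined with '&'
$san = (@($fqdn) + $aliases | ForEach-Object { "dns=$_" }) -join '&'

@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}$san"

[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content -Path $inf -Encoding ASCII

# Create the request, submit it to the enterprise CA, and install the issued certificate.
# For an external CA, stop after -new and submit the .req file through their portal.
certreq.exe -new $inf $req
certreq.exe -submit -config $caConfig $req $cer
certreq.exe -accept $cer

# Bind the newest certificate for this subject to the Default Web Site on 443
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$cert | New-Item -Path IIS:\SslBindings\0.0.0.0!443 -Force
```

Run it in an elevated PowerShell on the web console server. The SAN list is where the aliases come from: every name users will type (SCOM, the FQDN, a load balancer name if one sits in front) must be present, or browsers will reject the certificate for that name.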


IIS manager server certificates with SAN DNSName aliases included.


Part 2 – Add authentication Smart Card in IIS

Next, I will set up the smart card role in the SCOM WebConsole settings for authentication. Also review the learn.microsoft.com documentation for IIS here.

Compatibility

Version    Notes
IIS 10.0   The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0.
IIS 8.5    The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5.
IIS 8.0    The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0.
IIS 7.5    The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5.
IIS 7.0    The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.
IIS 6.0    The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object.


Add the Client Certificate feature for the SCOM Web Console

Let’s add SmartCard authentication capability.


Open Server Manager

Open Server manager


Click on Manage > Add roles/features (top right)

Scroll to the top right, and click on Manage, then ‘Add Roles or features’


Click Next twice to get to the Server Roles


Server Manager > Server Roles tab output

Server Manager > Server Roles


Expand the Web Server drop-down

SCOM Web Console Authentication installing Client Certificate Mapping role

Check the box for ‘Client Certificate Mapping Authentication (Installed)’ and click Next twice.

Expand Server Manager > Web Server > Client Certificate Mapping Authentication

Click Install (mine is greyed out because it is already enabled)

Server Manager Features Install


Allow the install to complete; the server will prompt if a reboot is required.

NOTE: Either way, a reboot is required to apply the new authentication method.


Validate IIS Manager after reboot

Click on Authentication to verify ‘Active Directory Client Certificate Authentication’ is present and enabled.

IIS Authentication with Client Certificate Authentication (after role installed)

After the reboot, verify the ‘AD Client Certificate Authentication’ method is enabled and visible.

From IIS Manager > Server > Authentication, verify the method is present and enabled.

Verify Default Web Site Authentication setup

Verify the Default Web Site has Windows Authentication enabled.


Navigation steps:

IIS Manager > Expand Sites > Default Web Site > Authentication

Windows Authentication should be enabled and the others disabled

Default Web Site Authentication showing Windows Authentication ONLY enabled
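The Server Manager and IIS Manager steps above, as an added PowerShell example (not code from the original post): it installs the feature, enables Active Directory Client Certificate Authentication server-wide, sets the Default Web Site to Windows Authentication only, and prints the effective state so it can be compared with the screenshots. It assumes Windows Server 2016 or later with the ServerManager and WebAdministration modules; ‘Default Web Site’ is the site name used in the post.

```powershell
# Added example (not from the original post): scripted equivalent of the Server Manager
# and IIS Manager steps. Assumes Windows Server 2016+ with the ServerManager and
# WebAdministration modules; "Default Web Site" is the site name used in the post.

Import-Module ServerManager
Import-Module WebAdministration

$site    = 'Default Web Site'
$appHost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'

# Step 1: the feature behind "Client Certificate Mapping Authentication" in Server Manager
$result = Install-WindowsFeature -Name Web-Cert-Auth
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'Reboot required before the new authentication method is usable.'
}

# Step 2: enable Active Directory Client Certificate Authentication server-wide
# (the toggle on IIS Manager > Server > Authentication; it can only be set at this level)
Set-WebConfigurationProperty -PSPath $appHost `
    -Filter "$auth/clientCertificateMappingAuthentication" -Name enabled -Value $true

# Step 3: the Default Web Site keeps Windows Authentication on and the others off.
# Sections for authentication features that are not installed are skipped silently.
$wanted = [ordered]@{
    windowsAuthentication   = $true
    anonymousAuthentication = $false
    basicAuthentication     = $false
    digestAuthentication    = $false
}
foreach ($method in $wanted.Keys) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $site `
        -Filter "$auth/$method" -Name enabled -Value $wanted[$method] `
        -ErrorAction SilentlyContinue
}

# Step 4: report the effective state to compare with the IIS Manager screenshots
function Get-AuthState {
    param([string]$Location)
    foreach ($method in @($wanted.Keys) + 'clientCertificateMappingAuthentication') {
        $prop = Get-WebConfigurationProperty -PSPath $appHost -Location $Location `
                    -Filter "$auth/$method" -Name enabled -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            [pscustomobject]@{ Method = $method; Enabled = [bool]$prop.Value }
        }
    }
}
Get-AuthState -Location $site | Format-Table -AutoSize
```

Run it elevated on the web console server and reboot afterwards if Install-WindowsFeature reports that a restart is needed; the Get-AuthState output should show windowsAuthentication and clientCertificateMappingAuthentication as True and the rest as False.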

Resolve HSTS vulnerability CVEs on IIS10

IIS Error 500 – Don’t let a vulnerability cause downtime with your SCOM web console


This article will help resolve HSTS vulnerability CVEs on IIS10. The steps apply to Windows Server 2016 and later and help resolve multiple vulnerabilities, including CVE-2023-23915, CVE-2023-23914 and CVE-2017-7789. There are a few ways to configure IIS; this post shows how to set up the HTTP response header and the HTTP redirect on the server(s) holding the SCOM web console role.


Setting HSTS on IIS10 for Server 2016 (version 1609)

Open a PowerShell window as Admin
cd c:\windows\winsxs
gci wow64_microsoft-windows-iis-shared* | ft Name

Aim for the latest directory.
NOTE: the bottom entry is the newest, based on the version number in the name.

Example output
PS C:\windows\winsxs> gci wow64_microsoft-windows-iis-shared* | ft Name

Name
----
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.0_none_48b28891ffe5bdae
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.1613_none_90c5a57843ef1621
wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.14393.5246_none_90f3a94643cc33e1

# AppCMD lines (appcmd.exe lives in %windir%\System32\inetsrv, not in winsxs)
& "$env:windir\System32\inetsrv\appcmd.exe" set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.enabled:True" /commit:apphost
& "$env:windir\System32\inetsrv\appcmd.exe" set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.max-age:31536000" /commit:apphost
& "$env:windir\System32\inetsrv\appcmd.exe" set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.includeSubDomains:True" /commit:apphost
& "$env:windir\System32\inetsrv\appcmd.exe" set config -section:system.applicationHost/sites "/[name='Default Web Site'].hsts.redirectHttpToHttps:True" /commit:apphost


For Server2016 1709 and greater

To add the HSTS Header, follow the steps below:

Open IIS manager.
Select your site.
Open HTTP Response Headers option.
Click on Add in the Actions section.
In the Add Custom HTTP Response Header dialog, add the following values:
Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
Or set it directly in web.config under system.webServer, as below:

<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
  </customHeaders>
</httpProtocol>

NOTE: an iisreset may be required to restart IIS and apply the settings


Verify HTTP Response Headers

From IIS10 (IIS Manager) > click on ‘Default Web Site’ > HTTP Response Headers

Verify the Strict-Transport-Security value matches what you configured

HSTS IIS10 HTTP Response Headers screenshot verifying settings applied


Set HTTP Redirect

Now set the HTTP redirect, to prevent denial of service (DoS) attacks.

From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > HTTP Redirect

Screenshot

Default Web Site HTTP Redirect to SCOM web console URL


From IIS10 (IIS Manager) > Expand ‘Default Web Site’ > go through each Application to set HTTP redirect

Screenshot

Set HSTS HTTP Redirect on other web applications


Test your web console URL to verify the components
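Here is an added PowerShell check (not code from the original post) for that verification step: it requests the console over HTTP and over HTTPS without following redirects, then reports whether HTTP is redirected to an https:// location, whether HTTPS answers without bouncing back to HTTP or to itself, and whether the Strict-Transport-Security header carries the one-year max-age configured above. The alias SCOM and the path /OperationsManager are assumed sample values.

```powershell
# Added example (not from the original post): verify the HTTP->HTTPS redirect and the
# HSTS header on the SCOM web console. Assumes the alias SCOM and the path
# /OperationsManager (constructed sample values) and a client that trusts the cert.

function Get-RawResponse {
    # Fetch one URL without following redirects so the 3xx itself can be inspected
    param([string]$Uri)
    $req = [System.Net.HttpWebRequest]::Create($Uri)
    $req.AllowAutoRedirect = $false
    $req.UseDefaultCredentials = $true   # the console uses Windows Authentication
    $req.Method = 'GET'
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        if (-not $_.Exception.Response) { throw }   # no response at all (DNS, TLS, refused)
        $resp = $_.Exception.Response               # 4xx/5xx still carry the headers we need
    }
    $out = [pscustomobject]@{
        StatusCode = [int]$resp.StatusCode
        Location   = $resp.Headers['Location']
        Hsts       = $resp.Headers['Strict-Transport-Security']
    }
    $resp.Close()
    return $out
}

function Test-ScomWebConsole {
    param(
        [string]$HostName = 'SCOM',               # constructed sample alias
        [string]$Path     = '/OperationsManager'
    )
    $redirects = 301, 302, 307, 308
    $checks = @()

    # 1. Plain HTTP must be redirected to an https:// location
    $http = Get-RawResponse -Uri "http://$HostName$Path"
    $checks += [pscustomobject]@{
        Check  = 'HTTP is redirected to HTTPS'
        Pass   = ($http.StatusCode -in $redirects) -and ($http.Location -like 'https://*')
        Detail = "$($http.StatusCode) $($http.Location)"
    }

    # 2. HTTPS must not bounce back to HTTP or to the same URL; that is a redirect
    #    loop, meaning the HTTP Redirect setting is also applied on the HTTPS binding
    $https = Get-RawResponse -Uri "https://$HostName$Path"
    $looping = ($https.StatusCode -in $redirects) -and
               (($https.Location -like 'http://*') -or ($https.Location -eq "https://$HostName$Path"))
    $checks += [pscustomobject]@{
        Check  = 'HTTPS answers without looping'
        Pass   = -not $looping
        Detail = "$($https.StatusCode) $($https.Location)"
    }

    # 3. HSTS header present with the one-year max-age configured above
    $maxAge = 0
    if ($https.Hsts -match 'max-age=(\d+)') { $maxAge = [int]$Matches[1] }
    $checks += [pscustomobject]@{
        Check  = 'Strict-Transport-Security max-age >= 31536000'
        Pass   = $maxAge -ge 31536000
        Detail = [string]$https.Hsts
    }
    return $checks
}

Test-ScomWebConsole | Format-Table -AutoSize
```

Run it from a domain-joined client rather than from the server itself so the test goes through the same name resolution, certificate trust and bindings as your users. A failed second check is the symptom behind the Error 500 / downtime warning above: HTTP Redirect enabled on the site without excluding the HTTPS binding sends every HTTPS request back to the same URL.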


References

NIST NVD: CVE-2023-23915, CVE-2023-23914

MITRE: CVE-2017-7789

Blog link: https://inthetechpit.com/2019/07/17/add-strict-transport-security-hsts-response-header-to-iis-hosted-site/