You are browsing the archive for 2013 April.

Avatar of alkin

by alkin

How to change SCOM reporting to use Kerberos instead of NTLM

12:06 pm in Uncategorized by alkin

One of the Domain admins at one of my customers was complaining about all the NTLM request generated by the scom server to the reporting server. One of the issues with NTLM is that you need to re-authenticate every time, with Kerberos you receive a ticket that is valid for a longer period of time (by default 10hours). You can find more info about NTLM VS Kerberos here: http://blogs.technet.com/b/authentication/archive/2006/04/07/ntlm-s-time-has-passed.aspx 

 

All the SQL servers at this customer are configured to use Kerberos but apparently when the SCOM reporting is being installed and modifying the RSReportServer config file it will change the authentication method as well back to NTLM!! Although Microsoft is recommending Kerberos over NTLM for almost 10 years now, new products like SCOM 2012 are still using NTLM!!

 

To change the report server authentication settings, edit the XML elements and values in the RSReportServer.config file.

You can find the file in the following location: C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer

 

clip_image002

Change the setting from RSWindowsNTLM to RSWindowsNegotiate

clip_image004

 

Important note Important

Using RSWindowsNegotiate will result in a Kerberos authentication error if you configured the Report Server service to run under a domain user account and you did not register a Service Principal Name (SPN) for the account. Make sure to create the SPN for the SQL reporting service as described here: http://blogs.technet.com/b/stefan_stranger/archive/2012/07/31/opsmgr-2012-what-should-the-spn-s-look-like-visual-representation.aspx

 

Thanks,

Alex


Avatar of alkin

by alkin

Cloud Service pack failed: Current user is not a valid Orchestrator user

9:46 am in SytemCenter by alkin

Microsoft released beginning of March the updated Cloud Service Process pack that is now fully compatible with System Center 2012 SP1. You can download the new process pack here: http://www.microsoft.com/en-us/download/details.aspx?id=36497   CSPP is an extension pack built on top of System Center. This release is compatible only with System Center 2012 and 2012 SP1. This release does not contain a new feature set from prior releases.

When I tried to install CSPP I got the following error:

clip_image001

I opened the log files of the CSSP setup that are located at the following location:

C:\Users\alex\AppData\Local\SCCloudServices\LOGS\SCCloudServicesSetupWizard07

When I search through the log file I discovered the following error:

clip_image003

03:12:25:Checking if current user is valid Orchestrator user or not
03:12:27:System.Runtime.InteropServices.COMException (0x800708AC): The group name could not be found.

My account is a local admin and I could perfectly connect to Orchestator and create and launch runbooks so I was quite suprised to see this error.

So I looked locally in computer managed and you need two groups: the first one is the OrchestratorSystemGroup and the second one is the OrchestratorUserGroup which apparently didn’t exist on my orchestrator server! This means the Orchestator pre-requisites checker is checking for a group which doesn’t exist locally!

clip_image005

So I created manually a new group and added my account to the group

clip_image007

clip_image009

After that I closed and re-opened the setup wizard and everything went through without any issues!

Hope this helps,

Alex

Visit Us On TwitterVisit Us On Linkedin