Resolving Active Directory “Double Hop” Issues Which Occur if FlexNet Manager Suite and SQL Server are on Separate Computers

Important: You must perform this task if FlexNet Manager Suite 9.2.3 or earlier and SQL Server are installed on separate machines. This task is not necessary when using FlexNet Manager Suite 2015 and later.

To enable Windows Authentication with FlexNet Manager Suite, the user’s credentials need to authenticate in two places:

First “hop”—The user accesses IIS and authenticates into FlexNet Manager Suite.
Second “hop”—FlexNet Manager Suite then uses that user’s credentials to connect to the FlexNet Manager Suite database on SQL Server.

For security reasons, IIS is not permitted to pass credentials to a secondary server. Therefore, if FlexNet Manager Suite and SQL Server are not installed on the same machine, IIS will be unable to perform the authentication, and an error will be generated.

If your enterprise’s security protocols require you to install FlexNet Manager Suite and SQL Server on separate computers, you will need to enable trusted delegation on the FlexNet Manager Suite computer to resolve this issue.

Note: For more information, see How to use the System.DirectoryServices namespace in ASP.NET on the Microsoft Support site:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329986

To enable a trusted delegation, perform the following steps on your FlexNet Manager Suite installation:

To enable a trusted delegation:

1. Disable Anonymous Authentication for the following sites in IIS:
ManageSoftServices
ECMBusinessPortal
Suite
SAPPortal
2. Ensure that only ASP.NET Impersonation and Windows Authentication are enabled for ManageSoftServices, ECMBusinessPortal and ManageSoftECM sites in IIS.
3. Clear the selection of the Enable Kernel mode authentication option for Windows Authentication on ManageSoftServices, ECMBusinessPortal and ManageSoftECM.

Note: You need to disable kernel-mode authentication because it only handles Kerberos authentication but does not allow delegation. You cannot have kernel-mode authentication enabled and also support “double hop” authentication.

4. Create a new Active Directory service account for handling delegation access for FlexNet Manager Suite.
5. In IIS, modify the ManageSoftWebServiceAppPool to use the newly created service account.

Note: You can choose to re-use the FlexNet Manager Suite service account instead of creating a new service account for the purpose of delegation.

6. Remove all existing Service Principal Names (SPNs) on <FNMP Admin Server> for IIS:

setspn -d http/<FNMP Admin Server> <FNMP Admin Server>

setspn -d http/<FNMP Admin Server>:80 <FNMP Admin Server>

setspn -d http/<FNMP Admin Server (Fully Qualified)> <FNMP Admin Server>

setspn -d http/<FNMP Admin Server (Fully Qualified)>:80 <FNMP Admin Server>

7. Run setspn against the new service account user to create a Service Principal Name for the IIS process:

setspn -u -s http/<FNMP Admin Server> <FNMP service account user>

setspn -u -s http/<FNMP Admin Server>:80 <FNMP service account user>

setspn -u -s http/<FNMP Admin Server (Fully Qualified)> <FNMP service account user>

setspn -u -s http/<FNMP Admin Server (Fully Qualified)>:80 <FNMP service account user>

Note: This will allow the FlexNet Manager Suite service account user to authenticate users accessing IIS.

8. Ensure that the SQL Server service account has the necessary SPN created so it can authenticate users accessing SQL Server:

setspn -l <SQL Server user service account>

It should list the following:

….

MSSQLSvc/<SQL Server Machine Name (Fully Qualified)>:1433

MSSQLSvc/<SQL Server Machine Name (Fully Qualified)>

….

9. Also create SPNs for the flat (short) name, in case SQL Server has issues discovering the short-hand name of the application server:

setspn -u -s MSSQLSvc/<SQL Server Machine Name>:1433 <SQL Server service user account>

setspn -u -s MSSQLSvc/<SQL Server Machine Name> <SQL Server service user account>

10. Ensure that the SQL Server Reporting Services service account has the necessary SPN created so it can authenticate users accessing reports in the FlexNet Manager Suite web portals:

setspn -u -s http/<SQL Server Machine Name> <SQL Server service user>

setspn -u -s http/<SQL Server Machine Name>:80 <SQL Server service user>

setspn -u -s http/<SQL Server Machine Name (Fully Qualified)> <SQL Server service user>

setspn -u -s http/<SQL Server Machine Name (Fully Qualified)>:80 <SQL Server service user>

11. Enable Kerberos authentication on the SQL Server Reporting Services reports. (By default, it is disabled.)
12. On the SQL Server machine, edit:

<SQL Server Install Dir>\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config

By default, it is installed at:

C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer

13. Add the RSWindowsNegotiate authentication type. For example, the <Authentication> subsection in the file should look something like this:

<Authentication>
    <AuthenticationTypes>
        <RSWindowsNegotiate/>
        <RSWindowsNTLM/>
    </AuthenticationTypes>
    <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
    <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
    <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>

14. Allow delegation for the <FNMP service account user> so it can delegate the user’s authentication token from FlexNet Manager Suite to SQL Server and from FlexNet Manager Suite to SQL Server Reporting Services.
a. First, add the SQL Server service to give delegation access to the <FNMP service account user>.
b. Then, add the SQL Server Reporting Services service to give delegation access to the <FNMP service account user>.

Note: It is not necessary to modify the delegation tab for the SQL Server service account.

The end result should look something similar to the following:

[Figure: User Properties dialog box from Active Directory, showing the Delegation tab]

Note: If you are performing a proof-of-concept demonstration of the integrated solution in a non-production environment, and need a quicker way to avoid “double-hop” issues, you can use a temporary solution, as described in Temporary Solution for “Proof of Concept” Lab Scenario to Address Double-Hop Issue with FlexNet Manager Suite Server.
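The end state of steps 3, 7 to 10 and 14 can be checked from PowerShell on the FlexNet Manager Suite server. The following script is an added example and is not part of the Flexera documentation; it assumes the ActiveDirectory and WebAdministration modules are installed, that the IIS applications live under Default Web Site, and uses placeholder account and host names that you must replace.

```powershell
# Added verification/config script, not part of the Flexera documentation.
# Assumes the ActiveDirectory and WebAdministration modules are present on the
# FlexNet Manager Suite server; all names below are placeholders to replace.
Import-Module ActiveDirectory
Import-Module WebAdministration

$fnmsAccount = 'svc-fnms'                  # <FNMP service account user>
$sqlAccount  = 'svc-sql'                   # <SQL Server service user account>
$fnmsFqdn    = 'fnms01.corp.example.com'   # <FNMP Admin Server (Fully Qualified)>
$sqlFqdn     = 'sql01.corp.example.com'    # <SQL Server Machine Name (Fully Qualified)>
$fnmsHost    = $fnmsFqdn.Split('.')[0]     # flat names derived from the FQDNs
$sqlHost     = $sqlFqdn.Split('.')[0]

# SPNs the procedure registers: step 7 (IIS), steps 8-9 (SQL Server), step 10 (SSRS).
$fnmsSpns = @("http/$fnmsHost", "http/${fnmsHost}:80", "http/$fnmsFqdn", "http/${fnmsFqdn}:80")
$sqlSpns  = @("MSSQLSvc/${sqlFqdn}:1433", "MSSQLSvc/$sqlFqdn",
              "MSSQLSvc/${sqlHost}:1433", "MSSQLSvc/$sqlHost",
              "http/$sqlHost", "http/${sqlHost}:80", "http/$sqlFqdn", "http/${sqlFqdn}:80")

# Report any expected SPN that is not registered on the given account.
function Test-AccountSpns([string]$Account, [string[]]$Expected) {
    $actual = (Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName
    foreach ($spn in $Expected) {
        if ($actual -notcontains $spn) { Write-Warning "$Account is missing SPN $spn" }
    }
}
Test-AccountSpns $fnmsAccount $fnmsSpns
Test-AccountSpns $sqlAccount  $sqlSpns

# A duplicate SPN anywhere in the forest breaks Kerberos for both accounts.
setspn -X

# Step 14: constrained delegation from the FNMS service account to the SQL Server
# and SSRS services. Writing msDS-AllowedToDelegateTo directly is equivalent to
# adding the services on the account's Delegation tab ("Use Kerberos only").
$delegateTo = @("MSSQLSvc/${sqlFqdn}:1433", "MSSQLSvc/$sqlFqdn", "http/$sqlFqdn")
$current = (Get-ADUser -Identity $fnmsAccount -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
$missing = $delegateTo | Where-Object { $current -notcontains $_ }
if ($missing) { Set-ADUser -Identity $fnmsAccount -Add @{ 'msDS-AllowedToDelegateTo' = $missing } }

# Step 3: kernel-mode authentication must be off on the delegating IIS applications.
# The applications are assumed to live under "Default Web Site".
foreach ($app in 'ManageSoftServices', 'ECMBusinessPortal', 'ManageSoftECM') {
    $km = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "Default Web Site/$app" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name useKernelMode
    if ($km.Value) { Write-Warning "Kernel-mode authentication is still enabled for $app" }
}
```

Run it from an elevated PowerShell session with an account that can read and modify the two service accounts in Active Directory; a clean run produces no warnings and setspn -X reports no duplicate groups.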