Resolving FNMP remote console double hop issue

Symptoms

When attempting to log on to the FNMP remote console you receive the error:
(s0m0): FlexNet Manager Suite was unable to complete this operation. Ensure you have sufficient access to the FlexNet Manager Suite web services and database and please try again.
---System exception---
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
This occurs when your system matches both of the following criteria:
  1. Your SQL Server database is on a different server from your FNMP application server
  2. Windows Authentication is enabled for the site in IIS

Cause

When a user logs on to the Remote Console using Integrated Windows Authentication (IWA), the browser obtains a Kerberos ticket that authenticates the user to the FNMP web server. That user credential must then be forwarded (delegated) by the FNMP server to the database server so that the user can authenticate there as well.
This error occurs when the FNMP and database servers have not been configured to allow that forwarding. The FNMP server cannot present the user's Kerberos credential to SQL Server, so the connection falls back to an anonymous logon, which is generally not permitted on the SQL Server. This is known as the double-hop issue.
For more information on double-hop issues, see: http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

Resolution

To resolve this issue we need to configure the servers so that the user's Kerberos credential can be delegated from the FNMP server to the database server.
First, make sure delegation is enabled for the FNMP server. In Active Directory Users and Computers, open the Computers container (or Domain Controllers, if the FNMP server is a domain controller), open the properties of the FNMP server's computer object, and on the Delegation tab choose "Trust this computer for delegation to any service (Kerberos only)", then click Apply and OK. (The same tab also offers "Trust this computer for delegation to specified services only", which limits delegation to the database server's MSSQLSvc SPN and is the narrower option; this article uses the unrestricted one.)
Next, check whether the required SPNs (Service Principal Names) have been registered for the servers. In the instructions below the FNMP server is called "FLEXADMIN" and the database server "FLEXDB"; substitute your own server names.
  1. Open a command prompt
  2. Type "setspn -L FLEXADMIN" and press Enter / Return
  3. It should list a number of entries for the FNMP server beginning with http/, e.g. http/sesoco1115 sesosco1115
  4. If it does not, run the commands below in the command prompt

setspn -s http/flexadmin flexadmin
setspn -s http/flexadmin.your_domain.com flexadmin
setspn -s http/flexadmin:80 flexadmin
setspn -s http/flexadmin.your_domain.com:80 flexadmin

Now when you run setspn -L FLEXADMIN it should display the values above.
Next, log on to the database server and open a command prompt. Run setspn -L FLEXDB.
It should list something like MSSQLSvc/flexdb.your_domain.com and MSSQLSvc/flexdb.your_domain.com:1433
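The SPN check above, as an added PowerShell example that is not part of the original article. It builds the four http/ SPNs and the two MSSQLSvc SPNs the article expects from the server names (placeholders here), compares them with what setspn -L reports, and prints the setspn command for anything missing; it also checks the forest for duplicate SPNs, which produce the same ANONYMOUS LOGON symptom as a missing one.

```powershell
# Added example, not from the article: build the SPN lists the article expects,
# compare them with what 'setspn -L' reports, and print the setspn command for
# anything missing. Server and domain names are placeholders; use your own.
function Get-ExpectedSpn {
    param(
        [string]$Service,   # 'http' for the FNMP web server, 'MSSQLSvc' for SQL Server
        [string]$HostName,  # short name, e.g. FLEXADMIN
        [string]$Fqdn,      # fully qualified name, e.g. flexadmin.your_domain.com
        [int]$Port          # 80 for the IIS site, 1433 for the default SQL instance
    )
    if ($Service -eq 'MSSQLSvc') {
        # SQL Server registers the FQDN forms only, matching the setspn -L FLEXDB output above
        return @("$Service/$Fqdn", "$Service/${Fqdn}:${Port}")
    }
    # The four http/ forms the article registers with setspn -s
    return @("$Service/$HostName", "$Service/$Fqdn",
             "$Service/${HostName}:${Port}", "$Service/${Fqdn}:${Port}")
}

function Test-Spn {
    param(
        [string]$Account,     # computer account (FLEXADMIN), or the app pool / SQL service account if one is used
        [string[]]$Expected
    )
    # 'setspn -L' prints one SPN per line; keep only lines that look like service/host
    $registered = (& setspn -L $Account 2>&1) |
        ForEach-Object { $_.ToString().Trim() } | Where-Object { $_ -match '^[^ ]+/' }
    foreach ($spn in $Expected) {
        if ($registered -contains $spn) {    # -contains is case-insensitive, like SPN matching
            Write-Host "OK       $spn"
        } else {
            # setspn -S (same as -s) refuses to add the SPN if it already exists elsewhere
            Write-Host "MISSING  $spn   -> setspn -S $spn $Account"
        }
    }
}

# An SPN registered on two accounts breaks Kerberos for that service and the
# logon silently falls back to NTLM, producing the same ANONYMOUS LOGON error.
# 'setspn -X' searches the forest and reports '... is registered on these accounts:'.
function Test-DuplicateSpn {
    $dupes = & setspn -X 2>&1 | Select-String -Pattern 'is registered on these accounts'
    if ($dupes) { Write-Warning "Duplicate SPNs found: run 'setspn -X' and remove the stray ones." }
}

Test-Spn -Account 'FLEXADMIN' -Expected (Get-ExpectedSpn 'http' 'FLEXADMIN' 'flexadmin.your_domain.com' 80)
Test-Spn -Account 'FLEXDB'    -Expected (Get-ExpectedSpn 'MSSQLSvc' 'FLEXDB' 'flexdb.your_domain.com' 1433)
Test-DuplicateSpn
```

Run it in an elevated prompt on a domain-joined machine with the RSAT setspn tool available; if the application pool or SQL service runs as a domain service account, pass that account name instead of the computer name, as the Additional Information section below describes.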

If using Windows Server 2008 R2, then in IIS > Authentication select Windows Authentication, click 'Edit' in the right-hand Actions pane, and un-check the option "Enable Kernel-mode authentication".

Additional Information

The steps in this article apply if your ManageSoftWebServiceDirectoryService application pool in IIS is configured with a machine account e.g. NetworkService, LocalSystem etc. If you use a service account instead then the SPNs should be configured to use the service account instead of the FNMP server name (last part of the http/ SPN).

The MSSQLSvc SPN should be registered on the account that runs the MSSQL service on the database machine. In this article that is again a machine account, which is fine if the service runs as LocalSystem; if a specific user account is used, register the MSSQLSvc SPN on that user account instead.


If the above steps fail, go to [HKLM\SOFTWARE\Wow6432Node\ManageSoft Corp\Compliance\CurrentVersion], create a string value called "ImpersonateDatabaseConnection" and set it to "False", then enable ASP.NET Impersonation in IIS on the ManageSoftServices site and set the account to your service account. This stops users authenticating against the database individually (every database connection is then made as the service account) and therefore avoids the double-hop issue; users should still be restricted to whatever their roles assign them.

Comments

This article needs to be clarified as follows:

1) Does the trusted for delegation apply to the web servers (web and app in a 3 server system) only or all 3 servers - including DB server.  

2) There need to be examples included where service accounts are used.

@fstewart2 - this article is discussing information relevant to the operation of the remote console component with the FlexNet Manager Platform 9.x and earlier product range, and is not so relevant for FlexNet Manager Suite 2014 and later: these versions don't have the remote console component.

However if you really are using an old 9.x and earlier version, it is the web server that needs to be trusted for delegation. The database server does not perform any delegation, so doesn't need to be trusted to do that.

This was shared with me as applying to FNMS 2019, and I think the same issues apply (the double hop issue). It's even described (but not as well) in the Enterprise Products integration guide. That guide needs to get this article and this article needs help from that guide. So it's not clear that it's version specific.

Version history
Revision: 1 of 1
Last update: Oct 27, 2011 11:47 AM