I have seen this issue several times, but as I always forget it after I’ve fixed it, I decided to make a blog post about it.
As far as I have learned this issue is due to a Kerberos double-hop. But, fear not! The solution is pretty simple:
Open IIS Manager, go to Operations Manager and click Authentication:
Mark Windows Authentication and then click “Providers…” in the right side
Move up NTLM so it is first.
No restart of the server or IIS is necessary. This action must be performed on all management servers with this issue.
Happy not-being-prompted-for-username-and-password’ing!
Hi Mike, I have followed your instructions and I’m still getting prompted for credentials. Our setup consists of 4 management servers and 2 web console servers using Windows 2012 servers.
Hi Abdul
Have you changed this on both web console servers?
Regards
Michael
its really helped for me
Hi Biju
Thanks for visiting. I’m glad I could help.
Thanks for this fix! I needed to clear the cache and restart IE first on impacted PC’s in order to get it working…cheers!
HI MIchael,
I am facing the same issue in my environment. The error i am getting while accessing the web console is below:
Please provide the following information to the support engineer if you have to contact Microsoft Help and Support :
Microsoft.EnterpriseManagement.Presentation.Security.ConnectionSessionException: Unable to create connection session.
It just keep asking for the login details and doesnt logs on to the portal.
Please help.
Thanks and regards
Rohit Tyagi
I had this problem. I tried everything suggested on here but none of it worked. I eventually found this page:
https://blogs.technet.microsoft.com/momteam/2008/01/30/running-the-web-console-server-on-a-standalone-server-using-windows-authentication/
It’s outdated but still applies to an extent. The following is what worked for me:
My Operations Web Console is on a separate server to the rest of SCOM. I had already added the SCOMSdkSvc SPNs using both NETBIOS name and FQDN of the management servers to the SDK account. I then went to the AD account of the server running the web console, went to the delegation tab and chose “Trust this computer for delegation to specified services only”. I selected “Use any authentication protocol” and pressed the Add button. I put in the SDK service account and chose the two SPNs that appeared.
With all that in, the OpsMgr web console is now automatically authenticating.
This fixed my issue. Thanks a lot for sharing.
I’m configuring the SCOM Dashboard Viewer Web Part, and I ran across your blog suggesting to place NTLM over Negotiate in the IIS settings hosting the Operations Manager Web Console. The blog doesn’t state specifically the reason why you would make these configuration changes or what it solves. What problem does this solve? I’m currently seeing an error message, “Unable to create connection session”.