SCAC 2012 SP1 in a LAB – Configuration Guide (Enable Single Sign-On)

How to Enable Single Sign-On for App Controller

By default, App Controller is enabled to prompt users to sign in by entering their Active Directory user name and password. The following procedures describe how to configure App Controller to use the user’s current Windows credentials to automatically sign on.

To verify or change the authentication method

Open IIS manager on the App Controller server.

Single Sign On 01

Select the App Controller website.

Single Sign On 02

Expand the website and select the /api node.

Single Sign On 03

Click Authentication.

Single Sign On 04

Enable Windows Integrated Authentication.

Single Sign On 05

Disable Basic Authentication.

Single Sign On 06

 

Here is a video walk through:

 

To turn on constrained delegation

Log on using an account that has OU Administrator privileges in Active Directory Domain Services. Ensure that this account is also granted the SeEnableDelegationPrivilege user right (for example, a domain administrator could run the command ntrights -u domainuser +r SeEnableDelegationPrivilege on a domain controller, where domain/user represent the domain and account name for the account).

In Active Directory Users and Computers, right-click the App Controller system and click Properties.

AppC Constrained Delegation 01

Click the Delegation tab.

AppC Constrained Delegation 02

Select the Trust this computer for delegation to specified services only option.

AppC Constrained Delegation 03

Select the Use any authentication protocol option.

AppC Constrained Delegation 04

Click Add and then do one of the following:

  1. If the VMM management server is running under the Local System account, enter the name of the VMM management server and select HOST, and then click OK.
  2. If the VMM management server is running under a domain account, enter the name of domain account and select SCVMM, and then click OK.

AppC Constrained Delegation 05

AppC Constrained Delegation 06

AppC Constrained Delegation 07

Restart the App Controller management server.

Here is a video walk through:

In my video above, you will see that the pass-through authentication didn’t work; as I was still prompted for a username and password. Below is an additional video showing the additional changes I had to make in Internet Information Services (IIS) to make the single sign-on / pass-through authentication to work.

%d bloggers like this: