How to Configure Integrated Windows Authentication for the VMM Self-Service Portal

Applies To: Virtual Machine Manager 2008, Virtual Machine Manager 2008 R2, Virtual Machine Manager 2008 R2 SP1

To eliminate login prompts when self-service users open the VMM Self-Service Portal, or connect from the Portal to a virtual machine that requires the same credentials (by using the Connect to VM action or the thumbnails in the Portal), you can configure Integrated Windows Authentication for the Self-Service Portal. If the VMM Self-Service Portal is on a different computer from the VMM server, you must also set up constrained delegation for the VMM service account on the Web server.

The following procedures explain how to perform both tasks. Separate procedures are included for enabling Integrated Windows Authentication in IIS 7.0 and IIS 6.0.

Note

As an added convenience to your self-service users, you can eliminate prompts for credentials when they connect to virtual machines by using the Portal’s Remote Desktop action. To do this, you must enable single sign-on for Terminal Services on the client computer for each user. For more information, including procedures, see Single Sign-On for Terminal Services (https://go.microsoft.com/fwlink/?LinkId=143908).

To enable Integrated Windows Authentication in IIS 7.0

  1. In Administrative Tools, open Internet Information Services (IIS) Manager.

  2. Navigate to the IIS Web server that hosts the VMM Self-Service Portal, expand Sites, and select the Web site: Microsoft System Center Virtual Machine Manager 2008 R2 Self-Service Portal (x64).

  3. In the Features View pane, double-click Authentication.

  4. On the Authentication page, click Windows Authentication. Then, in the Actions pane, click Enable.

    Note

    If Windows Authentication is not available, install the Windows Authentication Role Service for the Web Server (IIS) role.

  5. Disable all other authentication types.

If the Web server is running IIS 6.0, you will need to disable anonymous access in addition to enabling Integrated Windows Authentication.

To enable Integrated Windows Authentication in IIS 6.0

  1. In Administrative Tools, open Internet Information Services (IIS) Manager.

  2. Navigate to the IIS Web server that hosts the VMM Self-Service Portal.

  3. Under Web Sites, right-click Microsoft System Center Virtual Machine Manager 2008 Self-Service Portal, and then click Properties.

  4. In the Authentication access section, on the Directory Security tab, click Edit, and then do the following:

    • Select the Integrated Windows authentication check box.

    • Clear the Enable anonymous access check box.
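The two IIS procedures above can be scripted rather than clicked through. The following PowerShell script is an added example, not part of the original article or the VMM product: it enables Windows Authentication and disables the other authentication types on the Portal site, using appcmd.exe on IIS 7.0 and adsutil.vbs on IIS 6.0, and then reads the setting back so you can confirm that only Integrated Windows Authentication remains enabled. The default site name is the one the article gives; $SiteId (the IIS 6.0 metabase site number) is an assumption.

```powershell
# Added example (not from the original article). Enables Windows Authentication,
# disables every other authentication type on the Self-Service Portal site,
# and verifies the result. $SiteId is an assumption; adjust it for your server.
param(
    [string]$SiteName = 'Microsoft System Center Virtual Machine Manager 2008 R2 Self-Service Portal (x64)',
    [string]$SiteId   = '1'   # IIS 6.0 metabase identifier, i.e. W3SVC/1 (assumed)
)

$appcmd   = "$env:windir\system32\inetsrv\appcmd.exe"
$adsutil  = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"
$authPath = 'system.webServer/security/authentication'

if (Test-Path $appcmd) {
    # IIS 7.0: the authentication sections are locked at site level by default,
    # so the change is committed to applicationHost.config (/commit:apphost).
    & $appcmd set config $SiteName "/section:$authPath/windowsAuthentication" /enabled:true /commit:apphost
    # Step 5: disable all other authentication types. A section whose role
    # service is not installed is reported as unknown by appcmd; that is harmless here.
    foreach ($other in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
        & $appcmd set config $SiteName "/section:$authPath/$other" /enabled:false /commit:apphost
    }
    # Verify: only windowsAuthentication should report enabled="true".
    foreach ($section in 'windowsAuthentication', 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
        $state = & $appcmd list config $SiteName "/section:$authPath/$section" /text:enabled
        '{0,-24} enabled={1}' -f $section, $state
    }
}
elseif (Test-Path $adsutil) {
    # IIS 6.0: AuthFlags is a bitmask (1 = Anonymous, 2 = Basic, 4 = Integrated Windows, 16 = Digest).
    # Writing 4 selects Integrated Windows authentication and clears anonymous access in one step.
    cscript //nologo $adsutil set "W3SVC/$SiteId/Root/AuthFlags" 4
    cscript //nologo $adsutil get "W3SVC/$SiteId/Root/AuthFlags"
}
else {
    throw 'Neither appcmd.exe (IIS 7.0) nor adsutil.vbs (IIS 6.0) was found on this server.'
}
```

Run it in an elevated PowerShell session on the Web server that hosts the Portal; a site that still reports anonymousAuthentication enabled="true" will keep serving the Portal to unauthenticated browsers.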

Unless the VMM Self-Service Portal and the VMM server are on the same computer, use the following procedure to configure the VMM service account to be trusted for delegation in Active Directory. Constrained delegation establishes a trust relationship under which an Active Directory account is granted permission to delegate credentials to another specific service. In this case, the IIS Web server will be granted permission to delegate the connecting client’s credentials to the VMM server.

To configure the VMM service account to be trusted for delegation by Kerberos

  1. Create a Kerberos Service Principal Name (SPN) for the VMM server. To do this, at a command prompt, type the following, where vmmserviceaccount is either the machine account for the VMM server (if VMM is running as Local System) or the domain user account under which VMM runs:

    setspn -R <vmmserviceaccount>

    You should see output similar to the following:

    Registered ServicePrincipalNames for CN=Self Service Test,CN=Users,DC=contoso,DC=com:
            HOST/vmmserviceaccount
            HOST/vmmserviceaccount.contoso.com

  2. In Administrative Tools, open Active Directory Users and Computers, and then navigate to the computer account for the self-service Web server.

    Note

    If Active Directory Users and Computers is not listed, install the Active Directory Domain Services Tools feature. For instructions, see Installing Remote Server Administration Tools for AD DS (https://go.microsoft.com/fwlink/?LinkId=140463).

    Right-click the computer account for the self-service Web server, and then click Properties.

  3. On the Delegation tab, click Trust this computer for delegation to specified services only, and then click Use Kerberos only.

  4. Click Add, and then navigate to the SPN that you created in step 1.

  5. Select the HOST service type for your VMM server, and then click OK.

  6. On the IIS Web server that hosts the Self-Service Portal, create the following registry key. To open Registry Editor, click Start, click Run, and then type regedit.

    Warning

    Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Self-Service Portal\Settings
    Value Name:  VMMServerSPN
    Data Type: REG_STRING
    Value Data (example): HOST/vmmserviceaccount
    
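The delegation procedure above, steps 1 through 6, scripted as an added example that is not part of the original article or the VMM product. It verifies the HOST SPNs from step 1 with setspn -L, writes the constrained-delegation list (msDS-AllowedToDelegateTo) to the Web server's computer account, checks that the account is not configured for unconstrained delegation or protocol transition (the article's "Use Kerberos only" setting), and creates the VMMServerSPN registry value when run on the Web server itself. The ActiveDirectory module from RSAT is assumed to be available; $WebServer is an assumed name, while the account, SPNs and domain are the article's sample values.

```powershell
# Added example (not from the original article). Run once on a domain-joined
# machine with the ActiveDirectory module (steps 1-5), and once on the Portal
# Web server (step 6). $WebServer is an assumption.
param(
    [string]$VmmServiceAccount = 'vmmserviceaccount',   # machine account or domain user running VMM
    [string]$WebServer         = 'SSPWEB01',            # computer account of the Portal Web server (assumed)
    [string]$Domain            = 'contoso.com'
)
Import-Module ActiveDirectory

# Step 1 check: setspn -L lists the SPNs that setspn -R registered for the account.
$spns   = setspn -L $VmmServiceAccount
$wanted = "HOST/$VmmServiceAccount", "HOST/$VmmServiceAccount.$Domain"
foreach ($spn in $wanted) {
    if (-not ($spns -match [regex]::Escape($spn))) {
        throw "SPN $spn is not registered for $VmmServiceAccount; run setspn -R first."
    }
}

# Steps 3-5: "Trust this computer for delegation to specified services only" is the
# msDS-AllowedToDelegateTo attribute on the Web server's computer account, limited
# to the VMM server's HOST SPNs. "Use Kerberos only" means the account must NOT be
# flagged TrustedToAuthForDelegation (protocol transition).
Set-ADComputer -Identity $WebServer -Add @{ 'msDS-AllowedToDelegateTo' = $wanted }

$acct = Get-ADComputer -Identity $WebServer `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($acct.TrustedForDelegation) {
    Write-Warning "$WebServer is trusted for unconstrained delegation; it can forward tickets to any service."
}
if ($acct.TrustedToAuthForDelegation) {
    Write-Warning "$WebServer allows protocol transition; the article's setting is 'Use Kerberos only'."
}
"Delegation targets for ${WebServer}:"
$acct.'msDS-AllowedToDelegateTo'

# Step 6, on the Web server only: tell the Portal which SPN to request when it delegates.
$key = 'HKLM:\SOFTWARE\Microsoft\Microsoft System Center Virtual Machine Manager Self-Service Portal\Settings'
if ($env:COMPUTERNAME -ieq $WebServer) {
    New-Item -Path $key -Force | Out-Null
    # The article lists the data type as REG_STRING; the registry type for a string value is REG_SZ,
    # which PowerShell calls 'String'.
    New-ItemProperty -Path $key -Name VMMServerSPN -PropertyType String `
                     -Value "HOST/$VmmServiceAccount" -Force | Out-Null
    Get-ItemProperty -Path $key -Name VMMServerSPN
}
```

The two warnings are the checks worth keeping: a Web server that is trusted for unconstrained delegation, or for delegation with any authentication protocol, can impersonate its users to services well beyond the VMM server, which is exactly what the constrained, Kerberos-only setting in step 3 is meant to prevent.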

See Also

Concepts

Hardening VMM Self-Service Web Servers