Search This Blog

Wednesday, August 6, 2014

Problems with the 2012 R2 Web Consoles

This post is a little long, but I wanted to include as much pertinent error information as possible to help folks properly identify if they are encountering the same type of issue.

Recently upgraded our systems to SCOM 2012 R2 and encountered some issues with client connectivity to the web console. SQL is on a separate system from the management console. Web and Management Console is on the same system (for perspective on how our systems are distributed).

First, let's start with some of the errors I was seeing:

From a client, attempting to connect to the AppAdvisor console:

Error on the client:

An error has occured - The additional error information can be found int he Windows Application Log. We appologize for any inconvenience caused by this temporary service outage.


Warning on the SCOM management server when connecting to the AppAdvisor console:

Event code: 3005 Event message: An unhandled exception has occurred. Event time: 8/5/2014 9:38:10 AM :
Event time (UTC): 8/5/2014 4:38:10 PM :
Event ID: 20964fc40f3c43348ccff13e467e259a :
Event sequence: 7 :
Event occurrence: 1 :
Event detail code: 0 :
:
Application information: :
Application domain: /LM/W3SVC/1/ROOT/AppAdvisor-1-130517302775480349 :
Trust level: Full :
Application Virtual Path: /AppAdvisor :
Application Path: C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\WebConsole\AppDiagnostics\AppAdvisor\Web\ :
Machine name: SCOM-MS01 :
:
Process information: :
Process ID: 4332 :
Process name: w3wp.exe :
Account name: NT AUTHORITY\NETWORK SERVICE :
:
Exception information: :
: Exception type: WebException :
Exception message: The request failed with HTTP status 401: Unauthorized.:
:
Request information: :
Request URL: http://scom-ms01/AppAdvisor/Pages/ReportService/ReportServicePageImpl.aspx?_r=&_c=g&_pg=436ac5a4-3e70-41b9-9fe1-5a5c96724dc0&_s=2C369460 :
Request path: /AppAdvisor/Pages/ReportService/ReportServicePageImpl.aspx :
User host address: :
User: :
Is authenticated: True :
Authentication Type: Forms :
Thread account name: NT AUTHORITY\NETWORK SERVICE :
:
Thread information: :
Thread ID: 17 :
Thread account name: NT AUTHORITY\NETWORK SERVICE :
Is impersonating: False :

Similarly, I received that error when connecting to the AppDiagnostics site as well:

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 8/5/2014 9:32:02 AM
Event time (UTC): 8/5/2014 4:32:02 PM
Event ID: 67e2d2ba9c4842c3bc041c62bad932e3
Event sequence: 8
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/AppDiagnostics-2-130517299136496487
Trust level: Full
Application Virtual Path: /AppDiagnostics
Application Path: C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\WebConsole\AppDiagnostics\Web\
Machine name: SCOM-MS01

Process information:
Process ID: 8048
Process name: w3wp.exe
Account name: IIS APPPOOL\OperationsManagerAppMonitoring

Exception information:
Exception type: OleDbCommandException
Exception message: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Command text: Select CONFIGID, CONFIGNAME, CONFIGVALUE From apm.CONFIG
Connection: Provider=SQLOLEDB;Server=scom-sql;database=OperationsManager;Integrated Security=SSPI;

Request information:
Request URL: http://scom-ms01/AppDiagnostics/Pages/Authenticate.aspx?ReturnUrl=/appdiagnostics
Request path: /AppDiagnostics/Pages/Authenticate.aspx
User host address:
User:
Is authenticated: False
Authentication Type:
Thread account name: IIS APPPOOL\OperationsManagerAppMonitoring

Thread information:
Thread ID: 9
Thread account name: IIS APPPOOL\OperationsManagerAppMonitoring
Is impersonating: False

And finally, on the primary /OperationsManager web console, I'd receive an authentication error. The client would be prompted multiple times for a username and password and eventually bomb out.

 
Server Error - 401 - Unauthorized: Access is denied due to invalide credentials. You do not have permission to view this directory or page using the credentials that you supplied.
 
Solving the problem.

First step was a prerequisite for both the AppAdvisor and AppDiagnostic issues.
  1. Open the IIS console on the web console server
  2. Select "Application Pools"
  3. Select "OperationsManagerAppMonitoring"
  4. If you are receiving the errors and the application pool "Identity" is set to "ApplicationPoolIdentity", with the OperationsManagerAppMonitoring pool highlighted, select "Advanced Settings" option in the action pane.
  5. Under "Process Model", change the Identity from ApplicationPoolIdentity to "NetworkService"
  6. Run an IISReset at an administrator (elevated) command prompt
At this point, the AppDiagnostic website started working, but the AppAdvisor site did not. I had to perform additional steps for that site.
  1. Open the IIS console on the web console server
  2. Select and expand the site (Default Web Site on my server) where the Operations Manager web console is installed.
  3. Select the virtual directory named "AppAdvisor"
  4. Open the "Authentication" applet
  5. If not already enabled, enable the "Anonymous" and "ASP .NET Impersonation" methods
  6. Run an IISReset at an administrator (elevated) command prompt
Final piece to get into the Operations Manager web console was to adjust an IE setting, oddly enough. To fix this portion, I took the following steps:
  1. Open "Internet Options" in Internet Explorer
  2. Select the "Advanced" tab
  3. Scroll almost all the way down and uncheck the box for "Enable Integrated Windows Authentication"
After these adjustments, all web consoles were available for remote clients.