Submit a ticketCall us

Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.

 

Home > Success Center > Network Performance Monitor (NPM) > Setup SSL and enable Smart Card (CAC/PKI) user authentication for Orion Web Console

Setup SSL and enable Smart Card (CAC/PKI) user authentication for Orion Web Console

Updated October 12th, 2016

Overview

This article describes how to set up SSL for Self-Signed, Domain Certificate or from Root CA, and set up and troubleshoot Smart Card Authentication setup and login.

 

Environment

Windows Server 2008 R2, 2012, and 2012 R2

Steps

Note: SSL must first be set up on the Web Console for a secure connection.

Prerequisites

Verify that you have the following set up before performing the steps in this procedure:

  • Add at least one Active Directory account to the Web Console before attempting. When all steps are enabled, the Admin account will not be able to log in.
  • Automatic Logon is enabled, or you run through the Setup Configuration Wizard for the next steps.

Note: After this procedure is enabled, remember that the next time that you run the configuration Wizard, in the Website Settings, select Skip HTTP Binding. If you forget to do this (this is included in the documentation below), secure the site for authentication access and Phase II will need to be redone.

Phase I: SSL certificate setup

Go into IIS

  1. Go to Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Select the server.
  3. Select Server Certificates.

 

Create a Domain Certificate (if you have a valid CA in the Domain, use this option)

  1. On the right under Actions, select Create Domain Certificate.
  2. Enter Common Name.
    • Should be the host name or the fully qualified name that the users will use to connect.
    • Required to match the name of the Web URL for all functions to work.

  3. Enter the Organization, Organizational Unit, City, State and Country. 
  4. Select Next.
  5. Select the Select button and select the Certificate Authority. If you do not see anything to select, create a Self-Signed Certificate.
  6. Enter a Friendly Name. This name will be accessed under Set Web Server Certificate’s Step 8.

 

Create a Self-Signed Certificate (select if the system is not on the domain)

  1. On the right under Actions, select Create Self-Signed Certificate.
  2. Enter a Friendly Name.
    • Should be the host name or the fully qualified name that the users will use to connect.

    • Note that Self-Signed will almost always show a certificate issue, due to a lack of a trust relationship.

 

Set Web Server Certificate

  1. In IIS, expand the Server and Sites.
  2. Select Solarwinds NetPerfMon.
  3. Right-click and select Edit Bindings.
  4. Select Add.
  5. Change Type to https.
  6. IP Address All Unassigned.
  7. Port 443.
  8. SSL Certificate select the certificate Friendly Name.

 

Secure the Site for Authentication Access

  1. Expand the Sites folder to SolarWinds NetPerfMon.
  2. Under IIS, select Authentication.
  3. Disable Anonymous Authentication.
  4. Disable Forms Authentication.
    Note: If your environment requires forms authentication, attempt these configuration changes with forms authentication enabled.
  5. Enable Windows Authentication. 
  6. Click the back button on the top of the screen to return to the SolarWinds NetPerfMon Home view.
  7. Click SSL or SSL Settings.
  8. Click Require SSL.
  9. Click Required under Client Certificates
  10. In Internet Explorer, click Tools -> Internet Options and then add the Orion website to the Local Intranet and Trusted Sites.
  11. Set browser to Orion https target
  12. Use https://<SSLCertificateFriendlyName>/Orion/Login.aspx to navigate to the Orion SSL website.

 

Phase II: SQL Server database change to reflect SSL enabled and new URL

Configure the Orion database to allow SSL

  1. Log in to your Orion server using an account with administrative rights.
  2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
  3. Click Shutdown Everything.
    Note: It may take a few minutes to stop all services.
  4. Click Start > All Programs > SolarWinds Orion > Advanced Features > Database Manager.
  5. Click Add Default Server.
  6. Expand your Orion database in the left pane. Default Database names will be SolarwindsOrion or NetPerfMon.
  7. Right-click the Websites table, and then click Query Table.
  8. Select Execute.
  9. Next you are going to reference back to the SSL Certificate Friendly Name, this name will go into the <ServerName> Field. If you do not know, do not update this column.
  10. Replace the default query with the following query: 
    UPDATE dbo.Websites SET ServerName='servername', Port='443', SSLEnabled=1 WHERE Type='primary'
  11. Click Execute Query.
  12. Right-click the Websites Table again and select Query Table, and Select Execute query.
  13. Verify that the ServerName appears as correct, and a Port is set and if SSL is to be required that it is set to 1.

 

Phase III: Update SolarWinds Services to the new URL

  1. Restart the services so that the Alerting and Reporting System will utilize this new URL for all actions. The Orion Web Link in the start menu will be updated at this same time.
  2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
  3. Click Start Everything.

 

Setup Configuration Wizard for the next use

If you want to make sure that the next person that runs the Configuration Wizard does not undo your changes, please run through the wizard one time.

  1. Go to Start> Programs> Solarwinds Orion> Configuration and Auto-Discovery> Configuration Wizard.
  2. Select Website, and select Next.
  3. In Websites Settings ,change Windows Authentication to Yes to enable Automatic Login.
  4. Select the Checkbox to Skip HTTP Binding.
  5. Select Next. If any dialog displays about a website existing, select Yes.
  6. Select Next to start the Wizard, when Optimize Website shows up, select Skip.

 

Phase IV: Test to make sure it all works

  1. Open a browser on your workstation to the URL.
  2. Enter a domain/User that was already added in Orion.
  3. You should now be at the Summary Screen.

 

Troubleshoot Issues

Configuration Wizard Reports Web Request for /Orion/Login.aspx failed

 

The Configuration Wizard will from here on erroneously report Web Request for /Orion/Login.aspx failed. Ignore this message in Configuration Wizard, it still works. This is due to the Authentication and SSL change in Phase I setup.

 

If you believe that this is an issue, you can go into C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log. Search for Web Request for /Orion/Login.aspx failed. The same line may report No connection could be made because the target machine actively refused it 127.0.0.1:80, this means that Port 80 http is not available. You can enable Port 80 http to have this error disappear.

 

From Phase I

  • If you are seeing the following problems, these are all related to the SSL Certificate Friendly Name not matching the URL, or there is no CA trust. Please re-create the certificate to match the URL that all users will be connecting.
    • Internet Explorer: Red X, There is a problem with this website’s security certificate

    • Google Chrome: Your Connection is not private message

    • Firefox: Untrusted Connection or Your Connection is Untrusted

  • If the SSL Certificate shows as invalid or has a Red X, Export to PDF and Reports may not function correctly. Friendly Name needs to match URL.

 

If you only see a white screen after these steps, you may have missed some steps. Please refer back to Require SSL and change it back to Ignore. The Web Console will load as before.

 

From Phase III

If the user cannot select the Certificate or it does not prompt, it is due to browser settings.

 

Internet Explorer:

  1. Select the Alt Key to bring up the Menu (IE 10 and newer), then select File> Properties.
  2. Look for Zone, this is needed for Step 5.
  3. Select the gear or Settings> Internet Options.
  4. Select the Security Tab.
  5. Select the Zone that was seen in Step 2 and select Custom Level. You can promote the site to Trusted for better security.
    1. Select Close.

    2. Select Add.

    3. Select Sites.

    4. Select Trusted Sites.

  6. Scroll to the bottom, last option is User Authentication.
    1. If the User only has 1 certificate and wants it auto-selected (this will login the account that they are logged on the OS with), select Automatic Logon with current user name and password

    2. If the User wants to select and have a choice for certificates, select Prompt for User name and Password

  7. Refresh or restart the browser. You may need to clear the cache for the change to take effect.

 

Mozilla Firefox (only needed if it fails):

  1. In the Firefox address bar, enter about:config.
  2. In the Filter field, enter network.automatic-ntlm-auth.trusted-uris.
  3. Double-click the Preference Name listed (network.automatic-ntlm-auth.trusted-uris)
  4. In the Enter string value window, enter a comma-separated list of the URLs of the Orion Web Consoles to which you want to enable AD access, as shown in the following:
    https://OrionServer1,http://OrionServer2,https://OrionWANMonitor
  5. Click OK.
    Note: You may need to restart Firefox for this configuration to take effect

 

Everyone else can login except for a few users. If the user sees the following error, Group Policy has blocked the user from accessing the System. IIS leverages the same Authenticate access as if a user was logging into the system.

User is required Interactive Logon for this system.

  1. Open up Group Policy Manager, whether on the System Directly or through GPO.
  2. Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  3. Check Security Settings to ensure that accounts are not denied Login Access.
  4. Other Interactive Login Errors can be referenced back to the Event Log on the Solarwinds Server and the Event ID. Use this Microsoft Page to identify what setting is causing the issue based on the Event ID or Message. Interactive Logon Tools and Settings: Logon and Authentication. (© 2016 Microsoft, available at https://technet.microsoft.com/en-us, obtained on October 28, 2015.)

 

  • If you are prompted for your account username and password after entering your pin, enable Windows Account Automatic Logon. Go to Settings> Web Console Settings> Windows Account Login set to Enable Automatic Login and Select Submit at the bottom. If you repeat this step after running the Configuration Wizard, follow the steps under Setup Configuration Wizard for the next use.
  • If you cannot add any users to the Web Console and your domain is configured with enforcing Smart Card Logon for all users and you are unable to provide a username and password to search the Active Directory, refer to Solarwinds Orion Core: Add Windows account to Web Console when "Force Smart Card logon" is setup on a Forest or Domain.

 

Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.
 

 

Last modified
14:44, 10 Apr 2017

Tags

Classifications

Public