Unable to log in to the Orion Web Console using Smart Card Authentication

Updated September 14, 2018

Overview

When you try to log in to the SolarWinds Orion Web Console using Smart Card Authentication to retrieve your scheduled reports, the procedure fails. 

Most government or Department of Defense (DoD) users require Smart Card Authentication to comply with the Defense Information Systems Agency (DISA) and Security Technical Implementation Guide (STIG) rules on authentication and security.

Environment

  • Any Core product used with Smart Card Authentication and Microsoft Internet Information Service (IIS).

Cause 

  • The Report Scheduler task is performed by the Orion Module Engine, which runs under the Local System Account. This account does not support Smart Card Authentication.
  • The Orion Report Scheduler requires Forms authentication to be enabled within Microsoft IIS.
  • When Smart Card Authentication is used, only Windows Authentication can be enabled by default, for compliance purposes.

Resolution

Create a second SolarWinds website on a custom port within IIS that can only be accessed internally on the server by authenticated users and built-in Microsoft system accounts. (© 2018 Microsoft Corporation., available at http://www.microsoft.com/, obtained on September 14, 2018)

This workaround is compliant with the requirements mentioned in this article.

  1. Log in to your SolarWinds server.
  2. Open Microsoft IIS.
  3. Rename your current SolarWinds NetPerfMon website.
    For example:
    SolarWinds (CAC)
  4. Open the SolarWinds Configuration Wizard.
  5. Select website only, and click Next.
  6. In the Website Settings window, enter a port number that is not identical to the SolarWinds (CAC) website port.
  7. Select an SSL certificate to use for the new website. 
    The certificate can be the same as your SolarWinds CAC website.
  8. Click Next to create a new website.
  9. Complete the wizard. 
  10. Open Microsoft IIS.
    You now have two SolarWinds websites using the same application pools, website directories, and files as your SmartCard-approved website.
  11. On the SolarWinds (CAC) website, configure your Smart Card Authentication.
    See Set up Smart Card (CAC/PKI) user authorization and STIG security for Orion 2017.1+ for details. 
  12. Access the IIS Authentication Settings. 
    See Security Authentication <authentication> for details. (© 2018 Microsoft Corporation., available at http://www.microsoft.com/, obtained on September 14, 2018)
  13. Enable Forms Authentication for the SolarWinds NetPerfMon website. 
    This process allows you to receive scheduled reports. 
  14. Configure the SolarWinds Report Scheduler to use your SolarWinds NetPerfMon website for sending scheduled reports.
  15. Open Database Manager or any database management tool.
  16. Navigate to:
    dbo.Websites
  17. Open the websites table.
    Note the WebsiteID in this table for the SolarWinds NetPerfMon website, which uses custom port 444 (or the port you entered in step 6).
  18. In database manager, open the dbo.ReportJobs table.
  19. Set the last column, 'WebsiteID', to the ID of the SolarWinds NetPerfMon website, which has Forms authentication enabled.
    When you send a report, it will be sent using the Website that allows forms authentication. Also, the Module Engine will now be able to log in to the website and generate the report.
  20. In the Orion Web Console, navigate to Settings > Manage Reports > Schedule Manager > Edit Schedule.
  21. Edit your running report schedules and change the account used for running the reports to an Orion account. 
  22. For additional security, SolarWinds recommends editing the bindings of the non-CAC website so the site can only be accessed when you are logged in to the SolarWinds server. When completed, only users who have remote desktop access to the SolarWinds server can access this non-CAC-compliant website, because the website does not respond to any connection other than localhost or 127.0.0.1.
  23. Click OK to save your changes. 
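
To confirm the binding restriction from step 22, the following added example (not part of the SolarWinds article or product) lists the http/https bindings of the Forms-authentication website and flags any that are not limited to a loopback address. The site name and the helper function Test-LoopbackBinding are assumptions for illustration; use the name shown in IIS Manager.

```powershell
# Added example: audit that the Forms-authentication site listens on loopback only.
# Run in an elevated PowerShell session on the SolarWinds server.
Import-Module WebAdministration

$SiteName = 'SolarWinds NetPerfMon'   # assumed name; adjust to your IIS site

# Hypothetical helper: returns $true only when the binding's IP is a loopback address.
function Test-LoopbackBinding {
    param([Parameter(Mandatory)][string]$BindingInformation)
    # IIS http/https bindingInformation has the form "IP:port:hostheader",
    # with IPv6 addresses in brackets, for example "[::1]:444:".
    if ($BindingInformation -notmatch '^(?<ip>\[[^\]]+\]|[^:]*):(?<port>\d+):(?<host>.*)$') {
        throw "Unrecognized binding format: $BindingInformation"
    }
    $ip = $Matches.ip.Trim('[', ']')
    # "*" or an empty IP means "All Unassigned", which answers remote clients.
    # A host header of "localhost" on such a binding does not restrict access,
    # so it is deliberately reported as not loopback-only.
    if ($ip -eq '*' -or $ip -eq '') { return $false }
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) { return $false }
    return [System.Net.IPAddress]::IsLoopback($parsed)
}

$findings = Get-WebBinding -Name $SiteName |
    Where-Object { $_.protocol -in 'http', 'https' } |
    ForEach-Object {
        [pscustomobject]@{
            Protocol     = $_.protocol
            Binding      = $_.bindingInformation
            LoopbackOnly = Test-LoopbackBinding $_.bindingInformation
        }
    }

$findings | Format-Table -AutoSize

if (-not $findings) {
    Write-Warning "No http/https bindings found for '$SiteName'."
} elseif ($findings.LoopbackOnly -contains $false) {
    Write-Warning "'$SiteName' has a binding that is not restricted to loopback."
}
```

A binding such as 127.0.0.1:444: is reported as loopback-only, while *:444: produces the warning.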
 
Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.