CCS Web Console Configuration Best Practices

Article ID: 180721

Updated On:

Products

Control Compliance Suite Windows

Issue/Introduction

 

Resolution

 

About the Control Compliance Suite Web Console prerequisite and settings

This article explains the following:

Note: CCS requires Service Principal Names (SPN) to be configured for other services. In the context of Web portals, all SPN references in this document are related to HTTP SPNs.

 

Prerequisites for Web Console settings

 

 

Settings

Action

Internet Explorer (IE)

To configure IE settings, do the following:

  • Add the CCS Web portal URL to the Local intranet.
  • Enable Windows Integrated Authentication.
  • Do one of the following:
    • Enable Automatic logon with current user name and password.
    • Enable Automatic logon only in Intranet zone.
  • Enable Active scripting for JavaScript execution.

Internet Information Services (IIS)

On Windows Server 2008, the options Windows Authentication and Static Content Compression must be checked.

 

If they are not, do the following:

  • Go to Start > Administrative Tools > Server Manager > Roles > Web Server (IIS).
  • In the Web Server (IIS), click the Add Role Services link.
  • In the Select Role Services dialog box, do the following:
    • Go to Security (Installed) and check Windows Authentication.
    • Go to Performance (Installed) and check Static Content Compression.

Computer

To register the application with IIS, do the following:

  • Windows Server 2003 (32-bit): %systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i -enable
  • Windows Server 2003 (64-bit):

On a 64-bit computer, you must set the option 'Enable32BitAppOnWin64' to true before installation.

    • To set the option to true, do the following:

cscript.exe %systemdrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/AppPools/Enable32BitAppOnWin64 true

    • To install the application, do the following:

%systemroot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i -enable

    • To register the IIS components, do the following:

C:\WINDOWS\Microsoft.NET\Framework64

  • On Windows Server 2008, you can install the application on either a 32-bit or a 64-bit computer. To do this, you can set the role services for Web Server (IIS) through the Server Manager on the same computer.

 

Prerequisites for Active Directory settings

Service Principal Name (SPN)

Configuration | Service account SPN | Computer account SPN | Enable computer for delegation
Windows 2003 (IIS 6) | Yes | NA | NA
Windows 2008 (IIS 7) and Windows 2008 R2 (IIS 7.5), Kernel mode disabled | Yes | NA | NA
Windows 2008 (IIS 7) and Windows 2008 R2 (IIS 7.5), Kernel mode enabled | NA | Yes (Conditional option) | Yes (Conditional option)

To configure SPN for Service account, execute the following commands:
  • SetSpn.exe -a http/<Application_Server_NetBIOS_name> DomainName\UserName
  • SetSpn.exe -a http/<Application_Server_Fully_qualified_name> DomainName\UserName
To configure SPN for Host, execute the following commands:
  • SetSpn.exe -a http/<Application_Server_NetBIOS_name> <Application_Server_NetBIOS_name>
  • SetSpn.exe -a http/<Application_Server_Fully_qualified_name> <Application_Server_NetBIOS_name>
Note: Computer account SPN is required in case you are not using the default HTTP path. For more information, visit: http://support.microsoft.com/kb/929650.
Enable computer for delegation only if the Directory Server and the Application server are on different computers.
To enable computer for delegation, do the following:
  • Go to Active Directory Users and Computers > Domain > Computers and select the IIS server.
  • Right-click the server, select Properties, and then select Delegation.
  • Select Trust this Computer for delegation to any service (Kerberos only).
Note: This option appears only if the domain functional level is Windows Server 2003.
Troubleshooting
Best practices for responding to common SPN-related issues.
Detecting duplicate SPNs or incorrect SPNs

  1. Open ADSIEdit.
  2. In the Server name text box, enter a domain name and enter 389 as the port.
  3. In the Naming context text box, specify the DN of the domain.
     For example, DC=mydomain, DC=microsoft, DC=com
  4. Right-click Connection and create a new query.
  5. Select Domain as the root for the search, Query scope = subtree search, and Query string = servicePrincipalName=<Service name>/<machine name>
  6. Repeat step 5 for each Service name (http, Symantec.CSM.AppServer, and Symantec.CSM.DSS) and for each computer name (the NetBIOS computer name and the FQDN).
     For example, servicePrincipalName=Symantec.CSM.AppServer/CCSAppservermachine
Each query should return exactly one entry. More than one entry indicates a duplicate SPN; no result means that no SPN is set.
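
The ADSIEdit query above, scripted as an added example (it is not part of the original article or of the product): it runs the servicePrincipalName search for each service name and both host-name forms, reports missing or duplicate SPNs, and shows whether the account holding each SPN carries the delegation setting described in the delegation steps. The host names are placeholders, and the script assumes PowerShell 3.0 or later on a domain-joined computer.

```powershell
# Added example: scripted version of the ADSIEdit SPN query. Not from the original article.
param(
    [string]$NetBiosName = 'CCSAPPSERVER',                  # placeholder host name
    [string]$Fqdn        = 'ccsappserver.mydomain.example'  # placeholder FQDN
)

# Service names the article says to check.
$serviceNames = 'http', 'Symantec.CSM.AppServer', 'Symantec.CSM.DSS'

# userAccountControl bit set by "Trust this computer for delegation to any service (Kerberos only)".
$TrustedForDelegation = 0x80000

$report = foreach ($service in $serviceNames) {
    foreach ($hostName in $NetBiosName, $Fqdn) {
        $spn = "$service/$hostName"

        # Same search as steps 4-5: current domain as root, subtree scope, filter on servicePrincipalName.
        $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
        $searcher.SearchScope = 'Subtree'
        [void]$searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'useraccountcontrol'))
        $holders = @($searcher.FindAll())

        # Exactly one holder is correct; none means the SPN is not set; several means a duplicate.
        $status = switch ($holders.Count) {
            0       { 'MISSING' }
            1       { 'OK' }
            default { 'DUPLICATE' }
        }

        [pscustomobject]@{
            SPN     = $spn
            Status  = $status
            Holders = ($holders | ForEach-Object { $_.Properties['samaccountname'][0] }) -join ', '
            # True when at least one holder is trusted for delegation to any service.
            TrustedForDelegation = [bool]($holders | Where-Object {
                $_.Properties['useraccountcontrol'][0] -band $TrustedForDelegation })
        }
    }
}

$report | Format-Table -AutoSize
```

Compare the Holders column with the SPN table: the holder should be the service account or the computer account that the table calls for in your IIS configuration.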
 
Resetting the application pool to view the new fields on the Web console
  • Open IIS manager snap-in.
  • Click Application pools.
  • Recycle CCS web pools.
 
Distinguishing SPN-related issues from other Web portal issues
  • Issues with launching the Web portal are not related to SPN.
  • The Policy module is the only workspace that requires SPN.
  • The Dashboard uses netTCP to communicate with the database.