HTTP 500 error when you connect to the Operations Manager web console remotely
This article provides a resolution to solve the HTTP 500 error that occurs when you connect to the Operations Manager web console remotely.
Original product version: System Center Operations Manager
Original KB number: 4487099
Symptoms
You install a stand-alone Operations Manager web console on a server. When you connect to the web console at http://<web_host>/OperationsManager from a remote computer, you receive the following error message:
500 - Internal server error.
This issue doesn't occur if you connect to the web console from the web console server.
Resolution
To fix the issue, perform the following configurations and verifications, and then connect to the web console again:
- Register the SDK SPNs.
- Verify the SDK SPNs.
- Register the HTTP SPNs.
- Verify the HTTP SPNs.
- Configure constraint delegations.
- Verify "Account is sensitive and cannot be delegated" isn't set.
- Disable Kernel-mode authentication in IIS.
Note
The following sample names are used in the configuration and verification steps. You have to replace them with the names in your environment.
- SCOMMS.Lab.Local - The fully qualified domain name (FQDN) of the System Center Operations Manager (SCOM) management server
- SCOMWeb.Lab.Local - The FQDN of the server that hosts the SCOM Web console
- Lab\SDKSvc - SCOM Data Access Service account (Optional)
- Lab\SCOMAppPool - SCOM Application Pool Identity account (Optional)
https://mySCOM.Lab.Local/OperationsManager- URL that's used to access the Operations Manager Web console (If there's no URL, substitute this with the Operations Manager Web console server name.)
SDK SPNs
Register the SDK SPNs
To register the System Center Data Access (SDK) Service Principal Names (SPNs), run the following commands according to different scenarios:
Scenario 1
The SDK service runs under a LocalSystem account
Setspn.exe -S MSOMSdkSvc/SCOMMS SCOMMS Setspn.exe -S MSOMSdkSvc/SCOMMS.Lab.Local SCOMMSScenario 2
The SDK service runs under a domain account (SDKSvc)
Setspn.exe -S MSOMSdkSvc/SCOMMS SDKSvc Setspn.exe -S MSOMSdkSvc/SCOMMS.Lab.Local SDKSvc
Verify the SDK SPNs
To verify if the SDK service is registered, run the following command according to different scenarios:
Scenario 1
The SDK service runs under a LocalSystem account
Setspn.exe -L SCOMMSScenario 2
The SDK service runs under a domain account (SDKSvc)
Setspn.exe -L SDKSvc
HTTP SPNs
Register the HTTP SPNs
To register the HTTP SPNs, run the following commands according to different scenarios:
Scenario 1
The Web console application pool runs under the default identity (ApplicationPoolIdentity)
Setspn.exe -S HTTP/mySCOM SCOMWeb Setspn.exe -S HTTP/mySCOM.Lab.Local SCOMWebScenario 2
The Web console application pool runs under a custom identity (Lab\SCOMAppPool)
Setspn.exe -S HTTP/mySCOM SCOMAppPool Setspn.exe -S HTTP/mySCOM.Lab.Local SCOMAppPool
Verify the HTTP SPNs
To verify if the HTTP service is registered, run the following command according to different scenarios:
Scenario 1
The Web console application pool runs under the default identity (ApplicationPoolIdentity)
Setspn.exe -L SCOMWebScenario 2
The Web console application pool runs under a custom identity (Lab\SCOMAppPool)
Setspn.exe -L SCOMAppPool
Configure constraint delegations
To configure constraint delegations, follow these steps:
Start the Active Directory Users and Computers console.
In the console tree, select Computers.
Open the properties according to different scenarios:
Scenario 1: The Operations Manager web application pool runs under the default identity (ApplicationPoolIdentity)
Right-click the computer where the web console is installed (SCOM Web) and select Properties.
Scenario 2: The Operations Manager web application pool runs under a custom identity (Lab\SCOMAppPool)
Right-click the user that's configured on the custom identity (Lab\SCOMAppPool) and select Properties.
In the details pane, select Delegation.
On the Delegation tab, select Trust this computer for delegation to specified services only, and then select one of the following options accordingly:
Kernel-mode authentication is enabled: Use any authentication protocol
Kernel-mode authentication is disabled: Use Kerberos only
For more information, see Disable Kernel-mode authentication in IIS.
Select Add.
In the Add Services dialog box, select Users or Computers.
In the Select Users or Computers dialogue box, specify the account according to different scenarios:
Scenario 1: The SDK service runs under a LocalSystem account
Select the computer account of the SCOM management server (SCOMMS) and select OK.
Scenario 2: The SDK service runs under a domain account (SDKSvc)
Select the domain account that the SDK service runs under and select OK.
In the Add Services dialog box, select the service type MSOMSdkSvc and then select OK.
Select OK to close the Properties dialog box.
Verify "Account is sensitive and cannot be delegated" isn't set
To verify that the user logging into the Web console doesn't have Account is sensitive and cannot be delegated set, follow these steps:
- Start the Active Directory Users and Computers console.
- Right-click the user account that's used to connect to the Web console, and then select Properties.
- Select Account.
- In the Account options dialogue box, confirm that the Account is sensitive and cannot be delegated checkbox isn't selected.
Disable Kernel-mode authentication in IIS
To disable Kernel-mode authentication for both MonitoringView and OperationsManager in IIS, follow these steps:
- In IIS Manager, navigate to Default Web Site\MonitoringView.
- Double-click Authentication.
- Select Windows Authentication.
- In the Actions pane on the right, select Advanced Settings.
- Clear the Enable Kernel-mode authentication checkbox.
- Navigate to Default Web Site\OperationsManager, and repeat steps 2 through 5.