Wednesday, July 20, 2011

Four SCSM Self-Service Portal Solutions (certificate, redirect, alias)

When accessing the Self-Service Portal, typing https://servername/enduser into the browser address bar isn't acceptable for most organizations. This blog post addresses 4 concerns of the Self-Service Portal and how to resolve them. The information may be common to many IT Professionals; however, it was not common to me, as I have rarely been required to set up IIS sites in the past. I must also mention and thank the source for most of this information, Thomas Bianco, who has challenged me with (I think uncommon) Service Manager questions and answers.

1. Creating a DNS entry for your Self-Service portal
2. Properly creating a certificate to access the Self-Service Portal
3. Automatically redirecting to the end-user portal when typing in that alias
4. Preventing the need to type in https in front of the site name

For each of these steps, we are going to assume the following:
Self-Service Portal Server Name: SCSM01
Website Name we want to use: ServiceManager.domain.local


1. Creating a DNS entry for your Self-Service portal
  1. Log into DNS for your Active Directory Domain
  2. Go to Forward Lookup Zones
  3. Select your domain
  4. Right click on your domain
  5. Select New Alias (CNAME)
  6. In the Alias Name box type "ServiceManager" (Without the quotes)
  7. In the Fully Qualified Domain Box Type "ServiceManager.domain.local" (Without the quotes)
  8. Click Ok
  9. To test, Browse to https://servicemanager/enduser
  10. You will still receive a certificate error, but should be able to click on to the site

2. Properly creating a certificate to access the Self-Service Portal
  1. Log onto your SCSM Self-Service Portal Server
  2. Start > Run > MMC > File > Add/Remove Snap-in
  3. In the list of snap-ins, select Certificates
  4. Click Add
  5. A window should pop up stating "This snap-in will always manage certificates for:"
  6. Select Computer Account > Next
  7. Select "Local Computer" > Next
  8. Finish
  9. Ok
  10. Expand Certificate (Local Computer) > Personal > Certificates
  11. Right Click > Request New Certificate
  12. Select the Certificate Enrollment Policy
  13. Next
  14. On the enrollment policy click the link labeled "More information is required to enroll for this certificate. Click here to configure settings."
  15. On the Subject tab, on the dropdown box under Type: Populate each field and add them as necessary
  16. Under Alternative name, under Type:  Select DNS
  17. Type in all the names that could be used to access the SSP. For example servicemanager, servicemanager.domain.local, SCSM01, SCSM01.domain.local
  18. Click Add
  19. Select the General Tab and populate the fields
  20. Select the Private Key Tab > Key Options. Check the box "Make private key exportable"
  21. Select the Certificate Authority Tab
  22. Select the correct certificate authority for your organization
  23. OK
  24. Back on the Certificate Enrollment Window check the "Web Server" box
  25. Click Enroll
Update the SSP with the new certificate
  1. Go to IIS Manager
  2. Select SCSMPortal
  3. Select Bindings
  4. On the HTTPS binding, click edit
  5. In the SSL certificate box, select your new certificate
  6. Click OK
  7. Click Close
The Certificate Error on the Self-Service Portal should no longer exist.
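
The certificate error seen after the CNAME step comes from name matching: the browser compares the name typed in the address bar with the certificate's DNS alternative names. The following is an added example, not part of the original post, that checks which of the post's four names a given SAN list leaves uncovered; the SAN lists are constructed samples.

```python
def san_matches(hostname, san):
    """True if one SAN dNSName entry covers the name typed into the browser."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a short name never matches an FQDN entry, or vice versa
    if pat[0] == "*":
        # A wildcard stands for exactly one leftmost label of a multi-label name.
        # Partial-label wildcards such as "s*.domain.local" are treated as literals.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def uncovered_names(san_list, names):
    """Names users may type that no SAN entry covers (each one is a certificate error)."""
    return [n for n in names if not any(san_matches(n, s) for s in san_list)]


# The four names listed in step 17 of the post.
PORTAL_NAMES = ["servicemanager", "servicemanager.domain.local",
                "SCSM01", "SCSM01.domain.local"]

# Constructed SAN lists for illustration (not read from a real certificate).
SERVER_ONLY = ["SCSM01.domain.local"]   # certificate issued for the server FQDN only
WILDCARD = ["*.domain.local"]           # a wildcard still misses the short names
FULL = list(PORTAL_NAMES)               # what step 17 asks for


def report():
    """Uncovered names for each constructed certificate."""
    return {
        "server-only": uncovered_names(SERVER_ONLY, PORTAL_NAMES),
        "wildcard": uncovered_names(WILDCARD, PORTAL_NAMES),
        "full": uncovered_names(FULL, PORTAL_NAMES),
    }


if __name__ == "__main__":
    for label, missing in report().items():
        print(label, "->", missing or "all names covered")
```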


3. Automatically redirecting to the end-user portal when typing in that alias
  1. Open IIS Manager
  2. Select SCSMPortal
  3. Double Click HTTP Redirect (If HTTP Redirect is not installed, go to Roles, Add Features, Select HTTP Redirect)
  4. Check the box "Redirect requests to this destination"
  5. Type in "enduser\" (Without the quotes)
  6. Under redirect behavior make sure "Redirect all requests to exact destination" is UNCHECKED
  7. Under redirect behavior make sure "Only redirect requests to content in the directory" is CHECKED
  8. In the Status Code Select "Found (302)"
  9. Click Apply
  10. Go to the Analyst and enduser virtual directories under SCSMPortal
  11. Select HTTP Redirect
  12. Make sure "redirect requests to this destination" is UNCHECKED
  13. To Test type in https://servicemanager
  14. You should automatically be redirected to https://servicemanager/enduser

4. Preventing the need to type in https in front of the site name

From Thomas:
[A Client] had a requirement to silently redirect users from their HTTP support site to the new HTTPS. It took me a few hours, but I found out an easy way to do this without redirecting to an absolute path that would break outside access through the firewall. First, I’m using the same redirect we worked out at [Client], then adding in the URL rewrite add-in from http://www.iis.net/download/URLRewrite. The HTTP redirect moves users who hit the website root down to the enduser virtual directory, and the rewrite directives move connections from HTTP to HTTPS. The only downside is that people going to the root with HTTP get redirected twice, which takes about 1-4 seconds... Feel free to steal this for your blog.

Here's how:
  1. Open IIS Manager
  2. Select SCSMPortal
  3. Select bindings
  4. Click Add
  5. Type: http
  6. IP address: All unassigned
  7. Port: 80
  8. Host Name: Leave Blank
  9. Click OK
  10. If you get a warning about Port 80 being in use on the default website, you may want to stop the default website or remove the binding from the default website
  11. Click Close
  12. Install the URL Rewrite utility from http://www.iis.net/download/URLRewrite
  13. Browse to the directory of the SCSM Portal
  14. Backup the web.config file
  15. Open the Web.config file
  16. Paste in the following and save the web.config file:
    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
      <system.webServer>
        <httpRedirect enabled="true" destination="enduser/" childOnly="true" />
        <rewrite>
          <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
              <match url="(.*)" /> <!-- Require SSL must be OFF in the site settings -->
              <conditions>
                <add input="{HTTPS}" pattern="off" ignoreCase="true" />
              </conditions>
              <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
            </rule>
          </rules>
        </rewrite>
      </system.webServer>
    </configuration>

To test, simply type servicemanager into your browser. You should be redirected. 
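
To confirm the result hop by hop rather than by eye, the following added example (not part of the original post or Thomas's configuration) walks a redirect chain and flags any hop that leaves HTTPS or switches to a different host name, which is the absolute-redirect behaviour Thomas set out to avoid. The response tables are constructed, the order of the two hops is an assumption, and `fetch_hop` is a hypothetical helper for use against a live site.

```python
import http.client
from urllib.parse import urljoin, urlsplit

def fetch_hop(url, timeout=5):
    """One HEAD request, redirects not followed; HTTPS uses default certificate checks."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=fetch_hop, max_hops=5):
    """Follow Location headers one hop at a time and return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain

def audit(chain, landing="/enduser"):
    """Return findings for a chain; an empty list means it behaves as the post intends."""
    start, end = urlsplit(chain[0]), urlsplit(chain[-1])
    findings = []
    for url in chain[1:]:
        hop = urlsplit(url)
        if hop.scheme != "https":
            findings.append(f"plain-HTTP hop: {url}")
        if hop.hostname != start.hostname:
            findings.append(f"host changed to {hop.hostname}: {url}")
    if end.scheme != "https" or end.path.rstrip("/").lower() != landing:
        findings.append(f"did not end on https {landing}: {chain[-1]}")
    return findings

# Constructed responses, not captured from a real server; hop order is assumed.
# RELATIVE_SITE models the web.config above, ABSOLUTE_SITE a full-URL destination.
RELATIVE_SITE = {"http://servicemanager/": (302, "https://servicemanager/"),
                 "https://servicemanager/": (302, "enduser/"),
                 "https://servicemanager/enduser/": (200, None)}
ABSOLUTE_SITE = {"https://servicemanager/": (302, "https://scsm.systemcenter.local/enduser"),
                 "https://scsm.systemcenter.local/enduser": (200, None)}

def demo(site, start):
    return audit(trace(start, fetch=site.__getitem__))
```

Against a live portal, call `audit(trace("http://servicemanager/"))` from a client that resolves the alias; a certificate that does not cover the name raises an error at the first HTTPS hop.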

Monday, July 11, 2011

Changing SCSM Portal Address

Great article on changing the SCSM portal Address
http://memoexp.wordpress.com/2011/03/30/changing-scsm-portal-address/



Ever have a customer request that they want the Self Service Portal to be a specific address, different from the one you’ve initially set up? Well, it's not possible to change the URL. However what you can do is set up a CNAME in your DNS to accomplish this goal. Here is how to do it.

1. Go to the DC. Open up DNS under Administrative Tools. Under the DC, expand Forward Lookup Zones, then right click the folder with the domain name, select New Alias (CNAME).

2. Under Alias Name, type in the portal URL that you want. Then under target host, drill down and browse to your portal host name, which in my case is SCSM. Click Ok.

3. Go to the server on which the Portal is installed. Launch IIS Manager, go to the Portal Sites, in my case, SCSMPortal, click on Bindings on the right panel.

4. Click Add.

5. Select Type as https, IP address as All Unassigned, Port as 443. Then select the SSL certificate. Click Ok.

6. While highlighting your portal on the left pane, in my case SCSMPortal, Double click HTTP Redirect.
Note! HTTP Redirect is not installed by default for IIS7. To install it, go to Server Manager > Roles > Web Server (IIS), look for Add Role Services, you’ll find that you will have the option to install HTTP Redirection.

7. Check Redirect requests to this destination. Key in the full address of the Portal Site, click Apply on the right pane. If you’re not sure, it's https:// + Full Computer Name + /enduser. So for my case it is https://scsm.systemcenter.local/enduser
(To get your Full Computer Name, Right click My Computer > Properties. You’ll see it there.)

8. Browse to the new URL which in my case is https://servicemanager, the portal should launch without problems.

P/s If you’re getting password prompts when using the new URL, then highlight the portal on the left pane, and double click on Authentication. Select Basic Authentication and click on Enable on the right pane. Try using the new URL again, you shouldn’t get any prompts now.