Setup SSL and Enable Smart Card (CAC/PKI) User Authentication for Orion 2017.1+

Version 8

    Author’s Note: This is for Orion Core 2017.1 and higher. For older versions, please go here.


    PURPOSE: Orion uses a self-signed SSL certificate by default. This guide walks through setting up a Domain Certificate or a certificate from a Root CA, and setting up and troubleshooting Smart Card authentication and login. It also covers the additional steps needed for Single Sign-On with Smart Card authentication.




    Please make sure that you have the following set up before following this document.


    It is recommended to enable TLS 1.2 before enabling SSL. The same registry setting should be applied on the SQL Server as well as on the SolarWinds server if an SSL connection to SQL is used.

              A restart is required for the change to take effect.
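    The TLS 1.2 registry change, as an added PowerShell example that is not part of the original guide. It writes the standard SCHANNEL protocol keys for both the Server and Client roles and reads them back; run it on the SolarWinds server and, as the guide says, on the SQL Server too when the SQL connection uses SSL.

```powershell
# Added example (not from the original guide): enable TLS 1.2 in SCHANNEL for both roles.
# The guide only enables TLS 1.2; it does not disable older protocols, and neither does this.
# A reboot is required afterwards, as the guide notes.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

foreach ($role in 'Server', 'Client') {
    $key = Join-Path $base $role
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null          # creates "TLS 1.2" and the role subkey
    }
    # Enabled=1 turns the protocol on; DisabledByDefault=0 lets SCHANNEL offer it without
    # the application asking for it explicitly.
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
}

# Read back both roles so the result can be checked before the restart
foreach ($role in 'Server', 'Client') {
    Get-ItemProperty -Path (Join-Path $base $role) |
        Select-Object @{n='Role';e={$role}}, Enabled, DisabledByDefault
}
```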


    Browsers Tested:

    • Internet Explorer (best to use for testing/verification)
    • Mozilla Firefox
    • Google Chrome
    • Opera, Vivaldi.


    PHASE 1: Create Certificate


    Create the certificate


    IIS certificate creation (SHA1). Create the certificate as follows:

    Go into IIS:

      1. Go into Start> Control Panel> Administrative Tools> Internet Information Services (IIS) Manager
      2. Select the Server
      3. Select Server Certificates

    Create a Domain Certificate (if you have a valid CA in the Domain, use this option)

      1. On the Right under Actions, Select Create Domain Certificate.
      2. Enter Common Name
          • This should be the hostname, the fully qualified domain name, or a name that will become a DNS CNAME that users will connect to.
          • A short name is possible, if you have a CNAME record in the DNS Server to resolve the short name to the Solarwinds Server.
          • The Common Name is required to match the name of the Web URL for all functions to work and for the site to be considered safe and trusted.
      3. Fill in Organization, Organizational Unit, City, State and Country. These fields just need to be filled in; they do not need to be factually correct.
      4. Select Next
      5. Select the Select button and select the Certificate Authority.
        1. If you do not see anything to select, please create a Self-Signed Certificate.
      6. Enter a Friendly Name
        1. This name is used in step 8 of Set Web Server Certificate using IIS, and every time you run the Configuration Wizard on the Website.


    Microsoft Management Console method (SHA256 Support)

    Note: If you want to set up SHA256, please use other online guides for setting up a Certificate Authority certificate template for IIS with SHA256.

         Quick rundown:

      1. Run as a user with certificate creation rights: run Command Prompt as that user, log in, and enter mmc
      2. In the Microsoft Management Console, Select File> Add/Remove Snap-In, Double click Certificates, Computer Account, select Local Computer, Finish.
      3. Click Certificates> Local Computer> Personal> Certificates.
      4. Right Click in the white space on the Right, select All Tasks> Request New Certificate.
      5. Select Next> Active Directory Enrollment Policy, Next
      6. Expand the Web Server Template (or custom Template with Application policies: Server Authentication) Select Properties.
      7. Enter a Friendly Name
        1. Go into Personal> Request a new Personal Certificate.
        2. Select the Certificate Template you created to create a new certificate.
        3. Once it is created, you will now be able to select it as a Certificate in IIS and follow below.



    PHASE 2: Setup IIS


    You have two options: use IIS or the Configuration Wizard. If you do not need to run the Configuration Wizard, skip ahead and use the IIS method instead.


    A: Set Web Server Certificate using Configuration Wizard

    This is preferred if you set up the certificate before running the Configuration Wizard.

    1. Select Enable HTTPS
    2. Select the server's certificate name and make sure you see the check mark.
    3. Let the wizard run



    B: Set Web Server Certificate using IIS

    Note: Do this after completing the Domain Certificate steps.

      1. In IIS, expand out the Server and Sites.
      2. Select Solarwinds NetPerfMon
      3. Right Click and select Edit Bindings
      4. Select Add
      5. Change Type to https (you can remove http)
      6. IP Address should be set to All Unassigned
      7. Port 443
        1. Note: You may be required to enter the fully qualified name into the Host Name field. This is due to a GPO requirement.
        2. Note: Do not select Require Server Name Indication; it can block login. Do not change it unless you know it is required, you have been instructed to, or you have exhausted all other causes of the login failure.
      8. Under SSL Certificate, select the certificate by its Friendly Name



    Secure the Site for Authentication Access

    Author's Note: IIS Manager also shows an Authentication feature at the server level when you first connect. That is a global setting; the steps below are for just the site. The global Authentication setting should not be modified unless you are having issues authenticating users, in which case make the global setting match the site.

      1. Expand the Sites folder to SolarWindsNetPerfMon.
      2. Under IIS, select Authentication.
      3. Disable Anonymous Authentication.
        • When a user goes to the site, they are prompted for the card. With Anonymous Authentication disabled and SSL set to Require, a user who sees the smart card popup and hits cancel gets a 403 Forbidden page. If you want the login screen as a fallback, keep Anonymous Authentication enabled.
      4. Disable Forms Authentication. Note: If your environment requires forms authentication, attempt these configuration changes with forms authentication enabled.
      5. Enable Windows Authentication.
      6. Click the back button on the top of the screen to return to the SolarWindsNetPerfMon Home view.
      7. The next setting is where Smart Card is Enabled/Disabled.
        • Click SSL or SSL Settings.
        • Click Require SSL.
        • Apply at the top Right.
          • Client Certificate option explanation:
            • Ignore:  (Not recommended) Use this when you do not yet have a Smart Card or a user certificate set up.
            • Accept:  (Recommended if user login fails) Change this setting to Accept to test functionality. Test the user both on a workstation and locally on the server (Dameware MRC and Microsoft RDP both support passing Smart Card data to the remote system). It needs to be on Required for full functionality.
            • Required:  (Recommended setting for full compliance)
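    The IIS binding, authentication and SSL settings from "B: Set Web Server Certificate using IIS" and "Secure the Site for Authentication Access", as an added PowerShell example that is not part of the original guide. It uses the WebAdministration module; the site name is the one the guide uses, while the certificate Friendly Name and the Ignore/Accept/Require choice are assumed values to edit.

```powershell
# Added example (not from the original guide): apply steps 3-8 of the binding procedure and
# steps 3, 5 and 7 of the site hardening, then read the result back from IIS.
Import-Module WebAdministration

$SiteName     = 'SolarWinds NetPerfMon'   # IIS site name from the guide
$FriendlyName = 'orion.example.com'       # certificate Friendly Name from Phase 1 (assumed)
$ClientCerts  = 'Require'                 # 'Ignore', 'Accept' or 'Require', as in step 7

# Find the certificate by Friendly Name in the computer's Personal store
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName }
if (-not $cert) { throw "No certificate with Friendly Name '$FriendlyName' in LocalMachine\My" }

# https on 443, all unassigned IPs, no host header (add -HostHeader only if GPO requires it)
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
(Get-WebBinding -Name $SiteName -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# Site-level settings are written as a <location> for this site, not the global defaults
$site = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $SiteName }
$anon = 'system.webServer/security/authentication/anonymousAuthentication'
$win  = 'system.webServer/security/authentication/windowsAuthentication'
Set-WebConfigurationProperty @site -Filter $anon -Name enabled -Value $false   # step 3
Set-WebConfigurationProperty @site -Filter $win  -Name enabled -Value $true    # step 5
# Step 4 (Forms Authentication) is an ASP.NET web.config setting; do it in IIS Manager as described.

# Step 7: Require SSL plus the Client certificates option, expressed as IIS sslFlags
$flags = switch ($ClientCerts) {
    'Ignore'  { 'Ssl' }
    'Accept'  { 'Ssl,SslNegotiateCert' }
    'Require' { 'Ssl,SslNegotiateCert,SslRequireCert' }
}
Set-WebConfigurationProperty @site -Filter 'system.webServer/security/access' -Name sslFlags -Value $flags

# Read back what IIS now holds for the site
[pscustomobject]@{
    Site      = $SiteName
    Binding   = (Get-WebBinding -Name $SiteName -Protocol https).bindingInformation
    Anonymous = (Get-WebConfiguration @site -Filter $anon).enabled
    Windows   = (Get-WebConfiguration @site -Filter $win).enabled
    SslFlags  = (Get-WebConfiguration @site -Filter 'system.webServer/security/access').sslFlags
}
```

    With Require set, a user who cancels the certificate prompt gets the 403 described above; switch $ClientCerts to 'Accept' while testing and back to 'Require' once logins work.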


    Testing to make sure it all works.

      1. Navigate to the Orion SSL website. Use https://<SSLCertificateFriendlyName>/
      2. You will see a certificate popup (depending on the SSL Settings); select the user certificate.
      3. It should then prompt for the card and PIN
        • If you encounter any errors here, see below.
      4. You are now in the Web Console as the User selected.
      5. You should now be at the Summary Screen.
        1. If a certificate error is showing up, or you see a Red X, the name of the certificate does not match the url entered. Click on the Certificate and the "Issued To:" will tell you the URL to use.
        2. If the Certificate shows as a Lock in the browser, you are good to go.
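    A check for step 5 above, as an added PowerShell example that is not part of the original guide: it fetches the certificate the site actually serves and reports whether the URL host matches the certificate's "Issued To" name (Subject CN or a DNS name in the Subject Alternative Name) and whether the chain is trusted on this machine. The URL is an assumed value.

```powershell
# Added example (not from the original guide): does the served certificate match the URL?
function Test-OrionSiteCertificate {
    param([Parameter(Mandatory)][string]$Url)   # e.g. https://orion.example.com/ (assumed)
    $uri = [Uri]$Url
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    # Accept anything during the handshake; the certificate is judged below, not here
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
             [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($uri.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # Names the certificate is valid for: Subject CN plus DNS entries in the SAN extension
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields "DNS Name=a, DNS Name=b"; keep the value after each '='
        $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=', 2)[1] }
    }

    [pscustomobject]@{
        Url          = $Url
        IssuedTo     = $cert.Subject                       # the "Issued To:" field in the browser
        ValidNames   = ($names | Sort-Object -Unique) -join ', '
        NameMatches  = ($names -contains $uri.Host)        # False explains the Red X
        ChainTrusted = $cert.Verify()                      # False means no trust to the CA here
        Expires      = $cert.NotAfter
    }
}

Test-OrionSiteCertificate -Url 'https://orion.example.com/' | Format-List
```

    NameMatches False means the URL users type is not the certificate's Common Name; ChainTrusted False means the issuing CA is not trusted on the machine running the check.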


    PHASE 3: Optional, Additional Configuration


    Default Alert & Report URL Change

    Note: Technically optional: a SQL Server database change to reflect SSL being enabled and the new URL.

    Note: Only needed when the URL is not the fully qualified name of the server.


    You may see the following errors when selecting a URL link:

    • Your connection is not private
    • The issue is that the URL link goes to the hostname, not the FQDN that the certificate uses. This section remediates that problem.
      1. Log on to your Orion server.
      2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Database Manager. (elevated privileges are required to access this application)
      3. Click Add Default Server.
      4. Expand your Orion database in the left pane. Default Database names will be SolarwindsOrion or NetPerfMon.
      5. Right-click the Websites table, and then click Query Table.
      6. Select Execute.
      7. Next, refer back to the SSL certificate Friendly Name; this name goes into the ServerName field.
        1. If you do not know it, do not update this column.
      8. Replace the default query with the following query: UPDATE Websites SET FQDN='', ServerName='', Port='443', SSLEnabled=1 WHERE Type='primary'
      9. Click Execute Query.
      10. Right click on the Websites Table again and select Query Table, and Select Execute query.
      11. Make sure the ServerName is correct, a Port is set, and, if SSL is to be required, SSLEnabled is set to 1.
      12. Make sure to restart the SolarWinds Information Service v3 service so that the alerting and reporting system uses this new URL for all actions. The Orion Web Link in the Start menu is updated at the same time.
      13. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
      14. Select Solarwinds Information Service v3, and select Restart or Stop then Start.
      15. You can verify by selecting the Orion Web Console link under Start.
    • If you only see a white screen after these steps, you may have missed some steps. Refer back to Require SSL and change it back to Accept; the Web Console will load as before. If Accept does not work, change to Ignore, but there may be an underlying issue; check the IIS error in the logs.




    Smart Card Troubleshooting


    Configuration Wizard Reports Web Request for /Orion/Login.aspx failed


    The Configuration Wizard used to erroneously report "Web Request for /Orion/Login.aspx failed". This should have been resolved; if you still see it, choose Ignore for this message in the Configuration Wizard, and the site still works. It is caused by the Authentication and SSL change in the Phase I setup.


    If you believe this is an issue, open C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log and search for "Web Request for /Orion/Login.aspx failed". The same line may report "No connection could be made because the target machine actively refused it"; this means that port 80 (http) is not available, because that was the port set in the Configuration Wizard. Rerun the Configuration Wizard, select SSL for the website, ensure it is port 443, and the error should be gone.


    Issues with Site Certificate:

    Phase 1 configuration problem

      • If you are seeing the following problems, they are all related to the SSL certificate Friendly Name not matching the URL, or to there being no CA trust. Please re-create the certificate to match the URL that all users will be connecting to.
          • Internet Explorer: Red X, There is a problem with this website’s security certificate.
          • Google Chrome: Your Connection is not private message
          • Firefox: Untrusted Connection or Your Connection is Untrusted
        • If the SSL Certificate shows as invalid or has a Red X, Export to PDF and Reports may not function correctly. Friendly Name needs to match URL.

    If you only see a white screen after these steps, you may have missed some steps. Please refer back to Require SSL and change it back to Ignore. The Web Console will load as before.


    Issues with User authentication accessing the login site:

    When troubleshooting, it is best to use Internet Explorer. IE gets all CA information from the domain and is usually set to automatically authenticate as the logged-in user. This section covers user authentication issues and nuances based on the various settings available.

    Note: This is an ever-growing area; as you stray from the default configuration, these nuance issues have been identified as different settings were changed and tested.



    User logs in, cancels at the certificate popup, or selects a certificate and cancels before PIN authentication

    • Somehow the user is logged in to the web console under their AD login:

                 The SSL setting is currently Accept; change it to Require.

    • The Web Console shows a blank screen.
      • Go to the Internet Explorer browser settings check (General Browser Troubleshooting), skipping steps 2-5. User Authentication is incorrectly set to Anonymous logon or Prompt for user name and password.
    • I get a popup for AD authentication, or I go to the Login screen and see the Login page but with the SolarWinds logo as an X.
      • Login is currently set to Automatic logon only in Intranet zone. Change it to Automatic logon with current user name and password.


         User cannot select a certificate in the popup? Which browser is used to log in?

                        Internet Explorer always works, and Chrome does too. Check whether your browser has its own certificate authority store separate from the OS. Firefox does this.



    I attempt to log in as the instructions state; why am I not authenticating?

              This is where you need to make sure that IIS is not denying you, AND that the OS or Group Policy is not blocking the account authentication: the user requires the Interactive Logon right on this system. Please see the SolarWinds NetPerfMon Website IIS Error Code Reference Guide


    After I enter my PIN, I get prompted for my account login with username and password.

              Windows Account Automatic Logon is not enabled.

              Go into Settings> Web Console Settings> Windows Account Login, set it to Enable Automatic Login, and select Submit at the bottom.

              Alternatively, the Website step of the Configuration Wizard also includes the automatic logon option.




    General Browser Troubleshooting

    When diagnosing more general user issues, please follow this guide to help ensure that the site is tied to the correct security zone and that the user is being authenticated properly.


    Google Chrome/Opera/Vivaldi: Follow Internet Explorer browser instructions.


    Microsoft Internet Explorer:

    1. IE 10 and newer: press the Alt key to bring up the menu, then select File> Properties
    2. Look at the Zone of the SolarWinds site to know which Security Zone the user is using; this is needed for step 5
    3. Select the Gear or Settings> Internet Options
    4. Select the Security Tab
    5. Select the Zone that was seen in Step 2 and select Custom Level.
      1. You can promote the site to Trusted for better security
        1. Select Trusted Sites
        2. Select Sites
        3. Select Add
        4. Enter in the URL, or *.Domain
        5. Select Close
    6. Scroll to the bottom, last option is User Authentication.
      1. If the user only has one certificate and wants it auto-selected (this logs in the account the user is logged on to the OS with):
        1. Select Automatic logon with current user name and password
      2. If the user wants to choose between certificates:
        1. Select Prompt for user name and password
    7. Refresh or restart browser. You may need to Clear Cache and/or SSL State for the change to take effect.


    Mozilla Firefox:

    1. In the Firefox address bar, enter about:config.
    2. A warning will show up, select accept
    3. In the Filter field, enter security.enterprise_roots.enabled
      • Firefox versions before 49 use the setting network.automatic-ntlm-auth.trusted-uris. In the Enter string value window, enter a comma-separated list of the URLs of the Orion Web Consoles for which you want to enable AD access, as in the following: https://OrionServer1,http://OrionServer2
    4. Double-click the Preference Name listed security.enterprise_roots.enabled, it should change from False to True
    5. Click OK.
    • Note: You can just refresh the page, and authentication will occur as normal, no restart was required