Author's Note: This documentation is valid for Orion Core 2010.1 through Orion Core 2016.2. This is a legacy document and is no longer maintained.
For Orion Core 2017.1, please see SETUP SMART CARD (CAC/PKI) USER AUTHENTICATION FOR ORION WEB CONSOLE. SSL configuration is built into the Configuration Wizard in Orion 2017.1, and that newer document covers the changes.
PURPOSE: This is a start-to-finish guide to setting up SSL on the Orion Web Console (with a self-signed certificate, a domain certificate, or a certificate from a root CA), and to setting up and troubleshooting Smart Card (CAC/PKI) authentication and login.
ISSUE: Smart Card authentication requires a secure (HTTPS) connection, so SSL must be configured on the Orion Web Console first.
RESOLUTION: Follow these steps to enable Smart Card authentication.
Designed for Windows Server 2008 R2, 2012, and 2012 R2.
PREREQUISITES: Make sure the following are in place before starting this document:
Note: After the changes in this KB are applied, remember that the next time you run the Configuration Wizard you must select Skip HTTP Binding under Website Settings. If you forget (this is also covered in the documentation below), the wizard re-creates the non-SSL HTTP binding, and Secure the Site for Authentication Access and Phase II will need to be redone.
Go into IIS:
Create a Domain Certificate (use this option if you have a valid CA in the domain)
Create a Self-Signed Certificate (use this option if the system is not on the domain)
Having completed the Self-Signed or Domain Certificate steps:
Secure the Site for Authentication Access
Phase II: SQL Server database change to reflect SSL enabled and new URL
Configure the Orion database to allow SSL
Known Issue Note: Orion Core 2015.1.3 currently has a bug: if you run the Configuration Wizard on the Web Console, or if you upgrade or add a module, the original non-SSL site is re-enabled (steps 1-14 below).
Phase III: Testing to make sure it all works.
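The three phases above as one script. This is an added example written for this page, not the KB's own steps or a SolarWinds tool; it uses the IIS WebAdministration cmdlets to do what the outline describes. Everything named below that the page does not state is an assumption to verify before running: the IIS site name 'SolarWinds NetPerfMon', the original HTTP port 8787, HTTPS on 443, the hostname orion.example.mil, the SQL instance ORIONSQL, the database SolarWindsOrion, and the Websites table columns SSLEnabled, SSLPort, and Hostname. Run it elevated on the Orion web server; New-SelfSignedCertificate needs Windows Server 2012 or later, and Invoke-Sqlcmd needs the SqlServer or SQLPS module.

```powershell
# Added example (not from the original KB): PowerShell equivalent of Phases I-III.
# ASSUMPTIONS (verify first): site name, ports, hostname, SQL instance/database and
# Websites column names below are not stated on the page.
Import-Module WebAdministration

$SiteName  = 'SolarWinds NetPerfMon'   # assumed Orion IIS site name
$HostName  = 'orion.example.mil'       # assumed FQDN users browse to
$HttpPort  = 8787                      # assumed original non-SSL port
$HttpsPort = 443
$SqlServer = 'ORIONSQL'                # assumed
$Database  = 'SolarWindsOrion'         # assumed

# ---- Phase I: certificate ------------------------------------------------------
# Prefer a domain-issued certificate already in the machine store (the page's
# "Domain Certificate" option); fall back to self-signed only off-domain.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No domain certificate for $HostName found; creating a self-signed one."
    $cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation Cert:\LocalMachine\My
}

# ---- Phase I: HTTPS binding with that certificate, then drop plain HTTP ----------
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort -IPAddress '*'
}
(Get-WebBinding -Name $SiteName -Protocol https -Port $HttpsPort).AddSslCertificate($cert.Thumbprint, 'my')
# The Configuration Wizard re-adds this binding unless you choose Skip HTTP Binding.
Remove-WebBinding -Name $SiteName -Protocol http -Port $HttpPort

# ---- Phase I: secure the site for authentication access ------------------------
# Require SSL and a client certificate (the CAC), disable Anonymous, enable Windows auth.
$common = @{ PSPath = 'IIS:\'; Location = $SiteName }
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name enabled -Value $true

# ---- Phase II: tell Orion its own URL is now HTTPS -------------------------------
# Table and column names are assumptions; confirm against your Orion schema first.
$sql = @"
UPDATE dbo.Websites
   SET SSLEnabled = 1, SSLPort = $HttpsPort, Hostname = '$HostName'
 WHERE Port = $HttpPort;
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query $sql

# ---- Phase III: verify before handing the console to users -----------------------
function Test-Port([string]$Computer, [int]$Port) {
    # Plain TCP connect check; works on PowerShell 2.0+ (no Test-NetConnection needed).
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Computer, $Port); $true } catch { $false } finally { $client.Close() }
}
$access = Get-WebConfiguration @common -Filter 'system.webServer/security/access'
$anon   = Get-WebConfiguration @common -Filter 'system.webServer/security/authentication/anonymousAuthentication'
$bound  = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $HttpsPort }
[ordered]@{
    'HTTPS port reachable'    = Test-Port $HostName $HttpsPort
    'old HTTP port closed'    = -not (Test-Port $HostName $HttpPort)
    'client cert required'    = "$($access.sslFlags)" -match 'SslRequireCert'
    'anonymous auth disabled' = -not $anon.enabled
    'cert bound to HTTPS'     = @($bound.Thumbprint) -contains $cert.Thumbprint
} | Format-Table -AutoSize
```

Every check in the Phase III table should read True before users are pointed at the new URL; a False on "old HTTP port closed" after a later wizard run is the symptom described in the Known Issue Note above. The script does not configure how IIS maps the CAC certificate to a Windows account, because the page does not say which mechanism your domain uses; confirm that separately before testing logins.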
You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
At any time, the USG may inspect and seize data stored on this IS.
Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
This IS includes security measures (e.g., authorization and access controls) to protect USG interests--not for your personal benefit or privacy.
Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
At this time we do not have direct documentation on how to modify the IIS site to show the DoD classification banner (Unclassified, Confidential, Secret, TS/SCI) at the top. A few customers have set up a DoD classification bar at the top over the years; when I receive details on how this was accomplished, this area will be updated.
Configuration Wizard reports "Web Request for /Orion/Login.aspx failed"
From here on, the Configuration Wizard will erroneously report Web Request for /Orion/Login.aspx failed. Ignore this message; the wizard still completes. It is caused by the authentication and SSL changes made in Phase I.
If you want to confirm this, open C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log and search for Web Request for /Orion/Login.aspx failed. If the same line also reports No connection could be made because the target machine actively refused it 127.0.0.1:80, the wizard is simply being refused on port 80 (HTTP), which is no longer bound. Re-enabling an HTTP binding on port 80 makes the error disappear, but that re-exposes the Web Console over plain HTTP.
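The log check described above, as an added example written for this page rather than anything shipped with Orion: it pulls every Web Request for /Orion/Login.aspx failed entry from ConfigurationWizard.log and labels the ones that are just the port-80 refusal. The log path is the one the page gives; the two sample lines are constructed for illustration (their timestamps and layout are not real wizard output) so the check runs even without a log file present.

```powershell
# Added example (not from the KB): classify "Web Request for /Orion/Login.aspx failed" entries.
$LogPath = 'C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log'
$Pattern = 'Web Request for /Orion/Login\.aspx failed'

function Get-LoginRequestFailures([string[]]$Lines) {
    # One object per matching line, with a verdict on whether it is the expected post-Phase-I noise.
    foreach ($line in ($Lines | Where-Object { $_ -match $Pattern })) {
        $verdict = if ($line -match 'actively refused it 127\.0\.0\.1:80') {
            'Expected after Phase I: nothing listens on HTTP port 80. Safe to ignore; re-adding an HTTP binding silences it but re-exposes the console over plain HTTP.'
        } else {
            'Unexpected: not the port-80 refusal. Investigate the web site before continuing.'
        }
        [pscustomobject]@{ Verdict = $verdict; Line = $line }
    }
}

# Constructed sample lines (not real log content) so the function can be exercised offline.
$sample = @(
    '2016-05-10 09:12:01,233 Web Request for /Orion/Login.aspx failed: No connection could be made because the target machine actively refused it 127.0.0.1:80',
    '2016-05-10 09:12:05,917 Web Request for /Orion/Login.aspx failed: The remote server returned an error: (500) Internal Server Error.'
)
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
Get-LoginRequestFailures $lines | Format-List
```

On a real server the first sample line is the only form the page says to expect; anything the function marks Unexpected means the wizard's failure is not explained by the missing HTTP binding.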
From Phase I:
From Phase III:
If the user cannot select the certificate, or is not prompted for one at all, the cause is browser settings.
Mozilla Firefox (only needed if it fails):
These instructions are adapted from "Enabling NTLM Authentication (Single Sign-On) in Firefox".
Everyone else can log in except for a few users
User is required Interactive Logon for this system.
If the user sees the above error, Group Policy has blocked that user from logging on to the system. IIS authenticates the user against the same Windows logon rights as an interactive logon to the server, so a user that Group Policy denies logon to the server is also denied by IIS.
After I enter my PIN, I get prompted for my account login (username and password).
Enable Windows Account Automatic Login.
Go to Settings > Web Console Settings > Windows Account Login, set it to Enable Automatic Login, and click Submit at the bottom.
If you have to repeat this step after running the Configuration Wizard, follow the steps under Setup Configuration Wizard before the next run.
I cannot add any users to the Web Console. Our domain enforces Smart Card logon for all users, so I cannot supply a username and password to search Active Directory.
Please reference the following hotfix link to resolve: