
Setup SSL and Enable Smart Card (CAC/PKI) User Authentication for Orion Web Console


PURPOSE: This is a start-to-finish guide to setting up SSL (with a self-signed certificate, a domain certificate, or a certificate from a root CA) and to setting up and troubleshooting Smart Card (CAC/PKI) authentication and login.

ISSUE: SSL must first be set up on the Orion Web Console so that it accepts secure connections.

RESOLUTION: Follow these steps to enable Smart Card authentication.

Designed for Windows Server 2008 R2, 2012, and 2012 R2.

PREREQUISITES: Please make sure that you have the following in place before following this document:

  1. Add at least one Active Directory account to the Web Console before you begin. Once all steps are complete, the Admin account will no longer be able to log in.
  2. Automatic Logon is enabled, or you run through the steps under Setup Configuration Wizard for the next use.

  Note: Once this KB has been applied, remember that the next time you run the Configuration Wizard you must select Skip HTTP Binding in the Website Settings. If you forget (this is also covered in the steps below), Secure the Site for Authentication Access and Phase II will need to be redone.

       

Phase I: SSL Certificate Setup

Go into IIS:

  1. Go to Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Select the server.
  3. Select Server Certificates.

Create a Domain Certificate (use this option if you have a valid CA in the domain)

  1. On the right, under Actions, select Create Domain Certificate.
  2. Enter the Common Name.
    1. This should be the hostname or the fully qualified name that users will connect to.
    2. It must match the name in the web URL for all functions to work.
  3. Fill in Organization, Organizational Unit, City, State and Country. This information does not need to be exactly correct.
  4. Select Next.
  5. Click the Select button and select the Certificate Authority.
    1. If there is nothing to select, create a Self-Signed Certificate instead.
  6. Enter a Friendly Name.
    1. This name is selected in step 8 of Set Web Server Certificate.

Create a Self-Signed Certificate (select this if the system is not on the domain)

  1. On the right, under Actions, select Create Self-Signed Certificate.
  2. Enter a Friendly Name.
    1. This should be the hostname or the fully qualified name that users will connect to.
    2. Note that a self-signed certificate will almost always produce a certificate warning in the browser, because clients have no trust relationship with it.

Set Web Server Certificate

Having completed the Self-Signed or Domain Certificate steps:

  1. In IIS, expand the server and Sites.
  2. Select SolarWinds NetPerfMon.
  3. Right-click and select Edit Bindings.
  4. Select Add.
  5. Change Type to https.
  6. IP Address: All Unassigned.
  7. Port: 443.
  8. SSL Certificate: select the certificate by its Friendly Name.

Secure the Site for Authentication Access

  1. Expand the Sites folder to SolarWinds NetPerfMon.
  2. Under IIS, select Authentication.
  3. Disable Anonymous Authentication.
  4. Disable Forms Authentication.
    Note: If your environment requires forms authentication, attempt these configuration changes with forms authentication left enabled.
  5. Enable Windows Authentication (it may be enabled already).
  6. Click the back button at the top of the screen to return to the SolarWinds NetPerfMon Home view.
  7. Click SSL or SSL Settings.
  8. Check Require SSL.
  9. Under Client Certificates, select Require, then click Apply at the top right.
  10. In Internet Explorer, click Tools > Internet Options and add the Orion web site to the Local Intranet and Trusted Sites zones.
  11. Point the browser at the Orion https URL.
  12. Use https://<SSLCertificateFriendlyName>/Orion/Login.aspx to navigate to the Orion SSL website.
    1. If a certificate error or a Red X is shown, the name on the certificate does not match the URL you entered. Click the certificate; the "Issued To:" field tells you the URL to use.
    2. If the certificate shows as a lock in Internet Explorer or green in Chrome and Firefox, you are good to go.
  13. After you select the certificate and log in, you may notice that the login screen still appears. This is because Automatic Windows Logon needs to be enabled.
    1. After logging in, go to Settings > Web Console Settings, set Windows Account Login to Enable Automatic Login, then click Submit.
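The Set Web Server Certificate and Secure the Site for Authentication Access steps above can also be applied from PowerShell instead of clicking through IIS Manager. The script below is an added example, not SolarWinds code and not part of the original article. It assumes the certificate has already been created in IIS Manager as described under Phase I, that the site is named SolarWinds NetPerfMon (the IIS default), and that the WebAdministration module (IIS 7.5 on Windows Server 2008 R2 and later) is available; the function name Set-OrionSslSite and the hostname in the usage line are placeholders of mine.

```powershell
# Added example (not SolarWinds code): applies the Phase I IIS settings with the
# WebAdministration module. Assumes the certificate already exists in LocalMachine\My
# (created in IIS Manager) and that the Orion site is "SolarWinds NetPerfMon".
Import-Module WebAdministration

function Set-OrionSslSite {
    param(
        [Parameter(Mandatory = $true)] [string] $CertFriendlyName,  # Friendly Name chosen in Phase I
        [Parameter(Mandatory = $true)] [string] $HostName,          # name users will type in the URL
        [string] $SiteName = 'SolarWinds NetPerfMon'
    )

    # 1. Find the certificate by Friendly Name and compare its DNS name with the URL host.
    #    A mismatch is what produces the Red X described under Troubleshoot Issues.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $CertFriendlyName } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with Friendly Name '$CertFriendlyName' in LocalMachine\My" }

    $dnsType  = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $certHost = $cert.GetNameInfo($dnsType, $false)
    if ($certHost -ne $HostName) {
        Write-Warning "Certificate is issued to '$certHost' but users will connect to '$HostName'; browsers will show a certificate error."
    }

    # 2. Set Web Server Certificate, steps 3-8: https binding on 443, all unassigned addresses.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
    }
    $sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
    if (Test-Path $sslBinding) { Remove-Item $sslBinding }
    New-Item -Path $sslBinding -Value $cert | Out-Null

    # 3. Secure the Site for Authentication Access, steps 3-5.
    #    These sections are locked at server level, so they are set for the site via -Location.
    $auth = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
    # "Forms Authentication" in IIS Manager is the ASP.NET system.web/authentication mode of the site.
    # Assumption: with Windows Authentication as the only mechanism, mode "Windows" is the value wanted.
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter 'system.web/authentication' -Name mode -Value 'Windows'

    # 4. SSL Settings, steps 7-9: Require SSL plus Require client certificates.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

    # Read the effective settings back so they can be checked before testing in a browser.
    $access = Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter 'system.webServer/security/access'
    New-Object PSObject -Property @{
        CertificateThumbprint = $cert.Thumbprint
        CertificateHost       = $certHost
        SslFlags              = $access.sslFlags
        AnonymousEnabled      = (Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/anonymousAuthentication").enabled
        WindowsEnabled        = (Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter "$auth/windowsAuthentication").enabled
    }
}

# Usage (hostname and Friendly Name are placeholders):
# Set-OrionSslSite -CertFriendlyName 'orion.example.com' -HostName 'orion.example.com'
```

The function only warns when the certificate name differs from the hostname, so that you can see the mismatch before users do; the returned object shows the two authentication flags and the sslFlags value, which is what you would set back (Client Certificates to Ignore) if you hit the white-screen case under Troubleshoot Issues.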

                         

                         

Phase II: SQL Server database change to reflect SSL enabled and the new URL

Configure the Orion database to allow SSL

  1. Log on to your Orion server using an account with administrative rights.
  2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
  3. Click Shutdown Everything.
    Note: It may take a few minutes to stop all services.
  4. Click Start > All Programs > SolarWinds Orion > Advanced Features > Database Manager.
  5. Click Add Default Server.
  6. Expand your Orion database in the left pane. The default database name is SolarWindsOrion or NetPerfMon.
  7. Right-click the Websites table, and then click Query Table.
  8. Select Execute.
  9. The SSL Certificate Friendly Name from Phase I is the value that goes into the <ServerName> field below.
    1. If you do not know it, do not update this column.
  10. Replace the default query with the following (the comma after Port is required, and the quotes must be plain single quotes):
    UPDATE dbo.Websites SET ServerName='<ServerName>', Port='443', SSLEnabled=1 WHERE Type='primary'
  11. Click Execute Query.
  12. Right-click the Websites table again, select Query Table, and click Execute Query.
  13. Make sure that ServerName is correct, Port is set, and, if SSL is to be required, SSLEnabled is 1.
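The same Phase II change can be made and verified from PowerShell with System.Data.SqlClient (present on any Orion server) instead of Database Manager. This is an added example, not part of the original article and not SolarWinds tooling. The connection string, the instance name and the function names Get-OrionWebsiteRow and Set-OrionWebsiteSsl are my assumptions; run it between Shutdown Everything (step 3) and Start Everything (Phase III), exactly as with the manual steps.

```powershell
# Added example (not SolarWinds code): runs the step 10 UPDATE as a parameterised query and
# reads the row back (steps 12-13). Connection string and database name are placeholders;
# SolarWindsOrion is one of the default names given above.
function Get-OrionWebsiteRow {
    param([Parameter(Mandatory = $true)] [string] $ConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT ServerName, Port, SSLEnabled FROM dbo.Websites WHERE Type = 'primary'"
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $rows += New-Object PSObject -Property @{
                ServerName = [string]$reader['ServerName']
                Port       = [int]$reader['Port']
                SSLEnabled = [bool]$reader['SSLEnabled']
            }
        }
        $reader.Close()
        return $rows
    } finally { $conn.Close() }
}

function Set-OrionWebsiteSsl {
    param(
        [Parameter(Mandatory = $true)] [string] $ConnectionString,
        [Parameter(Mandatory = $true)] [string] $ServerName,   # the certificate name from Phase I
        [int] $Port = 443
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        # Same statement as step 10; the name is passed as a parameter rather than spliced into the text.
        $cmd.CommandText = "UPDATE dbo.Websites SET ServerName = @name, Port = @port, SSLEnabled = 1 WHERE Type = 'primary'"
        [void]$cmd.Parameters.AddWithValue('@name', $ServerName)
        [void]$cmd.Parameters.AddWithValue('@port', $Port)
        $affected = $cmd.ExecuteNonQuery()
        if ($affected -ne 1) { Write-Warning "Expected to update 1 primary website row, updated $affected" }
    } finally { $conn.Close() }

    # Steps 12-13: read the row back and confirm all three columns.
    $row = Get-OrionWebsiteRow -ConnectionString $ConnectionString | Select-Object -First 1
    $ok = ($row.ServerName -eq $ServerName) -and ($row.Port -eq $Port) -and $row.SSLEnabled
    if (-not $ok) { throw "Websites row does not match the requested values: $($row | Out-String)" }
    return $row
}

# Usage (placeholders): after Shutdown Everything, before Start Everything.
# $cs = 'Server=SQLHOST\SOLARWINDS;Database=SolarWindsOrion;Integrated Security=True'
# Set-OrionWebsiteSsl -ConnectionString $cs -ServerName 'orion.example.com'
```

Get-OrionWebsiteRow on its own is a quick way to confirm the current ServerName, Port and SSLEnabled values (step 13) without opening Database Manager, for example after someone has re-run the Configuration Wizard.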

Phase III: Update SolarWinds services to the new URL

  1. Restart the services so that the Alerting and Reporting system uses the new URL for all actions. The Orion Web Link in the Start menu is updated at the same time.
  2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
  3. Click Start Everything.

Setup Configuration Wizard for the next use

If you want to make sure that the next person who runs the Configuration Wizard does not undo your changes, run through the wizard once:

  1. Go to Start > Programs > SolarWinds Orion > Configuration and Auto-Discovery > Configuration Wizard.
  2. Select Website, then select Next.
  3. In Website Settings, set Windows Authentication to Yes to enable Automatic Login.
  4. Select the Skip HTTP Binding checkbox.
  5. Select Next.
    1. If any popups appear about the website already existing, select Yes.
  6. Select Next to start the wizard; when Optimize Website appears, select Skip.

                                     

                                     

Phase III: Testing to make sure it all works

  1. Open a browser on your workstation and go to the URL.
  2. Log in with a domain user that was already added to Orion.
  3. You should now be at the Summary screen.

                                       

Troubleshoot Issues

Configuration Wizard reports "Web Request for /Orion/Login.aspx failed"

From now on, the Configuration Wizard will erroneously report Web Request for /Orion/Login.aspx failed. Ignore this message; the wizard still works. It is caused by the authentication and SSL changes made in Phase I.

If you believe this is a real issue, open C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log and search for Web Request for /Orion/Login.aspx failed. If the same line also reports No connection could be made because the target machine actively refused it 127.0.0.1:80, this means that port 80 (http) is not available. You can enable port 80 http to make this error disappear.
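To tell the expected failure apart from a real one without reading the whole log, here is an added example (mine, not part of the article or of SolarWinds' tools) that scans ConfigurationWizard.log for the message above and separates the port-80 case from anything else. The log excerpt in the block is constructed to show the shape of the check, not copied from a real wizard log; the function names and the site name are assumptions.

```powershell
# Added example (not SolarWinds code): classifies "Web Request for /Orion/Login.aspx failed"
# lines from ConfigurationWizard.log. The port-80 "actively refused" variant is the benign
# case described above; anything else is reported separately for investigation.
function Test-OrionWizardLog {
    param([Parameter(Mandatory = $true)] [string[]] $Lines)
    $marker  = 'Web Request for /Orion/Login.aspx failed'
    $refused = 'actively refused it 127.0.0.1:80'
    $hits   = @($Lines | Where-Object { $_ -like "*$marker*" })
    $benign = @($hits  | Where-Object { $_ -like "*$refused*" })
    $other  = @($hits  | Where-Object { $_ -notlike "*$refused*" })
    New-Object PSObject -Property @{
        Failures      = $hits.Count
        Port80Refused = $benign.Count   # expected once the http binding is gone
        OtherFailures = $other.Count    # these are worth looking at
        OtherLines    = $other
    }
}

# Companion check: is there still an http binding on the site? If not, the port-80
# refusal is exactly what the wizard should see.
function Test-OrionHttpBinding {
    param([string] $SiteName = 'SolarWinds NetPerfMon')
    Import-Module WebAdministration
    return ($null -ne (Get-WebBinding -Name $SiteName -Protocol http))
}

# Constructed sample lines (not a real log) to exercise the classifier.
$sample = @(
    '2015-03-02 10:15:01 [1] INFO  ConfigurationWizard - Verifying website',
    '2015-03-02 10:15:03 [1] ERROR ConfigurationWizard - Web Request for /Orion/Login.aspx failed: No connection could be made because the target machine actively refused it 127.0.0.1:80',
    '2015-03-02 10:15:04 [1] INFO  ConfigurationWizard - Website configured'
)
$result = Test-OrionWizardLog -Lines $sample
# $result.Port80Refused is 1 and $result.OtherFailures is 0 for the sample above.

# Real usage on the Orion server:
# Test-OrionWizardLog -Lines (Get-Content 'C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log')
# Test-OrionHttpBinding
```

If OtherFailures is non-zero, or Test-OrionHttpBinding returns True while the wizard still reports port 80 refused, the failure is not the benign one described above and the site binding and authentication settings from Phase I should be re-checked.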

                                       

From Phase I:

  • If you are seeing any of the following, the SSL Certificate Friendly Name does not match the URL, or there is no CA trust. Re-create the certificate to match the URL that all users will be connecting to.
    • Internet Explorer: Red X, "There is a problem with this website's security certificate."
    • Google Chrome: "Your connection is not private"
    • Firefox: "Untrusted Connection" or "Your connection is untrusted"
  • If the SSL certificate shows as invalid or has a Red X, Export to PDF and Reports may not function correctly. The Friendly Name needs to match the URL.

If you only see a white screen after these steps, you may have missed a step. Go back to SSL Settings and change Client Certificates from Require back to Ignore; the Web Console will load as before.
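The browser messages listed above cover two different causes, a name mismatch and a missing CA trust, and the fix differs (re-issue the certificate with the right name versus distribute the CA or self-signed certificate to clients). As an added example that is not part of the original article, the following PowerShell function connects to the Orion https port from a workstation and reports the two causes separately, using only .NET classes present on Windows 7 / Server 2008 R2 and later. The hostname is a placeholder and the function name is mine.

```powershell
# Added example (not SolarWinds code): fetches the certificate the Orion site actually presents
# and checks (a) whether it is issued to the name users type and (b) whether this workstation
# trusts its chain. Wildcard names are not expanded; the hostname is a placeholder.
function Test-OrionCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,   # exactly what users type in the URL
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake; name and trust are evaluated explicitly below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }

    # Names the certificate is valid for: the CN plus any DNS entries in Subject Alternative Name.
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $names = @($cert.GetNameInfo($dnsType, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    $nameMatches = @($names | Where-Object { $_ -eq $HostName }).Count -gt 0   # -eq is case-insensitive

    # Chain build against this workstation's trust stores: fails for a self-signed
    # certificate or an issuing CA the workstation does not know.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    New-Object PSObject -Property @{
        IssuedTo    = ($names -join ',')
        Issuer      = $cert.Issuer
        Expires     = $cert.NotAfter
        NameMatches = $nameMatches   # False: re-create the certificate with the URL name
        Trusted     = $trusted       # False: no CA trust on this client; ChainStatus says why
        ChainStatus = $status
    }
}

# Usage (placeholder host): Test-OrionCertificate -HostName 'orion.example.com'
```

NameMatches False with Trusted True means the certificate was issued with a different name than the URL (the first bullet above); Trusted False with a ChainStatus of UntrustedRoot is the self-signed or unknown-CA case, which no amount of re-issuing fixes until the clients trust the issuer.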

                                         

                                         

From Phase III

If the user cannot select the certificate, or is not prompted for one, the cause is browser settings.

Internet Explorer:

  1. Press the Alt key to bring up the menu (IE 10 and newer), then select File > Properties.
  2. Note the Zone; this is needed for step 5.
  3. Select the gear or Settings > Internet Options.
  4. Select the Security tab.
  5. Select the Zone noted in step 2 and select Custom Level.
    1. You can promote the site to Trusted Sites for better security:
      1. Select Trusted Sites.
      2. Select Sites.
      3. Select Add.
      4. Select Close.
  6. Scroll to the bottom; the last option is User Authentication.
    1. If the user has only one certificate and wants it selected automatically (this logs in the account they are logged on to the OS with):
      1. Select Automatic logon with current user name and password.
    2. If the user wants to be able to choose between certificates:
      1. Select Prompt for user name and password.
  7. Refresh or restart the browser. You may need to clear the cache for the change to take effect.

                                           

Mozilla Firefox (only needed if it fails):

  1. In the Firefox address bar, enter about:config.
  2. In the Filter field, enter network.automatic-ntlm-auth.trusted-uris.
  3. Double-click the preference name listed (network.automatic-ntlm-auth.trusted-uris).
  4. In the Enter string value window, enter a comma-separated list of the URLs of the Orion Web Consoles for which you want to enable AD access, for example:
    https://OrionServer1,http://OrionServer2,https://OrionWANMonitor
  5. Click OK.
    Note: You may need to restart Firefox for this configuration to take effect.

These instructions are adapted from "Enabling NTLM Authentication (Single Sign-On) in Firefox".


Everyone else can log in except for a few users

User is required Interactive Logon for this system.

If the user sees the above error, Group Policy has blocked the user from accessing the system. IIS uses the same logon rights as an interactive logon to the system.

  1. Open Group Policy Manager, either on the system directly or through a GPO.
  2. Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\.
  3. Check the security settings to ensure that the accounts are not denied logon access.
  4. Other interactive logon errors can be traced back to the Event Log on the SolarWinds server and the Event ID. Use the Microsoft page Interactive Logon Tools and Settings: Logon and Authentication to identify which setting is causing the issue, based on the Event ID or message.



After I enter my PIN, I get prompted for my account login (username and password).

Enable Windows Account Automatic Logon:

Go to Settings > Web Console Settings > Windows Account Login, set it to Enable Automatic Login, and select Submit at the bottom.

If you have to repeat the above step after running the Configuration Wizard, follow the steps under Setup Configuration Wizard for the next use.



I cannot add any users to the Web Console. Our domain is configured to enforce Smart Card Logon for all users, and I cannot provide a username or password to search Active Directory.

Please reference the following hotfix link to resolve this:

SolarWinds Orion Core: Add Windows account to Web Console when "Force Smart Card logon" is setup on a Forest or Domain

                                                     

