web console access
Our web console is on a remote server in forest A using Windows Authentication. All SCOM components are in forest A (except gateways). We have additional users in forest B and forest C. Full transitive trust between forests. Forest A and B users can logon to the web console, but forest C users cannot. I don't get any messages denying access, the logon prompt just comes back. I've verified this behavior with a couple of different accounts. Don't see any error messages in the web console event logs. Is web console logon logged in any way? Any ideas on where to look for resolutions?
May 11th, 2011 1:35pm

I checked the security logs on the web console and I see a successful logon message for the Forest C account (Type SuccessA EventID: 540). So why do I keep getting the prompts for these guys but not other forest dwellers?
May 12th, 2011 7:20am


- Check whether the forest C users have SCOM user rights (I suppose they have).
- Check the IIS logs on the web console server. (If the web console server is not the RMS, you need to set up the web server for the double Kerberos hop scenario, but I suppose you have done this since forest A/B users can access the console.)

Rob Korving http://jama00.wordpress.com/
May 12th, 2011 7:44am


> - Check whether the forest C users have SCOM user rights (I suppose they have).
> - Check the IIS logs on the web console server. (If the web console server is not the RMS, you need to set up the web server for the double Kerberos hop scenario, but I suppose you have done this since forest A/B users can access the console.)
>
> Rob Korving http://jama00.wordpress.com/

Ah yes, the IIS logs. Looking at them I don't see any errors jumping out at me. When I try to log in with the forest C user, I keep getting the logon prompt back; I don't get any actual access denied. When I change to the forest B user, I log on and get to the web console. The accounts have rights to SCOM, and I can log on to other forest A resources with both forest B and C accounts. Not sure what to look for here.

When I use the forest C account (CCC) it keeps coming back to the logon prompt. When I use the forest B account (BBB) it moves on. I do see a successful logon in the eventvwr security log for both B and C.

2011-05-12 12:45:43 W3SVC2 192.168.1.111 GET /default.aspx - 51908 CCC\test_user 192.168.194.138 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+MS-RTC+LM+8;+InfoPath.2;+MS-RTC+EA+2) 302 0 0
2011-05-12 12:45:43 W3SVC2 192.168.1.111 GET /login.aspx ReturnUrl=%2fdefault.aspx 51908 CCC\test_user 192.168.194.138 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+MS-RTC+LM+8;+InfoPath.2;+MS-RTC+EA+2) 401 5 0
2011-05-12 12:45:59 W3SVC2 192.168.1.111 GET /login.aspx ReturnUrl=%2fdefault.aspx 51908 - 192.168.194.138 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+MS-RTC+LM+8;+InfoPath.2;+MS-RTC+EA+2) 401 1 0
2011-05-12 12:45:59 W3SVC2 192.168.1.111 GET /login.aspx ReturnUrl=%2fdefault.aspx 51908 CCC\test_user 192.168.194.138 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+MS-RTC+LM+8;+InfoPath.2;+MS-RTC+EA+2) 401 5 0

It just keeps looping here until I change the user.

2011-05-12 12:47:50 W3SVC2 192.168.1.111 GET /default.aspx - 51908 - 192.168.194.138 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+MS-RTC+LM+8;+InfoPath.2;+MS-RTC+EA+2) 401 2 2148074254
2011-05-12 12:47:52 W3SVC2 192.168.1.111 GET /default.aspx - 51908 BBB\test_user 192.168.194.138 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+MS-RTC+LM+8;+InfoPath.2;+MS-RTC+EA+2) 200 0 0
2011-05-12 12:47:52 W3SVC2 192.168.1.111 GET /Common/MainStyles.css - 51908 - 192.168.194.138 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506.30;+MS-RTC+LM+8;+InfoPath.2;+MS-RTC+EA+2) 401 2 2148074254
May 12th, 2011 9:04am

Hi,

I noticed the code 401 which means “Access denied” in the log. Please refer to the following Knowledge Base articles to check the issue:

The HTTP status codes in IIS 7.0
http://support.microsoft.com/kb/943891

Troubleshooting HTTP 401 errors in IIS
http://support.microsoft.com/kb/907273

Please disable the option “Show Friendly HTTP Error Messages” in Internet Options and see if there is any error. If so, please let us know the details.

Meanwhile, I would like to share the following with you for your reference:

Common Issues with the OpsMgr Web Console
http://blogs.technet.com/b/kevinholman/archive/2010/04/07/common-issues-with-the-opsmgr-web-console.aspx

Hope this helps. Thanks.

Nicholas Li - MSFT
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 13th, 2011 5:30am

From the IIS status codes you are getting:

401.5 - Authorization failed by ISAPI/CGI application.
AND
401.2 - Logon failed due to server configuration.

To rule out NTFS issues on some files, could you add the test user to the local users group of the web console server? If that works OK, most likely you need to make sure the domain C users have read access to the files of the website.

Rob Korving http://jama00.wordpress.com/
May 16th, 2011 4:26am
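
Added example, not part of any post in this thread: a small triage script that separates 401s logged with a user name (the caller was identified, then refused) from 401s with no identity, and lists accounts that never reach a 200. The field order is inferred from the log lines quoted above, and the sample is constructed from them with the User-Agent shortened.

```python
from collections import Counter

# Field order inferred from the log lines quoted in this thread (an assumption;
# the real order is set by the site's W3C logging configuration).
FIELDS = ("date time site s_ip method uri_stem uri_query port username "
          "c_ip user_agent status substatus win32_status").split()
# 401 sub-status meanings as given in the thread and in KB 943891.
SUBSTATUS_401 = {"1": "Logon failed",
                 "2": "Logon failed due to server configuration",
                 "5": "Authorization failed by ISAPI/CGI application"}
UA = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)"  # shortened
PRE, IP = "W3SVC2 192.168.1.111 GET", "192.168.194.138"
# Constructed sample: the thread's seven requests, User-Agent shortened.
SAMPLE = "\n".join([
    f"2011-05-12 12:45:43 {PRE} /default.aspx - 51908 CCC\\test_user {IP} {UA} 302 0 0",
    f"2011-05-12 12:45:43 {PRE} /login.aspx ReturnUrl=%2fdefault.aspx 51908 CCC\\test_user {IP} {UA} 401 5 0",
    f"2011-05-12 12:45:59 {PRE} /login.aspx ReturnUrl=%2fdefault.aspx 51908 - {IP} {UA} 401 1 0",
    f"2011-05-12 12:45:59 {PRE} /login.aspx ReturnUrl=%2fdefault.aspx 51908 CCC\\test_user {IP} {UA} 401 5 0",
    f"2011-05-12 12:47:50 {PRE} /default.aspx - 51908 - {IP} {UA} 401 2 2148074254",
    f"2011-05-12 12:47:52 {PRE} /default.aspx - 51908 BBB\\test_user {IP} {UA} 200 0 0",
    f"2011-05-12 12:47:52 {PRE} /Common/MainStyles.css - 51908 - {IP} {UA} 401 2 2148074254",
])

def parse(text):
    """Split log lines into dicts; skip '#' directives and lines of another layout."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def classify(row):
    """A 401 that carries a user name was refused after IIS identified the caller."""
    if row["status"] != "401":
        return "ok"
    return "no-identity" if row["username"] == "-" else "denied-after-auth"

def summarize(rows):
    """Per-user counts of 'status.substatus' for requests that carry a user name."""
    out = {}
    for r in rows:
        if r["username"] != "-":
            out.setdefault(r["username"], Counter())[f"{r['status']}.{r['substatus']}"] += 1
    return out

def looping_users(rows):
    """Users who drew 401s while identified and never received a 200."""
    return sorted(u for u, c in summarize(rows).items()
                  if any(k.startswith("401.") for k in c)
                  and not any(k.startswith("200.") for k in c))
```

On the sample, only `CCC\test_user` is reported, with two 401.5 responses, which `SUBSTATUS_401` maps to an authorization refusal rather than a failed logon.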


> From the IIS status codes you are getting:
>
> 401.5 - Authorization failed by ISAPI/CGI application.
> AND
> 401.2 - Logon failed due to server configuration.
>
> To rule out NTFS issues on some files, could you add the test user to the local users group of the web console server? If that works OK, most likely you need to make sure the domain C users have read access to the files of the website.
>
> Rob Korving http://jama00.wordpress.com/

Tried that, getting the same errors.
May 19th, 2011 10:05am


This topic is archived. No further replies will be accepted.
