You may come across different issues at different times when you are working with the Nomad Dashboard. Some of the common errors are:

Error 500

The Nomad Dashboard, Nomad Sync and Nomad Pre-cache features rely on an SQL linked server connection between the ActiveEfficiency database and the Configuration Manager Database.  When the Configuration Manager database, Active Efficiency database and Active Efficiency service are installed on three separate servers, SPN registration and Account delegation must be properly configured in Active Directory to allow the ActiveEfficiency service to obtain information from the Configuration Manager database through the linked server created on the ActiveEfficiency Database server.

This scenario is commonly referred to as a double hop, and it requires that the ActiveEfficiency database service account be allowed to delegate to the Configuration Manager database service.

 

To enable secure delegation the following is required:

  1. Service Principal Names must be registered for each SQL database (Active Efficiency and SCCM) service account. The syntax to list currently registered SPNs is setspn -L <domain\SQL service account>. For example:

    setspn -L lab051\sqlsvc3

     If you need to create an SPN, the syntax for SetSPN.exe is setspn -S MSSQLSvc/SQLServerFQDN:SQLInstance <domain\SQL service account>. You can derive the SPN name from the error message, for example:

    setspn -S MSSQLSvc/lab051SQL1.lab051.adw:LINKTEST3 lab051\sqlsvc3
    setspn -S MSSQLSvc/lab051SQL1:LINKTEST3 lab051\sqlsvc3
  2. A Kerberos connection must be possible to each SQL service. Run this query remotely from the SQL server – it should return KERBEROS if the service is configured correctly.

    select auth_scheme from sys.dm_exec_connections where session_id = @@spid

    You must run this remotely from the SQL server. If you run this on the SQL Server, it will always return NTLM. The Microsoft Kerberos Configuration Manager for SQL Server tool can also be useful in setting up Kerberos authentication for SQL Server.

  3. The ActiveEfficiency SQL service account must be trusted to delegate to the Configuration Manager SQL service. In the illustration below, the AESQLService is the Server account under which ActiveEfficiency SQL database service is running, 1ETrainCMPRI is the name of the SCCM primary SQL database server:
  4. If the ActiveEfficiency service is not running under a system account (typically Network Service), then it must be allowed to delegate. So the highlighted option should NOT be checked (AEService is the ActiveEfficiency service account):

  5. Also, make sure that the ActiveEfficiency service account has permission on the Configuration Manager site database. By default, the service account is Network Service, so the ActiveEfficiency server's computer account must be granted access. For standalone primary site environments, permissions are assigned to the ActiveEfficiency service account automatically using the ConfigMgr_DViewAccess Windows local group native to Configuration Manager. For a CAS, this group is not created natively and additional steps are required to allow access.
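
The following read-only audit of steps 1, 3 and 4 is an added example, not 1E's own tooling. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that both accounts are domain user accounts, and that the option referred to in step 4 is "Account is sensitive and cannot be delegated"; the account and server names are the sample names from this page, used as placeholders.

```powershell
# Added example: read-only audit of the SPN and delegation settings (steps 1, 3, 4).
# Names below are placeholders taken from the page's examples; replace with your own.
Import-Module ActiveDirectory

$AeSqlAccount = 'AESQLService'   # account running the ActiveEfficiency SQL service
$AeSvcAccount = 'AEService'      # ActiveEfficiency service account (skip if Network Service)
$CmSqlServer  = '1ETrainCMPRI'   # Configuration Manager SQL server

$props = 'ServicePrincipalName', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'AccountNotDelegated'

function Test-DoubleHopAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TargetSqlServer   # when set, require delegation to MSSQLSvc on this host
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $findings = @()
    $sqlSpns = @($u.ServicePrincipalName | Where-Object { $_ -like 'MSSQLSvc/*' })
    # Matches both the NetBIOS and the FQDN form of the target SPN.
    $targets = @($u.'msDS-AllowedToDelegateTo' |
                 Where-Object { $_ -like "MSSQLSvc/$TargetSqlServer*" })

    # Assumption: this flag is the option step 4 says must NOT be checked.
    if ($u.AccountNotDelegated) {
        $findings += 'Account is marked sensitive and cannot be delegated (step 4)'
    }
    if ($TargetSqlServer) {
        if (-not $sqlSpns) { $findings += 'No MSSQLSvc SPN registered (step 1)' }
        if ($u.TrustedForDelegation) {
            # Delegation to any service: works, but is broader than step 3 needs.
            $findings += 'Unconstrained delegation enabled; restrict to the CM SQL SPN'
        } elseif (-not $targets) {
            $findings += "Not trusted to delegate to MSSQLSvc/$TargetSqlServer (step 3)"
        }
    }
    [pscustomobject]@{
        Account    = $u.SamAccountName
        SqlSpns    = $sqlSpns -join '; '
        DelegateTo = $targets -join '; '
        Findings   = if ($findings) { $findings -join ' | ' } else { 'OK' }
    }
}

Test-DoubleHopAccount -SamAccountName $AeSqlAccount -TargetSqlServer $CmSqlServer
Test-DoubleHopAccount -SamAccountName $AeSvcAccount
```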

Other things to note

  • Is the ActiveEfficiency service running? Open the Services.log and WebService.log to check the health of the ActiveEfficiency-Nomad sync. The most common error that we encounter in the logs is:

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'


    This error means that Kerberos authentication failed, either because the SPN registration or account delegation (as described above) is not correctly set or because the ActiveEfficiency service account does not have rights to read the Configuration Manager database.

  • Is Nomad sync enabled? We can verify that by initiating the Nomad-ActiveEfficiency sync and looking at the Services.log located under C:\Programdata\1E\ActiveEfficiency.
    • To initiate Nomad sync, run:  

      "C:\Program Files (x86)\1E\ActiveEfficiency\Service\ServiceHost.exe" -nomadsyncall

      We should have an entry like below in the Services.log:

      2017-12-16 18:19:57 # 186206433ms [   49]  INFO : Started Nomad sync, type: Modified

      If it's not enabled, the log will display a message that Nomad sync is not enabled.  You can also verify what details were provided for the Configuration Manager database (such as the name of its server and database) during ActiveEfficiency installation, by running the following SQL query against the ActiveEfficiency database:


      select reporting.GetCMServerName()
      select * from sys.servers where name = 'ConfigMgrLink'
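
To tie the two log checks above together, the following added example (not part of the product) pairs each "Started Nomad sync" entry with any ANONYMOUS LOGON failure logged before the next sync starts. The sample lines are constructed: only the sync-start line and the failure text follow what this page quotes, and the layout of the error line is an assumption.

```powershell
# Added example. Constructed sample input; the ERROR line layout is assumed.
$sample = @'
2017-12-16 18:19:57 # 186206433ms [   49]  INFO : Started Nomad sync, type: Modified
2017-12-16 18:19:58 # 186207501ms [   49] ERROR : Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
2017-12-16 19:19:57 # 189806433ms [   52]  INFO : Started Nomad sync, type: Modified
'@ -split '\r?\n'

function Get-NomadSyncStatus {
    param([string[]]$Lines)
    $failure = [regex]::Escape("Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'")
    $syncs = [System.Collections.Generic.List[object]]::new()
    foreach ($line in $Lines) {
        # Skip continuation lines that do not start with a timestamp.
        if ($line -notmatch '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ') { continue }
        $ts = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
        if ($line -match 'Started Nomad sync, type: (?<type>\w+)') {
            $syncs.Add([pscustomobject]@{
                Started = $ts; Type = $Matches['type']; AnonymousLogon = $false })
        } elseif ($syncs.Count -and $line -match $failure) {
            # Failure belongs to the most recent sync attempt.
            $syncs[$syncs.Count - 1].AnonymousLogon = $true
        }
    }
    $syncs
}

# For a live check, pass (Get-Content 'C:\ProgramData\1E\ActiveEfficiency\Services.log').
Get-NomadSyncStatus -Lines $sample | Format-Table -AutoSize
```

A sync whose AnonymousLogon column is True points to the SPN, delegation or database permission problems described earlier; a log with no sync rows at all means the sync never started.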


No data available

The Nomad Dashboard uses the RBAC lists from Configuration Manager to determine if a user can view data in the Nomad Dashboard tiles. If a user has not been granted rights in Configuration Manager or if ActiveEfficiency is unable to determine the user's permissions in Configuration Manager, Active Efficiency will not display any data in the Dashboard tiles.

In order for users to view data in the Dashboard tiles, users must be granted these permissions:

| Object classes                   | Actions             |
|----------------------------------|---------------------|
| Application                      | Read                |
| Boot Image Package               | Read                |
| Collection                       | Read, Read Resource |
| Driver Package                   | Read                |
| Operating System Image           | Read                |
| Operating System Upgrade Package | Read                |
| Package                          | Read                |
| Software Updates                 | Read                |
| Status Messages                  | Read                |
| Task Sequence Package            | Read                |
| Update Packages                  | Read                |

Other notes

  • The Active Efficiency Service account is unable to query group membership in AD. Under normal circumstances this should not be an issue as the service account will have this ability unless it has been explicitly denied. However, Active Efficiency 1.9.500 did experience a problem where occasionally the Active Efficiency service account would be unable to obtain all of the group membership for an account from Active Directory. This was fixed in Active Efficiency 1.9.600.
  • User accessing the Nomad Dashboard is a member of multiple groups which have been granted rights in Configuration Manager. This was fixed in Active Efficiency 1.9.600.
  • User accessing the Nomad Dashboard is a member of an accounts domain that differs from the domain the Active Efficiency server is in. This was fixed in Active Efficiency 1.9.800.


Prompting for credentials

Windows Security prompts for user name and password when accessing the Nomad Dashboard from within the ConfigMgr console (Monitoring, Overview, 1E Nomad, Dashboard) or directly via the Nomad Dashboard web site (http://ActiveEfficiency server name/ActiveEfficiency/NomadDashboard).

If no valid user name and/or password is provided, the Nomad Dashboard tiles do not display data and error 401 is returned. When a valid user name and password are provided in the Windows Security window, Nomad Dashboard starts and loads the tiles successfully.

The common cause is that the Nomad Dashboard website has not been added to the Local Intranet site list in the web browser, either on the system running the ConfigMgr console with the Nomad Dashboard feature enabled or on the server/client accessing the Nomad Dashboard web site (https://ActiveEfficiency server name/ActiveEfficiency/NomadDashboard) directly from a web browser.

To mitigate this, on the system running the ConfigMgr console with the Nomad Dashboard feature enabled or on the server/client accessing the Nomad Dashboard web site (https://ActiveEfficiency server name/ActiveEfficiency/NomadDashboard):

  1. Open your web browser such as Internet Explorer.
  2. On Internet Explorer, click on Tools, Internet Options, Security tab, Local Intranet, Sites.
  3. Add the Nomad Dashboard web site to the Website list.  
  4. Click Close followed by OK.

The procedure above may vary between web browsers. The URL added to the Local Intranet zone must exactly match the URL used by the Configuration Manager console; alternatively, add URLs using both the FQDN and the NetBIOS name of the Active Efficiency server. This is a per-user setting and will need to be configured for each user accessing the dashboard.

It is also possible that Windows Authentication is not enabled in IIS on the ActiveEfficiency website. If it is not, ensure Windows Authentication is installed and enabled on the ActiveEfficiency website.