...building hybrid clouds that can support any device from anywhere
Following up from the Installing and configuring Windows Azure Pack (WAP) series we are now at the point where we want to reconfigure server names and ports as well as assigning trusted certificates to my WAP Portals.
Blog post in the series are:
In this blog post we will look at how you can change portal names and ports for the Tenant and Admin portals in WAP.
Once that is done we are going to issue certificates from an Enterprise CA to the Admin portal as well as issuing a certificate to the Tenant Portal. As I don't have a Public CA Certificate I'm going to use one from my Enterprise CA, but the concept for a Public CA is exactly the same as if I was using certificates from a trusted CA like VeriSign or similar.
Figure 1: Windows Azure Pack Tenant Portal
Windows Azure Pack has different components which serve various functions.
By looking at the roles being installed on a WAP Server for an express install, we can see a long list of Web Services running on the WAP Server.
These different Web Services provide various roles within the WAP Infrastructure
In this blog post scenario, we will be working with the following Web Services:
Figure 1: List of Web Sites (roles) running on a WAP Server (Express install)
Figur 2: WAP Infrastructure example
When a tenant accesses the WAP Tenant portal (exposed to the Internet) they will be redirected to the WAP Tenant Authentication Service to validate if the user is allowed to access the system, once the WAP Tenant Authentication service has validated the user, it will be redirected back to the WAP Tenant portal with access to WAP services. The tenant authentication service uses claim based authentication and can use different authentication methods like ADFS or .Net. In this scenario we are using default authentication (.Net), in the following three blog posts Shri from the WAP Product team will explain how you can change the WAP tenant authentication service to make use of ADFS.
In the PoC setup these services are running on the same server (WAP01.contoso.com) as shown on "figure 1".
A similar scenario happens when a WAP Administrator accesses the WAP Admin portal (only accessible on the internal network), the WAP admin portal will redirect the admin to the WAP Admin Authentication service which by default uses Windows Authentication. Once Windows Authentication service has authenticated the user, the user is redirected back to the WAP Admin portal with access to WAP.
After Installing and configuring Windows Azure Pack with the basic settings for the Contoso.com proof of concept (PoC), the next steps are to configure the following:
The Servers are configured as follows:
Active Directory, ADFS, Certificate Server
Windows Azure Pack
Windows Azure Pack Express Install
Service Provider Foundation
SQL Instance hosting the WAP databases
Virtual Machine Manager
Virtual Machine Manager 2012 R2 managing one Hyper-v host
The portals DNS names will be renamed to the following:
Disclaimer: This environment is meant for testing only. This should not be considered guidance for production use, as several decisions made in this blog post are not targeting a production environment.
As the two WAP Portals by default (in our proof of concept) are installed with https://wap01.contoso.com:30081 for the Tenant Portal and https://WAP01.contoso.com: 30091 for the Admin Portal we want to change these to use more portal friendly names.
To do this we need to do the following:
To create new DNS records do the following:
Figure 3: Creating a new A-record in DNS manager
Figure 2: List of DNS records in DNS Manager.
In order to use CA signed certificates in our PoC environment we need to do the following:
To install a CA Server do the following steps:
Do the following to configure the newly installed CA Server:
Figure 3: Configuring CA Server in Server Manager
Figur 4: CN Names for the CA Server
Greg from CAT has created a blog post which describes how the certificate can be automated. The blog post can be found here: Automating Active Directory Certificate Services with Windows PowerShell – Part 1.
The manual steps will be described below:
To issue certificates for the WAP Services the following steps needs to be done:
Figure 5: Certificate request from IIS Manager
Figure 6: Certificate list in IIS Manager
We now have a web certificate, which we can use for the WAP Admin Portal.
Figure 7: WAP Certificates in IIS Manager
The following steps needs to be done in order to change ports and certificates for the admin portal.
Figure 8: IIS Certificate list for Web Site Bindings
The following steps needs to be done in order to change ports and certificates for the tenant portal.
The TechNet documentation can be found here: Reconfigure FQDNs and Ports in Windows Azure Pack
To update WAP with our modifications the following commands needs to be executed, where we will use the values used in the scenario.
We will be using the following arguments while executing the commands:
WAP Database Server: db02.contoso.com
WAP Database user: sa
Admin Portal FQDN: wapadmin.contoso.com
Admin Portal Port: 443
Admin Auth Service: wap01.contoso.com:30072
To update the modification made to WAP Services in the WAP database do the following.
Import-Module -Name MgmtSvcConfig
Set-MgmtSvcFqdn -Namespace "AdminSite" -FullyQualifiedDomainName "wapadmin.contoso.com" -Port 443 -Server "db02"
Set-MgmtSvcRelyingPartySettings –Target Admin –MetadataEndpoint 'https://wap01.contoso.com:30072/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=*******"
Set-MgmtSvcIdentityProviderSettings –Target Windows –MetadataEndpoint 'https://wapadmin.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"
The following attributes are used for configuring the WAP Tenant Portal.
Tenant Portal FQDN: wapcloud.contoso.com
Admin Auth Service: wapcloud.contoso.com:444
To update the tenant portal do the following:
Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName "wapcloud.contoso.com" -Port 443 -Server "db02"
Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName "wapcloud.contoso.com" -Port 444 -Server "db02"
Set-MgmtSvcRelyingPartySettings –Target Tenant –MetadataEndpoint 'https://wapcloud.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"
Set-MgmtSvcIdentityProviderSettings –Target Membership –MetadataEndpoint 'https://wapcloud.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"
To verify that the modification works do the following:
Pre-requisite: As we don't have a public certificate for our PoC setup we are going to install the CA certificate on the computers in the Trusted Certificates store from where we will access the WAP Portals.
Verify that the WAP Admin Portal loads using the new URL
Figure 9: Updated URL in the WAP Admin Portal
Figure 10: Updated URL in the WAP Tenant Portal
Figure 11: Updated URL in the WAP Tenant Portal
The goal with this blog post was to show how it's possible to reconfigure portal names, ports and use trusted certificates after deploying the Windows Azure Pack.
In the blog post we did the following
In the next three blog posts Shri from the WAP Product team will walk you through how to configure ADFS with Windows Azure Pack.
Happy building your PoC environment for Windows Azure Pack.
Thanks alot for this post. I could not get the metadataendpoint to work om port 443. After digging around in the config for a few hours i still keep getting the HTTP 503 error on the following URL /federationmetadata/2007-06/federationmetadata.xml. I finnaly found the following KB : http://support.microsoft.com/kb/2696987.
Doing the following did the trick :
netsh http delete urlacl url=https://+:443/FederationMetadata/2007-06/
Really grateful for this best practice existence.. thank you !But, i have a question..I have followed this best practice, but i stuck in the following copied-text,6. Re-establish trust for the Tenant SiteSet-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'auth.skyhost.com/.../FederationMetadata.xml& -Server "your portal DB server" -UserName "your portal DB server admin user" -Password "your portal DB server admin user password"I don't have the federationmetadata.xml...Could you help me to find out it?Is federationmetadata.xml generated when i install active directory federation services? Or maybe can find out it from somewhere?Thank you...Warm regards,Widi Hong
Hi Widi HongThis blog post only deals with how you can change your WAP Web services to use other names and ports. This does not configure ADFS integration. The blog posts linked in the start og this blog post tells how this can be archived using ADFS. The XML file you are referencing would be located on the server where you installed the default ,net auth for WAP (Web service. By default this uses port 30074, but if you change this port you would have to update WAP to know where to go for the auth request. Again this is out of the box before you configure ADFS.Hope this makes sense.ThanksAnders
Need some help here please.
I get an error on the Tenant Site while running:
Set-MgmtSvcRelyingPartySettings –Target Tenant –MetadataEndpoint ‘https://xxxauth.com:443/FederationMetadata/2007-06/FederationMetadata.xml‘ -ConnectionString “Data Source=xxx;User
Set-MgmtSvcRelyingPartySettings : CData elements not valid at top level of an XML document. Line 1, position 3.
At line:1 char:1
+ Set-MgmtSvcRelyingPartySettings –Target Tenant –MetadataEndpoint ‘https://xxx ...
+ CategoryInfo : NotSpecified: (:) [Set-MgmtSvcRelyingPartySettings], XmlException
+ FullyQualifiedErrorId : System.Xml.XmlException,Microsoft.WindowsAzure.Config.PowerShell.Claims.SetRelyingPartyS
as a note, the following run fine:
Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName "xxx.com" -Port 443 -Server "xxx.priv"
Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName "xxx.com" -Port 443 -Server "xxx.priv"
Set-MgmtSvcIdentityProviderSettings –Target Membership –MetadataEndpoint ‘https://xxx.com:443/FederationMetadata/2007-06/FederationMetadata.xml‘ -ConnectionString “Data Source=xxx;User
created host records to resolve IPs for external records (since i havet publish via Public IP until i get everything working internally)
Windows Azure Pack v2
thanks in advance