Windows Azure Pack - Reconfigure portal names, ports and use trusted certificates


Following up on the Installing and configuring Windows Azure Pack (WAP) series, we are now at the point where we want to reconfigure server names and ports, as well as assign trusted certificates to the WAP Portals.

Blog posts in the series are:

In this blog post we will look at how you can change portal names and ports for the Tenant and Admin portals in WAP.

Once that is done we are going to issue certificates from an Enterprise CA to the Admin Portal and to the Tenant Portal. As I don't have a certificate from a public CA, I'm going to use one from my Enterprise CA, but the concept is exactly the same as if I were using certificates from a trusted public CA such as VeriSign.

Figure 1: Windows Azure Pack Tenant Portal

 

Architecture:

Windows Azure Pack has different components which serve various functions.

By looking at the roles being installed on a WAP Server for an express install, we can see a long list of Web Services running on the WAP Server.

These different Web Services provide various roles within the WAP infrastructure.

In this blog post scenario, we will be working with the following Web Services:

  • WAP Tenant Portal Service (MgmtSvc-TenantSite): Hosts the WAP Tenant Portal
  • WAP Tenant Authentication Service (MgmtSvc-AuthSite): Hosts the authentication for tenants
  • WAP Admin Portal Service (MgmtSvc-AdminSite): Hosts the Admin Portal
  • WAP Admin Authentication Service (MgmtSvc-WindowsAuthSite): Hosts the Admin Authentication

 

Figure 1: List of Web Sites (roles) running on a WAP Server (Express install)

Figure 2: WAP Infrastructure example

When a tenant accesses the WAP Tenant Portal (exposed to the Internet), they are redirected to the WAP Tenant Authentication Service, which validates whether the user is allowed to access the system. Once the WAP Tenant Authentication Service has validated the user, the user is redirected back to the WAP Tenant Portal with access to the WAP services. The tenant authentication service uses claims-based authentication and can use different authentication methods, such as ADFS or .NET. In this scenario we are using the default authentication (.NET); in the following three blog posts Shri from the WAP product team will explain how you can change the WAP tenant authentication service to make use of ADFS.

In the PoC setup these services are running on the same server (WAP01.contoso.com) as shown on "figure 1".

A similar flow happens when a WAP administrator accesses the WAP Admin Portal (only accessible on the internal network). The WAP Admin Portal redirects the admin to the WAP Admin Authentication Service, which by default uses Windows Authentication. Once the Windows Authentication service has authenticated the user, the user is redirected back to the WAP Admin Portal with access to WAP.

 

Scenario:

After Installing and configuring Windows Azure Pack with the basic settings for the Contoso.com proof of concept (PoC), the next steps are to configure the following:

  • Change the WAP portal names.
  • Configure the tenant and admin portals to run on port 443 (HTTPS).
  • Replace the self-signed certificates with certificates issued by the enterprise CA (and consequently remove the warnings displayed in Internet Explorer because of the self-signed certificates).
  • Change the WAP Tenant Portal to use an Internet-facing URL.
  • Change the WAP Tenant Authentication site to use the public web address that is also used by the WAP Tenant Portal.

     

The servers are configured as follows:

Role                          Name                 Function
Active Directory              DC01.contoso.com     Active Directory, ADFS, Certificate Server
Windows Azure Pack            WAP01.contoso.com    Windows Azure Pack Express Install
Service Provider Foundation   SPF01.contoso.com    Service Provider Foundation
SQL Server                    DB02.contoso.com     SQL Instance hosting the WAP databases
Virtual Machine Manager       VMM01.contoso.com    Virtual Machine Manager 2012 R2 managing one Hyper-V host

 

The portals' DNS names will be changed to the following:

  • WAP Admin Portal: wapadmin.contoso.com, port 443
  • WAP Tenant Portal Internal: wapcloud.contoso.com, port 443
  • WAP Tenant Auth: wapcloud.contoso.com, port 444

Disclaimer: This environment is meant for testing only. This should not be considered guidance for production use, as several decisions made in this blog post are not targeting a production environment.

Reconfigure portal names for Windows Azure Pack

As the two WAP Portals are by default (in our proof of concept) installed as https://wap01.contoso.com:30081 for the Tenant Portal and https://wap01.contoso.com:30091 for the Admin Portal, we want to change these to use friendlier portal names.

To do this we need to do the following:

  • Create a DNS record for the new portals.
  • Install and configure an enterprise CA.
  • Request certificates for WAP Web Services from the CA.
  • Change ports and assign certificates for WAP Services.
  • Update Windows Azure Pack with the new web service modifications.

 

Create a DNS record for the new portals.

To create new DNS records do the following:

  1. Logon to the DNS server.
  2. Start DNS Manager
  3. Expand dc01 > Forward Lookup Zone > <Yourdomain> (e.g. contoso.com)
  4. Right click on <Yourdomain> and select New Host (A-Record)
  5. Provide the DNS name and the IP address of the WAP Admin Server (e.g. Name: wapadmin, IP: 192.168.1.40)

    Figure 3: Creating a new A-record in DNS manager

  6. Create the DNS name for the remaining portal (e.g. wapcloud) the same way and provide the WAP01 IP address, as all roles are installed on the same server in the PoC.
  7. Verify that the DNS records show in the list.

    Figure 2: List of DNS records in DNS Manager.

  8. Close the DNS Manager.

 

Use trusted certificates for Windows Azure Pack

In order to use CA signed certificates in our PoC environment we need to do the following:

  • Install a CA Server
  • Configure the CA Server
  • Request Web Server certificates from the CA Server
  • Change the Web Sites to use the certificates.

 

Install a CA Server

To install a CA Server, follow these steps:

  1. Logon to the server that will be running the CA Server (e.g. DC01)
  2. Start Server Manager.
  3. Select Dashboard on the left.
  4. Click Add roles and features.
  5. Click Next on Before you begin, Installation type and Server selection.
  6. In Server Roles select Active Directory Certificate Services under Roles.
  7. Click Next on Features.
  8. Under Role Services select the following: Certification Services, Certificate Enrollment Policy.., Certificate Enrollment Web, Certification Authority..
  9. Accept the add-ons and click Next through to Web Role Services.
  10. Click Install.
  11. Verify that the install finishes with success.

 

Configure CA Server

Do the following to configure the newly installed CA Server:

  1. On the CA Server start Server Manager as a user that is a member of Enterprise Admins.
  2. Select AD CS on the left.
  3. A message will show in the main window:

    Figure 3: Configuring CA Server in Server Manager

  4. Click on More.
  5. In the server task details click on Configure Active Directory Cert..
  6. Select All Roles to configure except for Web Service and click Next.
  7. Select Enterprise CA.
  8. Select Root CA.
  9. Select Create a new private key and click Next.
  10. Click Next on Cryptography.
  11. Click Next on CA Name, keeping the default.

    Figure 4: CN Names for the CA Server

  12. Keep 5 years and click Next.
  13. Click Next on Certificate Database.
  14. Select Windows Integrated auth.. and click Next.
  15. Under Server Certificate select Choose and assign a certificate for SSL later and click Next.
  16. Click Configure.
  17. Click Close.

     

Change Web Sites to use Certificates

 

Issue Certificate for the WAP Admin Portal

Greg from CAT has created a blog post which describes how certificate issuance can be automated. The blog post can be found here: Automating Active Directory Certificate Services with Windows PowerShell – Part 1.

The manual steps are described below.

To issue certificates for the WAP Services, the following steps need to be done:

  1. Logon to the WAP Server as an administrator (e.g. wap01.contoso.com)
  2. Open IIS Manager on the WAP Portal Server
  3. Select the IIS server under connections
  4. In the main window select server certificates under IIS
  5. In the right-hand pane select Create Domain Certificate
  6. Specify the following:
    1. Common name: the WAP Admin FQDN (e.g. wapadmin.contoso.com)
    2. Organization: Contoso
    3. Organizational unit: NA
    4. City: NA
    5. State: NA
  7. Click Next
  8. Select a CA and provide the friendly name for the certificate (e.g. wapadmin.contoso.com)

    Figure 5: Certificate request from IIS Manager

  9. Click Finish
  10. Verify that the certificate shows in the list of certificates

    Figure 6: Certificate list in IIS Manager

    We now have a web certificate that we can use for the WAP Admin Portal.

     

  11. Request two more certificates following the same procedure:
    1. WAP Authentication: wap01.contoso.com
    2. WAP Tenant Portal Internal: wapcloud.contoso.com
  12. There should now be three certificates from the Contoso CA in the Web Server Certificates list.

    Figure 7: WAP Certificates in IIS Manager

     

Change ports and certificates for the WAP Admin Portal

The following steps need to be done in order to change the port and certificate for the Admin Portal.

  1. Logon to the WAP server as Administrator (this assumes an express install).
  2. Start IIS Manager.
  3. Expand IIS Server > Sites.
  4. Right-click MgmtSvc-AdminSite and select Edit Bindings.
  5. Select https 30091 and click Edit.
  6. Change the port to 443.
  7. Set the host name to wapadmin.contoso.com.
  8. Select the certificate that was created earlier from the CA in the drop-down list.

    Figure 8: IIS Certificate list for Web Site Bindings

  9. Click OK.
  10. Restart the Web Site.
  11. Right-click MgmtSvc-WindowsAuthSite and select Edit Bindings.
  12. Select the wap01.contoso.com certificate from the list.
  13. Click OK.

 

Change ports and certificates for the WAP Tenant Portals

The following steps need to be done in order to change the ports and certificates for the Tenant Portal and the Tenant Authentication site.

  1. Logon to the WAP server as Administrator (this assumes an express install).
  2. Start IIS Manager.
  3. Expand IIS Server > Sites.
  4. Right-click MgmtSvc-TenantSite and select Edit Bindings.
  5. Select https 30081 and click Edit.
  6. Change the port to 443.
  7. Set the host name to wapcloud.contoso.com.
  8. Select wapcloud.contoso.com in the drop-down list for certificates.
  9. Click Close.
  10. Right-click MgmtSvc-AuthSite and select Edit Bindings.
  11. Select https 30071 and click Edit.
  12. Change the port to 444.
  13. Select wapcloud.contoso.com in the drop-down list for certificates.
  14. Restart the MgmtSvc-TenantSite Web Site from the Actions menu.
  15. Restart the MgmtSvc-AuthSite Web Site from the Actions menu.
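The certificate requests and binding changes from the IIS Manager steps above (Issue Certificate for the WAP Admin Portal through Change ports and certificates for the WAP Tenant Portals), done in PowerShell instead. This is an added example and not code from the original post; it assumes an express install on WAP01, the WebAdministration and PKI modules of Windows Server 2012 R2, and that the enterprise CA publishes a certificate template named WebServer (assumption; adjust to your template name).

```powershell
# Added example, not from the original post. Requests web server certificates from the
# Contoso enterprise CA and rebinds the four WAP sites to the names and ports of this
# post's scenario. Run on the WAP server (WAP01) as an administrator.
Import-Module WebAdministration
Import-Module PKI

function Get-WapWebServerCert {
    param([string]$Subject)
    # Reuse a still-valid certificate already issued for this name, otherwise enrol a new one.
    # "WebServer" as the template name is an assumption; use the template your CA publishes.
    $pattern  = '^CN=' + [regex]::Escape($Subject) + '(,|$)'
    $existing = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $pattern -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($existing) { return $existing }
    $result = Get-Certificate -Template WebServer -SubjectName "CN=$Subject" -DnsName $Subject `
                              -CertStoreLocation Cert:\LocalMachine\My
    if ($result.Status -ne 'Issued') { throw "Enrollment for $Subject ended with status $($result.Status)" }
    return $result.Certificate
}

function Set-WapHttpsBinding {
    param([string]$Site, [int]$OldPort, [int]$NewPort, [string]$HostHeader, [string]$CertSubject)
    $cert = Get-WapWebServerCert -Subject $CertSubject

    # Drop the old https binding (e.g. *:30081:) and create the new one.
    # SslFlags 1 = Server Name Indication, which is what lets the Admin and Tenant portals
    # both listen on 443 with different certificates. The IIS Manager steps above do not
    # mention the "Require Server Name Indication" checkbox, so this is an addition.
    $sslFlags = if ($HostHeader) { 1 } else { 0 }
    Get-WebBinding -Name $Site -Protocol https -Port $OldPort | Remove-WebBinding
    New-WebBinding -Name $Site -Protocol https -Port $NewPort -HostHeader $HostHeader -SslFlags $sslFlags
    $binding = Get-WebBinding -Name $Site -Protocol https -Port $NewPort -HostHeader $HostHeader
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Scenario values from this post. The Admin authentication site keeps port 30072 and gets
# no host name; only its certificate changes, as in step 11-13 of the Admin Portal procedure.
Set-WapHttpsBinding -Site 'MgmtSvc-AdminSite'       -OldPort 30091 -NewPort 443   -HostHeader 'wapadmin.contoso.com' -CertSubject 'wapadmin.contoso.com'
Set-WapHttpsBinding -Site 'MgmtSvc-WindowsAuthSite' -OldPort 30072 -NewPort 30072 -HostHeader ''                     -CertSubject 'wap01.contoso.com'
Set-WapHttpsBinding -Site 'MgmtSvc-TenantSite'      -OldPort 30081 -NewPort 443   -HostHeader 'wapcloud.contoso.com' -CertSubject 'wapcloud.contoso.com'
Set-WapHttpsBinding -Site 'MgmtSvc-AuthSite'        -OldPort 30071 -NewPort 444   -HostHeader 'wapcloud.contoso.com' -CertSubject 'wapcloud.contoso.com'

# Restart the sites, as the manual steps do, so the new bindings are picked up.
'MgmtSvc-AdminSite', 'MgmtSvc-WindowsAuthSite', 'MgmtSvc-TenantSite', 'MgmtSvc-AuthSite' |
    ForEach-Object { Stop-Website -Name $_; Start-Website -Name $_ }
```

The WAP database still points at the old names and ports after this; the Set-MgmtSvc* commands in the next section are what update it.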

 

Update Windows Azure Pack with the new settings

Updating the Windows Azure Pack Admin Portal

The TechNet documentation can be found here: Reconfigure FQDNs and Ports in Windows Azure Pack

To update WAP with our modifications, the following commands need to be executed; we will use the values from the scenario.

  • Set-MgmtSvcFqdn: Updates the FQDN and port of the modified services in the WAP database.
  • Set-MgmtSvcRelyingPartySettings: Sets the relying party settings, i.e. the location of the WAP authentication service the portal (Tenant or Admin) sends users to.
  • Set-MgmtSvcIdentityProviderSettings: Updates the identity provider settings, i.e. where the authentication service redirects users once they have been verified.

We will be using the following arguments while executing the commands:

WAP Database Server:  db02.contoso.com

WAP Database user:    sa

Admin Portal FQDN:    wapadmin.contoso.com

Admin Portal Port:    443

Admin Auth Service:   wap01.contoso.com:30072

 

To update the WAP database with the modifications made to the WAP Services, do the following:

  1. Logon to the WAP Server as a WAP Administrator.
  2. Start a PowerShell window.
  3. Import the WAP PowerShell module:

    Import-Module -Name MgmtSvcConfig

     

  4. Update WAP Admin Portal with the updated FQDN settings by running the following command:

    Set-MgmtSvcFqdn -Namespace "AdminSite" -FullyQualifiedDomainName "wapadmin.contoso.com" -Port 443 -Server "db02"

     

     

  5. To set the WAP authentication service FQDN for the Admin Portal, run the following command:

    Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://wap01.contoso.com:30072/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=*******"

     

  6. To set the authentication service redirection location to the Admin Portal, run the following command:

    Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://wapadmin.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"

     

     

Updating the Windows Azure Pack Tenant Portal

The following values are used for configuring the WAP Tenant Portal.

WAP Database Server:  db02.contoso.com

WAP Database user:    sa

Tenant Portal FQDN:   wapcloud.contoso.com

Tenant Portal Port:   443

Tenant Auth Service:  wapcloud.contoso.com:444

 

To update the tenant portal do the following:

  1. Logon to the WAP Server as an Administrator.
  2. Start PowerShell.
  3. Import the WAP PowerShell module:

    Import-Module -Name MgmtSvcConfig

     

  4. Update WAP Tenant Portal with the updated settings by running the following command:

    Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName "wapcloud.contoso.com" -Port 443 -Server "db02"

     

  5. Update WAP Tenant Auth Site with the updated settings by running the following command:

    Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName "wapcloud.contoso.com" -Port 444 -Server "db02"

     

  6. To set the WAP authentication service FQDN for the Tenant Portal, run the following command:

    Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'https://wapcloud.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"

     

  7. To set the authentication service redirection location to the Tenant Portal, run the following command:

    Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://wapcloud.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"

     

Verify that the WAP modifications work

To verify that the modifications work, do the following:

Pre-requisite: As we don't have a public certificate for our PoC setup, we are going to install the CA certificate in the trusted root certificate store on the computers from which we will access the WAP Portals.

  1. Login to a computer as a user that has WAP Admin Portal access.
  2. Start a browser.
  3. Type the URL that the WAP Admin Portal was changed to (e.g. https://wapadmin.contoso.com).

    Verify that the WAP Admin Portal loads using the new URL.

    Figure 9: Updated URL in the WAP Admin Portal

     

  4. Verify that the Tenant Portal works by opening a browser and going to https://wapcloud.contoso.com.
  5. During the sign-in process, note the redirection to the wapcloud.contoso.com:444 authentication site.

     

    Figure 10: Updated URL in the WAP Tenant Portal

  6. Verify that after signing in you are redirected back to the WAP Tenant Portal.

    Figure 11: Updated URL in the WAP Tenant Portal
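An added verification script (not part of the original post) that checks from PowerShell what the steps above check in a browser: the certificate each reconfigured endpoint presents, whether it chains to a trusted CA on the client, and whether each site serves the FederationMetadata.xml document that the Set-MgmtSvc* commands point at. Host names and ports are the scenario's values; run it from a domain-joined client that trusts the Contoso CA.

```powershell
# Added example, not from the original post. Checks the TLS certificate and federation
# metadata of each WAP endpoint configured in this post.
function Test-WapTlsEndpoint {
    param([string]$HostName, [int]$Port)
    # AuthenticateAsClient sends SNI = $HostName, so a host-name binding is exercised exactly
    # as a browser would exercise it.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; we validate it ourselves below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Chain building uses this machine's trust store, so ChainOk is true only when the
        # Contoso CA certificate has been installed, which is the pre-requisite above.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Endpoint    = "${HostName}:$Port"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            NameMatches = ($dnsName -eq $HostName)
            ChainOk     = $chainOk
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally {
        $client.Close()
    }
}

function Test-WapFederationMetadata {
    param([string]$Url)
    # The portals and auth sites must answer this URL with SAML EntityDescriptor metadata; the
    # Set-MgmtSvc* cmdlets above fetch it, and the HTTP 503 and the XmlException reported in
    # the comments below are both signs of this document not being returned as expected.
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing
        $xml = New-Object System.Xml.XmlDocument
        $xml.LoadXml($response.Content.TrimStart([char]0xFEFF))   # strip a UTF-8 BOM if present
        [pscustomobject]@{ Url = $Url; Status = $response.StatusCode
                           Root = $xml.DocumentElement.LocalName; EntityId = $xml.DocumentElement.GetAttribute('entityID') }
    } catch {
        [pscustomobject]@{ Url = $Url; Status = 'ERROR'; Root = $_.Exception.Message; EntityId = $null }
    }
}

# Scenario values from this post.
@(
    @{ Host = 'wapadmin.contoso.com'; Port = 443 },
    @{ Host = 'wap01.contoso.com';    Port = 30072 },
    @{ Host = 'wapcloud.contoso.com'; Port = 443 },
    @{ Host = 'wapcloud.contoso.com'; Port = 444 }
) | ForEach-Object { Test-WapTlsEndpoint -HostName $_.Host -Port $_.Port } | Format-Table -AutoSize

@(
    'https://wapadmin.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml',
    'https://wap01.contoso.com:30072/FederationMetadata/2007-06/FederationMetadata.xml',
    'https://wapcloud.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml',
    'https://wapcloud.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml'
) | ForEach-Object { Test-WapFederationMetadata -Url $_ } | Format-Table -AutoSize -Wrap
```

A row with NameMatches false or ChainOk false is exactly what produces the browser certificate warning the post sets out to remove; Root should read EntityDescriptor for all four metadata URLs.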

     

Summary

The goal with this blog post was to show how it's possible to reconfigure portal names, ports and use trusted certificates after deploying the Windows Azure Pack.

In the blog post we did the following:

  • Created new DNS records
  • Installed and configured an Enterprise CA server
  • Issued certificates for the WAP Web Services
  • Changed host names, ports and certificates for the WAP Web Services
  • Updated the WAP database with the new configuration
  • Verified that the configuration was successful

In the next three blog posts Shri from the WAP Product team will walk you through how to configure ADFS with Windows Azure Pack.

  • Federated Identities to Windows Azure Pack through AD FS – Part 1 of 3 (Coming soon)
  • Federated Identities to Windows Azure Pack through AD FS – Part 2 of 3 (Coming soon)
  • Federated Identities to Windows Azure Pack through AD FS – Part 3 of 3 (Coming soon)

Happy building your PoC environment for Windows Azure Pack.

Anders Ravnholt

  • Thanks a lot for this post. I could not get the metadata endpoint to work on port 443. After digging around in the config for a few hours I still kept getting the HTTP 503 error on the following URL: /federationmetadata/2007-06/federationmetadata.xml. I finally found the following KB: http://support.microsoft.com/kb/2696987. Doing the following did the trick:

    netsh http delete urlacl url=https://+:443/FederationMetadata/2007-06/
    IISRESET

    Tuur

  • Really grateful for this best practice's existence.. thank you!

    But, I have a question..

    I have followed this best practice, but I am stuck in the following copied text,

    6. Re-establish trust for the Tenant Site

    Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'auth.skyhost.com/.../FederationMetadata.xml& -Server "your portal DB server" -UserName "your portal DB server admin user" -Password "your portal DB server admin user password"

    I don't have the federationmetadata.xml...

    Could you help me to find it?

    Is federationmetadata.xml generated when I install Active Directory Federation Services? Or maybe I can find it somewhere?

    Thank you...

    Warm regards,

    Widi Hong

  • Hi Widi Hong
    This blog post only deals with how you can change your WAP web services to use other names and ports. This does not configure ADFS integration. The blog posts linked at the start of this blog post tell how this can be achieved using ADFS. The XML file you are referencing would be located on the server where you installed the default .NET auth for WAP (web service). By default this uses port 30074, but if you change this port you would have to update WAP to know where to go for the auth request. Again, this is out of the box before you configure ADFS.

    Hope this makes sense.

    Thanks

    Anders

  • Need some help here please.

    I get an error on the Tenant Site while running:

    Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'https://xxxauth.com:443/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=xxx;User ID=sa;Password=xxx"

    Error is:

    Set-MgmtSvcRelyingPartySettings : CData elements not valid at top level of an XML document. Line 1, position 3.
    At line:1 char:1
    + Set-MgmtSvcRelyingPartySettings –Target Tenant –MetadataEndpoint ‘https://xxx ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Set-MgmtSvcRelyingPartySettings], XmlException
    + FullyQualifiedErrorId : System.Xml.XmlException,Microsoft.WindowsAzure.Config.PowerShell.Claims.SetRelyingPartySettings

    as a note, the following run fine:

    Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName "xxx.com" -Port 443 -Server "xxx.priv"

    Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName "xxx.com" -Port 443 -Server "xxx.priv"

    Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://xxx.com:443/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=xxx;User ID=sa;Password=xxx"

    Additional notes:
    I created host records to resolve IPs for the external records (since I haven't published via a public IP until I get everything working internally).
    Windows Azure Pack v2

    thanks in advance

  • Thanks Anders. Worked for me. This post is a LOT easier to understand than .../dn528551.aspx