~ Mark Stanfill
Windows Azure Pack for Windows Server (WAP) integrates with System Center 2012 Virtual Machine Manager (VMM 2012) by using Service Provider Foundation (SPF) as a middle layer that translates PowerShell cmdlets into REST API/OData calls and vice versa. This guide is a checklist of the configuration settings that need to be in place to successfully integrate WAP, SPF, and VMM. In the example screenshots below, CONTOSO\SpfSvcAcct is the domain service account, and spflocal is the local user account for SPF.
Open Internet Services Manager (InetMgr) and navigate to <SERVERNAME>\Application Pools. Filter on VMM and verify that the identity is a domain account that has Logon As a Service rights.
To change this setting, right-click on the VMM application pool and choose Advanced Settings... Click on Identity, and choose Custom Account. Enter the name in <DOMAIN>\<SERVERNAME> format and enter the password. Run IISReset to have the changes take effect.
SPF uses the DefaultAppPool application pool by default. Verify that the identity of this application pool is a member of the VMM Administrator role and also that it has access to the SPF SQL Server instance (SCSPFDB by default).
Open Internet Services Manager and navigate to <SERVERNAME>\Sites\SPF. Double-click on Authentication and verify that Basic Authentication is Enabled.
On the SPF server, create a local user in Local Users and Groups (lusrmgr.msc) and add it to the SPF_Admin, SPF_Provider, SPF_Usage, and SPF_VMM groups.
Use the local account created above to register SPF with WAP. Navigate to https://localhost:30091/#Workspaces/SystemCenterAdminExtension/quickStart and configure (or re-configure) your SPF account settings to use the local account. Enter only the user name; do not include the computer name.
There is no need to manually configure tenants in SPF. Allow WAP to handle tenant account management. This allows the user's profile to be created and prevents possible timeout events.
Depending on your domain and local IIS configuration, several factors can prevent you from authenticating locally to the same server (for example, when you are logged on directly to a WAP Express install computer or the Admin Portal machine and launch Internet Explorer on that same machine). Kernel-mode authentication (see http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx for more details) in particular may prevent the authentication servers from correctly handling requests. Rather than modifying the WAP IIS settings, simply access the web page remotely from a workstation.
Load Local Users and Groups (lusrmgr.msc) and verify that the account you are using to access the WAP site is a member of the local machine’s MgmtSvc Operators group.
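The checklist above can be verified in one pass from an elevated PowerShell prompt on the SPF server. The script below is an added example, not part of the original post; it assumes the WebAdministration module is present, that the VMM application pool is named VMM and the SPF site is named SPF, and it uses the post's example account names (spflocal, CONTOSO\SpfSvcAcct) as placeholders to adjust for your environment.

```powershell
# Added verification script (not from the original post). Assumes it runs on the
# SPF server with the WebAdministration module (IIS 7.5+), that the VMM application
# pool is named VMM and the SPF site is named SPF. Account names are placeholders
# taken from the post's example; change them to match your environment.
Import-Module WebAdministration

$LocalSpfAccount = 'spflocal'            # local SPF user registered with WAP
$WapAccount      = 'CONTOSO\SpfSvcAcct'  # account used to browse the WAP admin site
$results = @()

function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# 1. VMM application pool must run as a custom DOMAIN\user identity, not a built-in one.
$pm = Get-ItemProperty 'IIS:\AppPools\VMM' -Name processModel
Add-Check 'VMM app pool uses a custom domain identity' `
    ($pm.identityType -eq 'SpecificUser' -and $pm.userName -match '^[^\\]+\\[^\\]+$') `
    "identityType=$($pm.identityType) userName=$($pm.userName)"

# 2. Basic Authentication must be enabled on the SPF site.
$basic = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\SPF' `
    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
Add-Check 'Basic Authentication enabled on SPF site' ([bool]$basic.Value) "enabled=$($basic.Value)"

# 3. The local SPF account must belong to all four SPF_* groups.
# Membership is read through ADSI so the check also works on Server 2012 R2,
# where Get-LocalGroupMember is not available.
function Test-LocalGroupMember([string]$Group, [string]$User) {
    $members = ([ADSI]"WinNT://./$Group,group").Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
    return ($members -contains $User)
}
foreach ($g in 'SPF_Admin', 'SPF_Provider', 'SPF_Usage', 'SPF_VMM') {
    Add-Check "$LocalSpfAccount is in $g" (Test-LocalGroupMember $g $LocalSpfAccount) ''
}

# 4. The account that opens the WAP site must be in the local MgmtSvc Operators group
# (run this part on the machine hosting the WAP admin portal).
Add-Check "$WapAccount is in MgmtSvc Operators" `
    (Test-LocalGroupMember 'MgmtSvc Operators' ($WapAccount.Split('\')[-1])) ''

$results | Format-Table -AutoSize
```

The VMM Administrator role membership and SQL access of the DefaultAppPool identity are not checked here; verify those in the VMM console and SQL Server Management Studio as the post describes.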
Mark Stanfill | Senior Support Escalation Engineer | Management and Security Division
I don't get why I must use a local account instead of a domain account to connect WAP to SPF. In my test lab I use a domain account without any problems.
I have some other experience that I have written down here:
Similar to Daniel, I have found that it will register with a domain account, but not with a local account. This is with R2.