
Windows Azure Pack Guide Page 1 of 111

Windows Azure Pack for

Windows Server 2012 R2


Table of Contents

Architecture ......................................................................................................................................... 6

Architecture layers .............................................................................................................................. 7

Windows Azure Pack and System Center ........................................................................................ 8

Windows Azure Pack Customization and Extensibility Capabilities ............................................. 8

Partner Solutions ................................................................................................................................ 9

For More Information: ............................................................................................................................ 9

Windows Azure Pack - Installing & Configuring Series. .............................................................. 10

Scenario: ............................................................................................................................................. 10

Pre-requisites. ................................................................................................................................... 12

Installing Windows Azure Pack: .............................................................................................................. 12

Validating the installation succeeded: ............................................................................................... 15

Configuring VMM and SPF ...................................................................................................................... 16

Virtual Machine Manager (VMM) High Level Configuration .......................................................... 16

Service Provider Foundation High Level Configuration .................................................................. 18

Add a local user to SPF_ local groups ............................................................................................ 18

Verify that the SPF Web Service is running under the right user credentials ........................... 19

Configuring the Windows Azure Pack ................................................................................................... 19

Configuring VM Clouds Resource Provider in the Windows Azure Pack ...................................... 19

Configure SQL Servers Resource Provider in Windows Azure Pack .............................................. 21

Configuring a Plan in Windows Azure Pack ...................................................................................... 22

Configure an Admin Account and a subscription in Windows Azure Pack .................................... 24

Login as a Tenant and provision a VM and SQL Database to a Cloud. ............................................. 25

Reconfigure portal names for Windows Azure Pack ........................................................................... 30

Create a DNS record for the new portals. ......................................................................................... 31

Use trusted certificates for the Windows Azure Pack .......................................................................... 31

Install a CA Server ................................................................................................................................. 32

Configure CA Server ............................................................................................................................. 32

Change WEB Sites to use Certificate .................................................................................................. 33

Issue Certificate for the WAP Admin Portal .................................................................................. 33

Change ports and certificates for the WAP Admin Portal ............................................................... 35


Change ports and certificates for the WAP Tenant Portals ............................................................ 35

Update Windows Azure Pack with the new settings ........................................................................... 36

Updating the Windows Azure Admin Portal ..................................................................................... 36

Updating the Windows Azure Tenant Portal .................................................................................... 38

Verify the WAP modification works. ....................................................................................................... 39

Summary .................................................................................................................................................... 40

Scenario ..................................................................................................................................................... 42

Personas ..................................................................................................................................................... 42

Assumptions and Scope .......................................................................................................................... 43

Enabling the AD FS Role .......................................................................................................................... 43

Configuring the AD FS server .................................................................................................................. 45

Scenario ..................................................................................................................................................... 52

Personas ..................................................................................................................................................... 52

Scope .......................................................................................................................................................... 53

Federating AD FS with WAP .................................................................................................................... 53

AD FS Configuration ............................................................................................................................. 54

WAP Configuration ............................................................................................................................... 68

Scenario ..................................................................................................................................................... 71

Personas ..................................................................................................................................................... 72

Assumptions and Scope .......................................................................................................................... 72

Overview of Scenario ............................................................................................................................... 72

Establish trust between Contoso's AD FS and WAP Tenant Portal .................................................... 74

Adding a WAP Tenant Portal as a Relying Party to Contoso's AD FS ........................................... 74

Adding Contoso's AD FS as a Claims Provider to the Tenant Portal ............................................. 78

Add Fabrikam's AD FS as Claims Provider to Contoso's AD FS ...................................................... 78

Adding Contoso AD FS as a Relying Party to Fabrikam's AD FS .................................................... 90

Windows Azure Pack blog posts on Building Clouds & TechNet .................................................... 104

Windows Azure Pack Introduction, Overview and Concepts ............................................................ 104

Windows Azure Pack & Installing and Configuring ........................................................................... 105

Windows Azure Pack & Service Provider Foundation (SPF) ............................................................. 105

Windows Azure Pack & Service Management Automation (SMA) .................................................. 106


Windows Azure Pack & Gallery Items and VM Roles ........................................................................ 107

Windows Azure Pack & Web Sites ....................................................................................................... 108

Windows Azure Pack & Plan and Subscriptions ................................................................................. 108

Windows Azure Pack & Usage and Billing .......................................................................................... 108

Windows Azure Pack & Identity and ADFS ......................................................................................... 109

Windows Azure Pack & Networking .................................................................................................... 109

Windows Azure Pack & Troubleshooting ........................................................................................... 110

Windows Azure Pack & Extending and Customization ..................................................................... 111

Windows Azure Wiki .............................................................................................................................. 111


Throughout this Success with Hybrid Cloud series, I’ve emphasized the importance of linking private and public

clouds – and Windows Azure Pack (WAP) is that link. WAP provides a consistent experience between Windows

Azure and private clouds, and this allows service providers (hosters) and enterprises to offer their “customers”

Windows Azure-like capabilities, hosted within their own data center.

WAP leverages the same console and API technology used in Azure, and this brings a consistent platform of

portal + API between private, public, and hosted clouds.

WAP offers a series of services to its consumers by providing an Azure-like experience that includes a consistent

interface, as well as a common API, that enables a consistent way to consume these services. These services

include, but are not limited to, IaaS, Web PaaS and Database as a Service (DBaaS).

The architecture of this consistent experience looks like this:

Source : Anders Ravnholt

http://blogs.technet.com/b/privatecloud/

Author : James van den Berg

http://mountainss.wordpress.com

Twitter : @jamesvandenberg

System Center Cloud and Datacenter Management


Architecture

WAP architecture is an amalgamation of different web services which, when combined, offer an array of service

layers.

There are two portals that make up the WAP solution.

Admin Portal

This portal lets you configure the different services offered via WAP, as well as defining plans (what

services can be consumed and how much), and mapping these to subscriptions (who can consume

services) so tenants can start using those services via the customer portal. The admin portal also offers

the possibility to manage automation and metering for services consumed by customers. The admin

portal resides inside the datacenter as an interface for WAP administrators.

Customer (tenant) Portal

This portal allows tenants to consume services from WAP. These services include IaaS, Web PaaS, and

DBaaS – and it enables 3rd party extensions to be used by customers. Using the WAP Tenant Portal,

customers can manage these services in a way that's very similar to how services are managed in

Azure. The WAP portal experience is almost identical to Azure's and offers very similar capabilities for the

services listed above.

To understand how these two portals look side-by-side, consider this illustration:


Architecture layers

WAP is made up of a series of sites and endpoints responsible for different functions. Each component (site or

endpoint) uses web services (REST data). The WAP service can be illustrated in the following way:

The two WAP deployment options are:

1. Express Deployment

   All WAP Portal and API services deployed on a single server

2. Distributed Deployment

   Components are separated for security

   Increased numbers of servers to address performance

   Scale out all nodes for high availability


Windows Azure Pack and System Center

Windows Azure Pack uses System Center 2012 R2 for IaaS. Windows Azure Pack uses Service Provider

Foundation (a new component in System Center) to manage IaaS. Service Provider Foundation (SPF) provides a

multitenant interface to components of System Center. System Center uses SPF as an interface to communicate

with Virtual Machine Manager and Operations Manager to deploy, manage, and delete VMs using VMM.

System Center also uses SPF to extract usage from SCOM for metering and usage in WAP.

By using SPF, WAP can use multiple “stamps” and scale the environment when needed for IaaS service.

Windows Azure Pack Customization and Extensibility Capabilities

One of the strengths of WAP is its rich extensibility model. The different extensibility and customization

capabilities include:

Custom Management Portals

Custom Theming

Usage Service

Custom Resource Providers

PowerShell

Custom Management Portals

While WAP provides a consistent UX with Windows Azure, you may want to use your own portal to offer cloud

services to your tenants. WAP supports this setup and it allows organizations to build or use their own custom

portals while leveraging the WAP Service Management API as it allows organizations to programmatically

perform tasks that are accessible through the default WAP portals.

For more details on how to integrate custom portals with WAP check out this article, and also check this

sample portal from the Building Clouds Blog that leverages the Service Management API.

Custom Theming

WAP allows you to customize the theming of the tenant site with your organization’s logo, colors, and icons.

You can refer to this site for more details on WAP custom theming.

Usage Service

A very important aspect of the cloud services provided through WAP is that the consumption usage of those

services and resources is captured – thus, service providers can extract that data for analytic purposes and for

billing their tenants for the resources they consume.

While WAP does not provide an out-of-the-box implementation of a billing system, it does provide a Usage

Service REST API. Service Providers can then develop a Billing Adapter that acts as the interface between the

WAP Usage Service and the service providers own billing service.

You can read more about the WAP Usage Service here, and you can check some sample Billing Adapters here

and here.


Custom Resource Providers

WAP offers cloud services using Resource Providers. Out of the box, WAP includes the Web Sites, VM Clouds,

SQL Server, MySQL and Service Bus Resource Providers. When these resource providers don’t provide the

cloud services you would want to offer, WAP allows you to create Custom Resource Providers that can offer

additional cloud services to your tenants by leveraging the Service Management API.

For more guidance on custom Resource Providers refer to the Windows Azure Pack Custom Resource Providers

section in the Windows Azure Pack Developers Kit. For a jumpstart on using Custom Resource Providers go

ahead and download, deploy and evaluate the “Hello World” sample that is included in the WAP Developers

Kit.

PowerShell

Windows PowerShell support for WAP is provided in two different ways:

Administrative tasks (such as feature configuration, plans, and resource management) are provided via

the PowerShell cmdlets that are included when you install WAP.

The PowerShell cmdlets for the management of tenant resources (available under a specific

subscription) are included as part of the Windows Azure SDK and can be obtained from this link.

Partner Solutions

Windows Azure Pack has a list of partner solutions which enrich the experience for given scenarios. In particular,

check out:

Cloud Cruiser

Enables billing (Finance Management) for WAP services, which enables the service provider to bill for

the services consumed by tenants. More info here.

For More Information:

Windows Azure Pack Overview from the Building Clouds Blog.

Windows Azure Pack: Installing & Configuring Series.

Intro to Troubleshooting Installation & Configuration of Windows Azure Pack.

IaaS Usage and Service Reporting using System Center 2012 R2 and WAP.

Service Management Automation: Getting Started with SMA Runbooks.


Windows Azure Pack - Installing & Configuring Series.

Anders Ravnholt [MSFT], Microsoft

6 Dec 2013 5:00 AM

After numerous requests from people we have talked to, we are now doing a blog post on how to install

Windows Azure Pack and configure the basic settings for the IaaS and Databases Resource Providers.

In the following series of blog posts Shri from the Windows Azure Pack Product team and I will explain how you

can:

Windows Azure Pack - Installing & Configuring Series. (This blog post)

Windows Azure Pack - Reconfigure portal names, ports and use trusted certificates

Federated Identities to Windows Azure Pack through AD FS – Part 1 of 3

Federated Identities to Windows Azure Pack through AD FS – Part 2 of 3

Federated Identities to Windows Azure Pack through AD FS – Part 3 of 3

Scenario:

Contoso Inc is a Service Provider offering IaaS services such as Virtual Machines and SQL Databases to its

customers (tenants).

Contoso has a domain called Contoso.com and wants to deploy a Windows Azure Pack infrastructure which

enables them to offer VM and Database services.


They want to set up a Proof of Concept to test the solution. The solution has a simplified setup compared to

what it would look like in production, as it will be used to test general concepts.

The Proof of Concept environment will look like the following:

The Servers will be configured as follows:

Role                         Name                Function
Active Directory             DC01.contoso.com    Active Directory, ADFS, Certificate Server
Windows Azure Pack           WAP01.contoso.com   Windows Azure Pack Express Install
Service Provider Foundation  SPF01.contoso.com   Service Provider Foundation
SQL Server                   DB01.contoso.com    SQL Instance
Virtual Machine Manager      VMM01.contoso.com   Virtual Machine Manager 2012 R2 managing one Hyper-V host

This blog post will take you from Installing Windows Azure Pack all the way to deploying your first VM and

Database in your Cloud.

This is not in any way replacing the TechNet documentation, but due to many requests of having a scenario

based example we have taken the feedback and created this blog post.

The following links are the official documentation for Installing and configuring Windows Azure Pack.


Deploy Windows Azure Pack for Windows Server

Windows Azure Pack installation checklist

Administer Plans and Add-ons

In this blog post we will explain how to perform the following tasks:

Installing Windows Azure Pack

Configuring VMM and SPF

Configuring Windows Azure Pack

Login as a Tenant and provision a VM and SQL Database

Pre-requisites.

Virtual Machine Manager is installed and configured and:

o Member of the Contoso.com domain.

o One or more VMM Clouds created in VMM.

o One or more VM Networks created in VMM.

Service Provider Foundation is installed using default install on the server specified above.

o Running Windows Server 2012 R2

o Database running on DB01

o SPF IIS Web service running under a domain account

o Member of the Contoso.com domain

SQL Server is installed running SQL 2012

o With SQL Authentication enabled (Using SA)

o Member of the Contoso.com domain

Disclaimer: This environment is meant for testing only. This should not be considered guidance for

production use, as several decisions made in this blog post are not targeting a production environment.

Let's get started:

Installing Windows Azure Pack:

1. Deploy a Windows Server 2012 R2 GUI server and join it to the domain.

2. Install the following prerequisites:

   1. Install Microsoft Web Platform Installer 4.6 (can be downloaded from here; if the WAP server

      has no Internet access, follow this blog post).

   2. In Windows Server 2012 R2, install the following software through Web Platform Installer, in

      this order:

      1. Enable Microsoft .NET Framework 3.5 SP1 in Server Manager.

      2. .NET 4.5 Extended, with ASP.NET for Windows 8.

      3. IIS recommended configuration.

3. Disable Internet Explorer Enhanced Security.

4. Launch the Web PI installer.

5. Select Products from the top menu.

6. Type "Windows Azure Pack" in the search field on the left side.

7. Click Add next to Windows Azure Pack: Portal and API Express.


Figure 1: WAP Express installer in Web PI

8. Click Install at the bottom of the Web PI window.

9. Read the terms of use, Click I Accept.

10. When the wizard completes the installation, it presents a screen like the one shown in the picture

below, asking you to Continue. When you click the Continue button, an Internet Explorer window is

launched.

Figure 2: WAP Install screen in Web PI

Figure 3: WAP Install screen in Web PI


11. In the recently opened Internet Explorer page, copy the URL, and launch a new browser with

administrative privileges. When the new browser is opened, paste the URL you obtained before

(https://localhost:30101/).

12. In the browser, if you are presented with warnings related to the certificate, click Continue. The

Windows Azure Pack Setup is then displayed.

Figure 4: WAP Install screen in Web PI

13. In the Database Server page, provide the following information:

1. Server Name: an instance that accepts SQL Authentication (for example db01.contoso.com).

2. Authentication type: SQL authentication (Windows Authentication can also be used).

3. Database server admin username: sa

4. Password: ********

5. Passphrase: ********

14. Click on the arrow for next.

Figure 5: Database Server setup in WAP install


15. In the Customer Experience Improvement program select one option and click on Next.

16. In the Features Setup page click on the to finish the wizard.

17. Once the setup has completed, click the arrow button.

18. Sign out and Sign in from WAP01 (this needs to be done for the user to be registered correctly in

WAP).

19. Open a browser and go to: https://wap01:30091.

Validating the installation succeeded:

In order to verify that the installation succeeded, do the following:

1. Log on to the WAP Server as Administrator.

2. Start IIS Management Console.

3. Check that the following IIS WEB Sites are created:

4. Log on to the SQL Server (SQL01) as SQL Administrator.

5. Open SQL Management Studio on the SQL Server as SA.

6. Check that the following Databases were successfully created:


Figure 6: Websites created after WAP Install

Figure 7: Databases created after WAP Install
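As an added check (an example script, not from the original guide), the following PowerShell automates steps 3 and 6 above when run on WAP01: it lists the IIS sites created by the Express install and their state, confirms the two ports the guide uses (30101 for setup, 30091 for the admin portal) are listening, and lists the WAP databases on DB01. The site prefix MgmtSvc-* and the database prefix Microsoft.MgmtSvc.* are assumptions about the Express install's naming; the server name DB01 comes from the guide's environment table.

```powershell
# Added validation script, not part of the original guide. Run on WAP01 in an elevated
# PowerShell session. Assumes the WebAdministration module is present (it is installed with IIS)
# and that the current Windows user has a login on the DB01 instance.
Import-Module WebAdministration

# 1. The Express install creates its IIS sites with a MgmtSvc- prefix (assumption based on the
#    install's naming). Report each site and flag any that is not started.
$wapSites = Get-Website | Where-Object { $_.Name -like 'MgmtSvc-*' }
if (-not $wapSites) {
    Write-Warning 'No MgmtSvc-* sites found: the Express install did not complete.'
}
foreach ($site in $wapSites) {
    $state = if ($site.State -eq 'Started') { 'OK' } else { 'NOT STARTED' }
    '{0,-32} {1}' -f $site.Name, $state
}

# 2. The two ports used in the guide must be listening locally:
#    30101 = configuration site (step 11), 30091 = admin portal (step 19).
foreach ($port in 30101, 30091) {
    $listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    $state = if ($listening) { 'LISTENING' } else { 'NOT LISTENING' }
    '{0,-32} {1}' -f "tcp/$port", $state
}

# 3. List the WAP databases on DB01. Windows authentication of the current user is used here,
#    so no 'sa' password has to be placed in a script.
$conn = New-Object System.Data.SqlClient.SqlConnection 'Server=db01.contoso.com;Integrated Security=True'
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    # Database name prefix is an assumption based on the install's naming.
    $cmd.CommandText = "SELECT name FROM sys.databases WHERE name LIKE 'Microsoft.MgmtSvc.%' ORDER BY name"
    $reader = $cmd.ExecuteReader()
    $count = 0
    while ($reader.Read()) {
        'Database: ' + $reader.GetString(0)
        $count++
    }
    $reader.Close()
    if ($count -eq 0) { Write-Warning 'No WAP databases found on db01.contoso.com.' }
}
finally {
    $conn.Close()
}
```

Compare the two lists with Figures 6 and 7 above; a missing site or database means the setup wizard (steps 13 to 17) did not finish and should be re-run from https://localhost:30101/.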

Configuring VMM and SPF

In this section we want to configure the following:

Virtual Machine Manager (VMM) High Level Configuration

Service Provider Foundation High Level Configuration

Virtual Machine Manager (VMM) High Level Configuration

The things to configure in SCVMM are the following, in high-level steps.

1. Logon to VMM Server as Administrator.

2. Start the VMM Console.

3. In the SCVMM console go to Fabric - Add Resources - Windows Server Computers in an AD Domain or

Untrusted AD domain and add the Hyper-V host to VMM.


4. Once the hosts have been added, copy one or more sysprepped VHDs to the VMM Library (e.g.

\\vmm01\MSSCVMMLibrary\VHDs).

5. Now create one or more clouds in SCVMM (in this case we created two: Contoso and Fabrikam) and

assign one or more logical networks to the cloud. Make sure you leave Capability Profiles unchecked.

6. Under VM Networks, create a VM Network, a subnet and an IP Pool. Connect the VM Network to a

logical network that was assigned to the cloud created earlier. (e.g. Contoso Tenant)

7. Then create one or more hardware profiles (for example, small, medium and large).

8. Create templates from the sysprepped VHDs copied to the library (for example, Windows Server 2012

R2 Core and Windows Server 2012 R2 GUI).


NOTE: When creating the VM templates, it is not necessary to select a hardware profile (for our

example we selected medium). Click Next, and make sure that you select Create new Windows

Operating System Customization Settings and select the operating system (for example, Windows

Server 2012 R2 Datacenter). If this is not selected, the VM will not show up in the Windows Azure Pack

Portal.

9. Select Settings.

10. Add the user under which the SPF Web Service (Application Pool) account is running to the

Administrators group.

1. Click Security > User Roles.

2. Click Administrators > Members.

3. Click Add and select the user that SPF Web Service (Application Pool) is running with. (e.g

contoso\!spf).

Service Provider Foundation High Level Configuration

Add a local user to SPF_ local groups

Things to configure in Service Provider Foundation are the following in high level steps.

1. Logon to the SPF Server as Administrator.

2. Start Computer Management.

3. Select Local User and Groups.

4. Create the user you want to use for SPF by right-clicking Users > New User (e.g. spf).

Note: This is not the same as the SPF Web Service (Application Pool). This is a local user on the SPF

Server.

5. Click on the user and select the "Member Of" tab.

6. Make the user a member of all groups whose names start with SPF_.


Verify that the SPF Web Service is running under the right user credentials

SPF executes commands against VMM in the security context of the user under which the web service is

running.

To verify that the SPF Web Service is running under the right service account do the following:

1. Log in to the SPF server as an administrator

2. Start IIS Manager

3. Expand SPF Server > Sites and verify that SPF shows in the list.

4. Select Application Pools in the Connections pane

5. Verify that both the VMM and Provider Application Pools are running under the account (Identity) that

is also a member of the VMM Administrators (e.g. contoso\!spf)
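The two SPF checks above (local SPF_ group membership and the application pool identity) can be scripted. The following is an added example, not part of the original guide; it assumes the names used in the guide: local user spf, application pools VMM and Provider, and the domain service account contoso\!spf that was added to the VMM Administrators role.

```powershell
# Added verification script, not part of the original guide. Run on SPF01 in an elevated
# PowerShell session. The names below are assumptions taken from the guide's examples.
Import-Module WebAdministration

$localUser        = 'spf'            # local SPF user created in Computer Management
$expectedIdentity = 'contoso\!spf'   # domain account added to the VMM Administrators role

# 1. The local SPF user must be a member of every local group whose name starts with SPF_.
#    ADSI is used because Get-LocalGroupMember is not available on Windows Server 2012 R2.
$computer  = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$spfGroups = $computer.Children | Where-Object {
    $_.SchemaClassName -eq 'Group' -and $_.Name -like 'SPF_*'
}
if (-not $spfGroups) {
    Write-Warning 'No SPF_* local groups found; is Service Provider Foundation installed here?'
}
foreach ($group in $spfGroups) {
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $state = if ($members -contains $localUser) { 'member' } else { 'MISSING' }
    '{0,-14} {1}' -f "$($group.Name)", $state
}

# 2. Both SPF application pools must run under the same specific domain account, because
#    SPF runs its VMM commands in that account's security context (step 5 above).
$pools = foreach ($name in 'VMM', 'Provider') {
    $pool = Get-Item "IIS:\AppPools\$name"
    [pscustomobject]@{
        Pool     = $name
        Identity = $pool.processModel.identityType
        Account  = $pool.processModel.userName
    }
}
$pools | Format-Table -AutoSize

foreach ($p in $pools) {
    if ($p.Identity -ne 'SpecificUser') {
        Write-Warning "Pool $($p.Pool) runs as $($p.Identity), not as a domain service account."
    }
    elseif ($p.Account -ne $expectedIdentity) {
        Write-Warning "Pool $($p.Pool) runs as $($p.Account); expected $expectedIdentity (the VMM Administrators member)."
    }
}
```

Any MISSING group or a warning about a pool identity corresponds to a skipped step in the two procedures above and will surface later as a failed SPF registration or an empty cloud list in the WAP Admin Portal.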

Configuring the Windows Azure Pack

In this section we want to configure the following:

Configuring VM Clouds Resource Provider in the Windows Azure Pack

Configure SQL Servers Resource Provider in the Windows Azure Pack

Configuring a plan in Windows Azure Pack

Configure an Admin Account and a subscription in the Windows Azure Pack

To do this we need to do the following:


Configuring VM Clouds Resource Provider in the Windows Azure Pack

1. Logon to WAP Admin Portal as an administrator (e.g. https://wap01.contoso.com:30091)

2. Finish the Intro tour and click Ok.

3. In the main window Select VM Clouds

4. In the VM Clouds Window select Register System Center Service Provider Foundation.

5. Type the Service URL, Username and Password.

Note: the User name and password is the user created locally on the SPF server and which was added

to the SPF groups (e.g. SPF01\spf).

6. Verify that the registration goes well.

7. Register VMM: Go to VM Clouds - Clouds - Use an existing Virtual Machine Cloud Provider to Provision

Virtual Machines, and provide the following info:

1. Virtual machine manager server: vmm01

2. Port number (optional):

3. Remote Desktop Gateway:

4. Click on register.

8. Verify that VMM Server registers correctly by selecting the server under clouds and verify that all

clouds shows for the VMM Server.


Configure SQL Servers Resource Provider in Windows Azure Pack

Now we'll configure SQL Server for hosting. To do this do the following:

1. In the WAP Admin Portal go to SQL Servers.

2. Click on Add an existing server to the hosting server group.

3. In the wizard provide the following information:

1. SQL Server Group: Default

2. SQL Server name: db01

3. Username: sa

4. Password: ********

5. Size of hosting server in GB: 20

Note: The SQL Server used for hosting must have SQL Authentication enabled for the SQL Servers resource provider to work.

4. Verify that the following message shows in the status area.


5. Under Servers there should now be a new SQL Server showing.

Configuring a Plan in Windows Azure Pack

1. In the WAP Admin Portal go to Plans.

2. Click on + New -> PLAN -> CREATE PLAN.

3. Specify a name for the plan (e.g. Contoso).

4. Select the services that should be offered via the plan (e.g. Virtual Machine Clouds and SQL Servers) and click Next.

5. Skip add-ons and click OK.

Note: In our scenario we created two plans: Contoso and Fabrikam.

6. Under Plans verify that the new plan(s) show in the list.


7. Click on the first plan created.

8. Under plan service click on Virtual Machine Clouds.

9. Select the VMM Server (there should only be one in the list).

10. Under Virtual Machine Cloud select the cloud you would like to use with the plan (e.g. Contoso).

11. Under Usage limit specify the usage limits that the plan should use.

12. Under networks click Add network.

13. Select the VM networks that should be used for the plan and click Ok.

14. Click Add hardware profiles.

15. Select the hardware profiles that should be used for the plan and click Ok.

16. Click Add Templates and select the templates that should be used for the plan.


17. Under Additional settings select the actions that should be allowed within the plan.

18. Click Save.

19. Verify that the plan service shows as configured and Active for both services.

Configure an Admin Account and a subscription in Windows Azure Pack

1. In the WAP Admin main menu click User Accounts.

2. Click + New -> User Account > Quick Create.

3. Provide the following information:

1. E-mail: e.g. [email protected]

2. Password: *******

3. Select a plan (e.g. Contoso)

4. Click Create.

5. Click on the newly created user and verify that a subscription shows.


Login as a Tenant and provision a VM and SQL Database to a Cloud

1. Open a browser and go to the WAP Tenant Portal (e.g. https://wap01.contoso.com:30081).

2. Specify the user account created earlier and its password (e.g. [email protected]).

3. Click on Submit.

4. Finish the introduction wizard.

5. Click on Virtual Machines.

6. Click Create a Virtual Machine Role.

7. Select Standalone Virtual Machine.

8. Select From Gallery -> Templates.

9. Select a template in the list and click Next.

10. Provide the following information for the VM:

1. Name: e.g. Contoso01

2. Password:

3. Product Key

Note: Depending on what kind of sysprepped image is used, it may be necessary to provide a product key. Only if the image is built from a Volume License image might a product key not be needed.

11. Select a network for the virtual machine, e.g. Contoso Tenant (this is the network that was selected when creating the plan).

12. Click Next.


13. Go to Virtual Machine Manager.

14. Start the VMM Console.

15. Select Jobs and select Running.

16. Verify that one job shows provisioning the virtual machine.

17. Go back to the WAP Tenant Portal.

18. Select SQL Server Databases.

19. Click Add a New Database.

20. Specify a Name for the Database (e.g. DB01).

21. Click Next.

22. Provide a User Name and a Password (e.g. dba01).

23. Click Ok to create the Database.

24. Verify that the job completes with success.

25. Click on All Items.

26. Verify that a VM and a Database show in the list.


Hope this blog post will help you with installing and configuring Windows Azure Pack by providing an end-to-end example.

In the next blog post we will look at how you can create certificates for Windows Azure Pack.

Until next time, happy installing and configuring Windows Azure Pack!

Windows Azure Pack - Reconfigure portal names, ports and use trusted certificates

Following up from the Installing and configuring Windows Azure Pack (WAP) series we are now at the point where we want to reconfigure server names and ports as well as assigning trusted certificates to my WAP Portals.

Blog posts in the series are:

Installing & Configuring Windows Azure Pack

Configuring Ports and Certificates for Windows Azure Pack (This blog post)

Federated Identities to Windows Azure Pack through AD FS – Part 1 of 3

Federated Identities to Windows Azure Pack through AD FS – Part 2 of 3

Federated Identities to Windows Azure Pack through AD FS – Part 3 of 3

In this blog post we will look at how you can change portal names and ports for the Tenant and Admin portals in WAP.

Once that is done we are going to issue certificates from an Enterprise CA to the Admin portal as well as issuing a certificate to the Tenant Portal. As I don't have a Public CA certificate I'm going to use one from my Enterprise CA, but the concept for a Public CA is exactly the same as if I was using certificates from a trusted CA like VeriSign or similar.


Figure 1: Windows Azure Pack Tenant Portal

Architecture:

Windows Azure Pack has different components which serve various functions.

By looking at the roles being installed on a WAP Server for an express install, we can see a long list of Web Services running on the WAP Server.

These different Web Services provide various roles within the WAP infrastructure.

In this blog post scenario, we will be working with the following Web Services:

WAP Tenant Portal Service (MgmtSvc-TenantSite): Hosts the WAP Tenant Portal

WAP Tenant Authentication Service (MgmtSvc-AuthSite): Hosts the authentication for tenants

WAP Admin Portal Service (MgmtSvc-WindowsAdminSite): Hosts the Admin Portal

WAP Admin Authentication Service (MgmtSvc-WindowsAuthSite): Hosts the Admin Authentication


Figure 1: List of Web Sites (roles) running on a WAP Server (Express install)

Figure 2: WAP Infrastructure example

When a tenant accesses the WAP Tenant portal (exposed to the Internet) they are redirected to the WAP Tenant Authentication Service, which validates whether the user is allowed to access the system. Once the WAP Tenant Authentication service has validated the user, the user is redirected back to the WAP Tenant portal with access to WAP services. The tenant authentication service uses claims-based authentication and can use different authentication methods such as ADFS or .NET. In this scenario we are using the default authentication (.NET); in the following three blog posts Shri from the WAP Product team will explain how you can change the WAP tenant authentication service to make use of ADFS.

In the PoC setup these services are running on the same server (WAP01.contoso.com) as shown in "figure 1".

A similar flow applies when a WAP Administrator accesses the WAP Admin portal (only accessible on the internal network): the WAP admin portal redirects the admin to the WAP Admin Authentication service, which by default uses Windows Authentication. Once the Windows Authentication service has authenticated the user, the user is redirected back to the WAP Admin portal with access to WAP.

Scenario:

After installing and configuring Windows Azure Pack with the basic settings for the Contoso.com proof of concept (PoC), the next steps are to configure the following:

Change WAP portal names.

Configure tenant and admin portals to run on port 443 (HTTPS).

Replace the self-signed certificates with certificates provided by the enterprise CA (and consequently remove the warnings displayed in Internet Explorer due to the self-signed certificates).

Change the WAP Tenant Portal to use an internet facing URL.

Change the WAP Tenant Authentication site to use the public web address that is also used by the WAP Tenant Portal.


The Servers are configured as follows:

Role                         Name                 Function
Active Directory             DC01.contoso.com     Active Directory, ADFS, Certificate Server
Windows Azure Pack           WAP01.contoso.com    Windows Azure Pack Express Install
Service Provider Foundation  SPF01.contoso.com    Service Provider Foundation
SQL Server                   DB02.contoso.com     SQL Instance hosting the WAP databases
Virtual Machine Manager      VMM01.contoso.com    Virtual Machine Manager 2012 R2 managing one Hyper-V host

The portals' DNS names will be renamed to the following:

WAP Admin Portal: wapadmin.contoso.com, port 443

WAP Tenant Portal Internal: WAPCloud.contoso.com, port 443

WAP Tenant Auth: wapcloud.contoso.com, port 444

Disclaimer: This environment is meant for testing only. This should not be considered guidance for production use, as several decisions made in this blog post are not targeting a production environment.

Reconfigure portal names for Windows Azure Pack

As the two WAP Portals by default (in our proof of concept) are installed with https://wap01.contoso.com:30081 for the Tenant Portal and https://WAP01.contoso.com:30091 for the Admin Portal, we want to change these to use more portal-friendly names.

To do this we need to do the following:

Create a DNS record for the new portals.

Install and configure an enterprise CA.

Request certificates for WAP Web Services from the CA.

Change ports and assign certificates for WAP Services.

Update Windows Azure Pack with the new web service modifications.


Create a DNS record for the new portals

To create new DNS records do the following:

1. Log on to the DNS server.

2. Start DNS Manager.

3. Expand dc01 > Forward Lookup Zones > <Yourdomain> (e.g. contoso.com).

4. Right click on <Yourdomain> and select New Host (A-Record).

5. Provide the DNS name and the IP address of the WAP Admin Server (e.g. Name: wapadmin, IP: 192.168.1.40).

Figure 3: Creating a new A-record in DNS manager

6. Create the other DNS name for the remaining portal (e.g. wapcloud) and provide the WAP01 IP address, as all roles are installed on the same server in the PoC.

7. Verify that the DNS records show in the list.

Figure 2: List of DNS records in DNS Manager.

8. Close the DNS Manager.


Use trusted certificates for the Windows Azure Pack

In order to use CA signed certificates in our PoC environment we need to do the following:

Install a CA Server

Configure the CA Server

Request Web Server certificates from the CA Server

Change Web Sites to use the certificates.

Install a CA Server

To install a CA Server do the following steps:

1. Log on to the server that will be running the CA Server (e.g. DC01).

2. Start Server Manager.

3. Select Dashboard on the left.

4. Click Add roles and features.

5. Click Next through Before you begin, Installation type and Server selection.

6. In Server Roles select Active Directory Certificate Services under Roles.

7. Click Next through Features.

8. Under Role Services select the following: Certification Services, Certificate Enrolment Policy.., Certificate Enrolment Web, Certification Authority..

9. Accept the add-ons and click Next through Web Role Services.

10. Click Install.

11. Verify that the install finishes with success.

Configure CA Server

Do the following to configure the newly installed CA Server:

1. On the CA Server start Server Manager as a user that is a member of Enterprise Admins.

2. Select AD CS on the left.

3. A message will show in the main window:


Figure 3: Configuring CA Server in Server Manager

4. Click on More.

5. In the server task details click on Configure Active Directory Cert..

6. Select all roles to configure except for Web Service and click Next.

7. Select Enterprise CA.

8. Select Root CA.

9. Select Create a new private key and click Next.

10. Click Next through Cryptography.

11. Click Next through CA Name and keep the default.

Figure 4: CN Names for the CA Server

12. Keep 5 years and click Next.

13. Click Next through Certificate Database.

14. Select Windows Integrated auth.. and click Next.

15. Under Server Certificate select Choose and assign a certificate for SSL later and click Next.

16. Click Configure.

17. Click Close.

Change WEB Sites to use Certificate

Issue Certificate for the WAP Admin Portal

Greg from CAT has created a blog post which describes how the certificate request can be automated. The blog post can be found here: Automating Active Directory Certificate Services with Windows PowerShell – Part 1.

The manual steps are described below:


To issue certificates for the WAP Services the following steps need to be done:

1. Log on to the WAP Server as an administrator (e.g. wap01.contoso.com).

2. Open IIS Manager on the WAP Portal Server.

3. Select the IIS server under Connections.

4. In the main window select Server Certificates under IIS.

5. In the Actions pane on the right select Create Domain Certificate.

6. Specify the following:

1. WAPAdmin FQDN under Common name (e.g. wapadmin.contoso.com)

2. Organization: Contoso

3. Organizational unit: NA

4. City: NA

5. State: NA

7. Click Next.

8. Select a CA and provide the friendly name for the certificate (e.g. wapadmin.contoso.com).

Figure 5: Certificate request from IIS Manager

9. Click Finish.

10. Verify that the certificate shows in the list of certificates.

Figure 6: Certificate list in IIS Manager

We now have a web certificate which we can use for the WAP Admin Portal.

11. Request two more certificates following the same procedure:

1. WAP Authentication: wap01.contoso.com

2. WAP Tenant Portal Internal: WAPCloud.contoso.com

12. There should now be three certificates in the Web Server Certificate list from the Contoso CA.

Figure 7: WAP Certificates in IIS Manager


Change ports and certificates for the WAP Admin Portal

The following steps need to be done in order to change ports and certificates for the admin portal.

1. Log on to the WAP server as Administrator (this assumes it's an express install).

2. Start IIS Manager.

3. Expand IIS Server > Sites.

4. Right click on MgmtSvc-AdminSite and select Edit Bindings.

5. Select https 30091 and select Edit.

6. Change the port to 443.

7. Set the host name to wapadmin.contoso.com.

8. Select the certificate from the drop-down list which was created earlier from the CA.

Figure 8: IIS Certificate list for Web Site Bindings

9. Click OK.

10. Restart the Web Site.

11. Right click on MgmtSvc-WindowsAuthSite and select Edit Bindings.

12. Select the certificate wap01.contoso.com from the list.

13. Click OK.

Change ports and certificates for the WAP Tenant Portals

The following steps need to be done in order to change ports and certificates for the tenant portal.

1. Log on to the WAP server as Administrator (this assumes it's an express install).

2. Start IIS Manager.

3. Expand IIS Server > Sites.

4. Right click on MgmtSvc-TenantSite and select Edit Bindings.

5. Select https 30081 and select Edit.

6. Change the port to 443.


7. Set the host name to wapcloud.contoso.com.

8. Select wapcloud.contoso.com in the drop-down list for certificates.

9. Click Close.

10. Right click on MgmtSvc-AuthSite and select Edit Bindings.

11. Select https 30071 and select Edit.

12. Change the port to 444.

13. Select wapcloud.contoso.com in the drop-down list for certificates.

14. Restart the MgmtSvc-TenantSite Web Site from the Actions menu.

15. Restart the MgmtSvc-AuthSite Web Site from the Actions menu.
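The certificate requests from the "Issue Certificate" steps and the admin and tenant binding changes above, done as one PowerShell script on the WAP server. This is an added example, not the guide's own procedure, and it assumes: an elevated session on the express-install WAP server (Windows Server 2012 R2), an enterprise CA that publishes the default WebServer template with Enroll permission for this computer, and the PoC site names, host names and ports from this guide. It uses SNI (sslFlags 1) so that the Admin and Tenant portals can share port 443 with different certificates, something the click-through steps leave implicit.

```powershell
# Added example (not from the original guide); see the assumptions above.
Import-Module WebAdministration
Import-Module PKI

# An empty HostHeader means "bind on all host names", which is what the guide
# does for the admin authentication site (it stays on wap01.contoso.com:30072).
$Sites = @(
    @{ Site = 'MgmtSvc-AdminSite';       OldPort = 30091; NewPort = 443;   HostHeader = 'wapadmin.contoso.com'; CertName = 'wapadmin.contoso.com' },
    @{ Site = 'MgmtSvc-WindowsAuthSite'; OldPort = 30072; NewPort = 30072; HostHeader = '';                     CertName = 'wap01.contoso.com' },
    @{ Site = 'MgmtSvc-TenantSite';      OldPort = 30081; NewPort = 443;   HostHeader = 'wapcloud.contoso.com'; CertName = 'wapcloud.contoso.com' },
    @{ Site = 'MgmtSvc-AuthSite';        OldPort = 30071; NewPort = 444;   HostHeader = 'wapcloud.contoso.com'; CertName = 'wapcloud.contoso.com' }
)

function Request-WapCertificate {
    param([string]$DnsName, [string]$Template = 'WebServer')   # template name is an assumption

    # Reuse a valid certificate for this name if the CA already issued one, so
    # the script can be re-run without filling the store with duplicates.
    $existing = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$DnsName" -and $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($existing) { return $existing }

    # Enrol against the enterprise CA. Status is 'Issued' when the CA signed the
    # request immediately and 'Pending' if the template requires manager approval.
    $req = Get-Certificate -Template $Template -SubjectName "CN=$DnsName" -DnsName $DnsName `
                           -CertStoreLocation 'Cert:\LocalMachine\My'
    if ($req.Status -ne 'Issued') { throw "Certificate for $DnsName was not issued (status: $($req.Status))" }
    return $req.Certificate
}

function Set-WapSiteBinding {
    param([string]$Site, [int]$OldPort, [int]$NewPort, [string]$HostHeader,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Drop the old https binding (self-signed certificate on the setup port)
    # together with its certificate mapping.
    Get-WebBinding -Name $Site -Protocol https -Port $OldPort | Remove-WebBinding
    if (Test-Path "IIS:\SslBindings\0.0.0.0!$OldPort") { Remove-Item "IIS:\SslBindings\0.0.0.0!$OldPort" }

    if ($HostHeader) {
        # Host-name binding with SNI: the certificate is mapped per host name,
        # so two sites can share port 443 with different certificates.
        New-WebBinding -Name $Site -Protocol https -Port $NewPort -HostHeader $HostHeader -SslFlags 1
        $sslPath = "IIS:\SslBindings\!$NewPort!$HostHeader"
        if (Test-Path $sslPath) { Remove-Item $sslPath }
        New-Item $sslPath -Value $Cert -SSLFlags 1 | Out-Null
    } else {
        # Plain IP:port binding, certificate mapped on all addresses.
        New-WebBinding -Name $Site -Protocol https -Port $NewPort
        $sslPath = "IIS:\SslBindings\0.0.0.0!$NewPort"
        if (Test-Path $sslPath) { Remove-Item $sslPath }
        New-Item $sslPath -Value $Cert | Out-Null
    }
}

foreach ($s in $Sites) {
    $cert = Request-WapCertificate -DnsName $s.CertName
    Set-WapSiteBinding -Site $s.Site -OldPort $s.OldPort -NewPort $s.NewPort `
                       -HostHeader $s.HostHeader -Cert $cert
    # Restart the site so the new binding takes effect (steps 10, 14 and 15 above).
    Stop-Website -Name $s.Site
    Start-Website -Name $s.Site
    $where = if ($s.HostHeader) { $s.HostHeader } else { 'all host names' }
    Write-Host ("{0}: https on port {1} ({2}), certificate {3}" -f $s.Site, $s.NewPort, $where, $cert.Thumbprint)
}

# Final check of every https binding against the port and host name table above.
Get-WebBinding | Where-Object { $_.protocol -eq 'https' } |
    Format-Table bindingInformation, sslFlags, certificateHash -AutoSize
```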

Update Windows Azure Pack with the new settings

Updating the Windows Azure Admin Portal

The TechNet documentation can be found here: Reconfigure FQDNs and Ports in Windows Azure Pack

To update WAP with our modifications the following commands need to be executed, using the values from the scenario.

Set-MgmtSvcFqdn: This command updates the FQDN and port of the modified services in the WAP database.

Set-MgmtSvcRelyingPartySettings: This command configures the relying party (the Admin or Tenant portal) with the metadata endpoint of its WAP authentication service.

Set-MgmtSvcIdentityProviderSettings: This command configures the authentication service (identity provider) with the metadata endpoint of the portal that users are redirected back to once they have been verified.

We will be using the following arguments while executing the commands:

WAP Database Server: db02.contoso.com

WAP Database user: sa

Admin Portal FQDN: wapadmin.contoso.com

Admin Portal Port: 443

Admin Auth Service: wap01.contoso.com:30072


To update the modifications made to the WAP Services in the WAP database do the following.

1. Log on to the WAP Server as a WAP Administrator.

2. Start a PowerShell window.

3. Import the WAP PowerShell module:

Import-Module -Name MgmtSvcConfig

4. Update the WAP Admin Portal with the updated FQDN settings by running the following command:

Set-MgmtSvcFqdn -Namespace "AdminSite" -FullyQualifiedDomainName "wapadmin.contoso.com" -Port 443 -Server "db02"

5. To set the WAP authentication service FQDN for the admin portal run the following command:

Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://wap01.contoso.com:30072/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=*******"

6. To set the authentication service redirection location to the admin portal run the following command:

Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://wapadmin.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"


Updating the Windows Azure Tenant Portal

The following attributes are used for configuring the WAP Tenant Portal.

WAP Database Server: db02.contoso.com

WAP Database user: sa

Tenant Portal FQDN: wapcloud.contoso.com

Tenant Portal Port: 443

Tenant Auth Service: wapcloud.contoso.com:444

To update the tenant portal do the following:

1. Log on to the WAP Server as an Administrator.

2. Start PowerShell.

3. Import the WAP PowerShell module:

Import-Module -Name MgmtSvcConfig

4. Update the WAP Tenant Portal with the updated settings by running the following command:

Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName "wapcloud.contoso.com" -Port 443 -Server "db02"

5. Update the WAP Tenant Auth Site with the updated settings by running the following command:

Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName "wapcloud.contoso.com" -Port 444 -Server "db02"

6. To set the WAP authentication service FQDN for the tenant portal run the following command:

Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'https://wapcloud.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"

7. To set the authentication service redirection location to the tenant portal run the following command:

Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://wapcloud.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"
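The admin and tenant updates above as a single script, added here as an example that is not part of the original guide. It keeps the SQL password out of the command line (where the guide's commands would leave it in the PowerShell history) by prompting for the credential, and reads the stored FQDNs back afterwards. Assumptions: the PoC values from this guide, and that Get-MgmtSvcFqdn is the read counterpart of Set-MgmtSvcFqdn in the MgmtSvcConfig module.

```powershell
# Added example (not from the original guide); see the assumptions above.
Import-Module -Name MgmtSvcConfig

$DbServer     = 'db02.contoso.com'
$AdminPortal  = @{ Fqdn = 'wapadmin.contoso.com'; Port = 443 }
$AdminAuth    = 'https://wap01.contoso.com:30072'
$TenantPortal = @{ Fqdn = 'wapcloud.contoso.com'; Port = 443 }
$TenantAuth   = @{ Fqdn = 'wapcloud.contoso.com'; Port = 444 }

# Prompt for the SQL login of the WAP database server (sa in the PoC) instead
# of embedding the password in the script. The password still ends up in the
# connection string in memory, which the MgmtSvc cmdlets require.
$sql = Get-Credential -UserName 'sa' -Message 'SQL login for the WAP database server'
$ConnectionString = 'Data Source={0};User ID={1};Password={2}' -f $DbServer, $sql.UserName, $sql.GetNetworkCredential().Password

function Get-FederationMetadataUrl {
    param([string]$BaseUrl)
    # WAP publishes its WS-Federation metadata at this well-known path.
    return "$BaseUrl/FederationMetadata/2007-06/FederationMetadata.xml"
}

# 1. Host names and ports of the three renamed sites (steps 4 and 5).
Set-MgmtSvcFqdn -Namespace 'AdminSite'  -FullyQualifiedDomainName $AdminPortal.Fqdn  -Port $AdminPortal.Port  -Server $DbServer
Set-MgmtSvcFqdn -Namespace 'TenantSite' -FullyQualifiedDomainName $TenantPortal.Fqdn -Port $TenantPortal.Port -Server $DbServer
Set-MgmtSvcFqdn -Namespace 'AuthSite'   -FullyQualifiedDomainName $TenantAuth.Fqdn   -Port $TenantAuth.Port   -Server $DbServer

# 2. Each portal (relying party) trusts the metadata of its own authentication
#    site: the admin portal that of the Windows auth site on wap01:30072, the
#    tenant portal that of the membership auth site on wapcloud:444.
Set-MgmtSvcRelyingPartySettings -Target Admin  -MetadataEndpoint (Get-FederationMetadataUrl $AdminAuth) -ConnectionString $ConnectionString
Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint (Get-FederationMetadataUrl "https://$($TenantAuth.Fqdn):$($TenantAuth.Port)") -ConnectionString $ConnectionString

# 3. Each authentication site (identity provider) learns the portal it sends
#    signed-in users back to; port 443 needs no suffix in the URL.
Set-MgmtSvcIdentityProviderSettings -Target Windows    -MetadataEndpoint (Get-FederationMetadataUrl "https://$($AdminPortal.Fqdn)")  -ConnectionString $ConnectionString
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint (Get-FederationMetadataUrl "https://$($TenantPortal.Fqdn)") -ConnectionString $ConnectionString

# Read back what is now stored, so a mistyped host name is caught here rather
# than as a redirect loop in the browser. Get-MgmtSvcFqdn is assumed to exist
# alongside the Set- cmdlet; drop this loop if your module version lacks it.
foreach ($ns in 'AdminSite', 'TenantSite', 'AuthSite') {
    Get-MgmtSvcFqdn -Namespace $ns -Server $DbServer
}
```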

Verify the WAP modification works

To verify that the modification works do the following:

Pre-requisite: As we don't have a public certificate for our PoC setup we are going to install the CA certificate in the Trusted Root Certification Authorities store on the computers from which we will access the WAP Portals.

1. Log in to a computer as a user that has WAP Admin Portal access.

2. Start a browser.

3. Type the URL that the WAP Admin Portal was changed to (e.g. https://wapadmin.contoso.com).

Verify that the WAP Admin Portal loads using the new URL.

Figure 9: Updated URL in the WAP Admin Portal

4. Verify that the tenant portal works by opening a browser and going to https://wapcloud.contoso.com.

5. During the authentication sign-in process note the redirection to the wapcloud.contoso.com:444 authentication site.


Figure 10: Updated URL in the WAP Tenant Portal

6. Verify that after login you are redirected back to the WAP Tenant Portal.

Figure 11: Updated URL in the WAP Tenant Portal
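A scripted version of the verification above, added as an example that is not part of the original guide: it opens a TLS connection to each reconfigured WAP endpoint (with SNI, as a browser would), captures the certificate the site presents and checks that its subject matches the host name, that it is no longer self-signed, and that it chains to a trusted root on the machine it runs from. It assumes the PoC host names and ports from this guide and that the enterprise CA certificate has been installed as described in the pre-requisite.

```powershell
# Added example (not from the original guide); see the assumptions above.
$Endpoints = @(
    @{ HostName = 'wapadmin.contoso.com'; Port = 443 },   # Admin portal
    @{ HostName = 'wapcloud.contoso.com'; Port = 443 },   # Tenant portal
    @{ HostName = 'wapcloud.contoso.com'; Port = 444 }    # Tenant authentication site
)

function Test-WapTlsEndpoint {
    param([string]$HostName, [int]$Port)

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever the server sends in the callback: the function inspects
        # the certificate itself instead of relying on the handshake's verdict.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        # Passing the host name sends SNI, so IIS picks the certificate bound to
        # that host header when several sites share one port (443 here).
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain on this machine: it only succeeds if the enterprise CA
        # certificate is in the Trusted Root store, as the pre-requisite requires.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the PoC CA publishes no CRL yet
        $chainOk = $chain.Build($cert)

        $cn = $cert.GetNameInfo('SimpleName', $false)
        [pscustomobject]@{
            Endpoint   = '{0}:{1}' -f $HostName, $Port
            Subject    = $cn
            Issuer     = $cert.GetNameInfo('SimpleName', $true)
            NotAfter   = $cert.NotAfter
            NameMatch  = ($cn -eq $HostName)
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # still the WAP setup certificate?
            ChainOk    = $chainOk
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$results = $Endpoints | ForEach-Object { Test-WapTlsEndpoint -HostName $_.HostName -Port $_.Port }
$results | Format-Table -AutoSize

# Any endpoint that still presents the self-signed setup certificate, the wrong
# name, or a certificate this machine cannot chain will show as a browser warning.
$bad = $results | Where-Object { -not $_.NameMatch -or -not $_.ChainOk -or $_.SelfSigned }
if ($bad) {
    Write-Warning ('Certificate check failed for: ' + (($bad.Endpoint) -join ', '))
    exit 1
}
```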


Summary

The goal with this blog post was to show how it's possible to reconfigure portal names and ports and use trusted certificates after deploying the Windows Azure Pack.

In the blog post we did the following:

Created new DNS records

Installed and configured an Enterprise CA server

Issued certificates for the WAP Web Services

Changed host names, ports and certificates for the WAP Web Services

Updated the WAP database with the new configuration

Verified that the configuration was successful.

In the next three blog posts Shri from the WAP Product team will walk you through how to configure ADFS with Windows Azure Pack.

Federated Identities to Windows Azure Pack through AD FS – Part 1 of 3 (Coming soon)

Federated Identities to Windows Azure Pack through AD FS – Part 2 of 3 (Coming soon)

Federated Identities to Windows Azure Pack through AD FS – Part 3 of 3 (Coming soon)

Happy building your PoC environment for Windows Azure Pack.

Anders Ravnholt


Federated Identities to Windows Azure Pack through AD FS – Part 1 of 3

In a few of the previous posts, Anders Ravnholt discussed Installation & Configuration of WAP and Reconfiguration with FQDNs, ports and Trusted Certificates in detail. In this series, I will discuss how to configure AD FS and enable it to provide Identities to your WAP installation.

Scenario

Contoso Inc. is a Service Provider that hosts a private cloud stack and offers Compute resources to their customers. Contoso wants to install a Windows Azure Pack stack and

1. Provide administrative access to users from its own Active Directory

2. Provide self-service access to the Tenant Portal to users from Fabrikam Corp, one of its customers.

We will run through this scenario in 3 parts:

In this first part of the blog series, we will discuss how Contoso can set up an AD FS instance in their Corp domain.

In the second part, we will discuss how Contoso can set up trust between the AD FS instance and the WAP Admin Portal and provide its users access to the Management Portal.

In the third part, we will discuss how Contoso can enable Fabrikam's users to access the Tenant portal by establishing trust between Fabrikam's AD FS and Contoso's AD FS.


Personas

Rob is a Fabric Administrator who is responsible for maintaining the infrastructure. Rob was tasked with installing the Windows Azure Pack Stack for Contoso Inc.

Mary is the Domain administrator for the pcloud.contoso.corp domain in Contoso's Active Directory. Mary has the necessary permissions to configure the AD FS linked to the domain.

Alan is a Tenant Administrator who is responsible for Creating and Managing Plans and Subscriptions in Windows Azure Pack.

Assumptions and Scope

In this scenario, we assume the following about the environment:

Windows Azure Pack is already set up in the pcloud.contoso.corp domain

All the components in the environment have been configured with certificates from a Trusted CA

We also assume the following about you, the reader:

You are familiar with the installation of the Windows Azure Pack. For more information about Windows Azure Pack deployment, visit http://technet.microsoft.com/en-us/library/dn296432.aspx

You are familiar with some fundamentals of Claims based Authentication (refer to the white paper at http://download.microsoft.com/download/6/F/7/6F7BB9DD-0D65-492F-9180-75A47A520F80/Claims-Based Authentication in WAP.docx )

You are familiar with AD FS and the AD FS Console. For more information about AD FS visit http://technet.microsoft.com/en-us/library/hh831502.aspx

This post will not discuss enabling and configuring AD FS using PowerShell. Details about PowerShell based configuration can be found in the Windows Azure Pack Installation Guide at http://technet.microsoft.com/en-us/library/dn296436.aspx

Enabling the AD FS Role

Mary is the Domain Administrator for the domain ‘pcloud’, which is a domain in the ‘Contoso.corp’ forest. She has the necessary permissions to add an AD FS instance to the pcloud domain.

1. Mary logs into a machine that is joined to the pcloud domain and which will host the AD FS service. She enables the AD FS role from the Server Manager by clicking on ‘Manage’ and selecting ‘Add Roles and Features’.

2. After selecting the local server, she selects ‘Active Directory Federation Services’ from the Server Roles tab and clicks ‘Next’. The rest of the steps are standard and nothing needs to be changed, so she clicks through the wizard and clicks ‘Finish’. This will install the AD FS instance on the server.

Configuring the AD FS server

1. Once installation completes, Server Manager will show an exclamation mark in the Notifications to indicate that the role has not been configured yet. Mary clicks on the notification to open the AD FS Configuration Wizard. This is the first server in the AD FS farm, so she selects ‘Create the first federation server in a federation server farm’ and moves on to the next step.


2. She Selects the current user (herself) as the one configuring the farm

3. The next step is to configure the Federation Service Name. Note that this can be different from the

actual AD FS Machine name. This is the name that will be used by other services to reach AD FS.

In this step, Mary also has to provide a certificate for SSL/TLS based access. This certificate needs to be

issued by a trusted Public CA as this is presented to the users when they attempt to login. She already

has a wild card cert for *.pcloud.contoso.com that she can use to configure the AD FS server.

Note: In case a wild card certificate is not available, the certificate subject name should match with the

AD FS Federation Service name

4. In the Specify Database step, Mary decides which database to use for the AD FS configuration. She can either use the Windows Internal Database or a SQL Server instance.

5. Once all the options are reviewed, she clicks 'Configure' to configure AD FS.

6. That's it! The pcloud domain now has an AD FS instance associated with it, which can be used to provide administrative identities to the WAP installation.
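As an added example (not part of the original guide), the same role installation and farm configuration in PowerShell, preceded by the certificate checks a practitioner wants before binding a certificate to the Federation Service Name: name coverage (including how far a wildcard reaches), private key present, chain to a root this machine trusts, and validity period. The Federation Service Name, the service account and the use of the Windows Internal Database are assumptions for the pcloud environment and must be adjusted; the wizard prompts for the service account on a page the walkthrough above does not show.

```powershell
# Added example, not from the original guide: scripted equivalent of the
# Server Manager steps, with certificate checks before the farm is created.
# Assumptions (placeholders, adjust to your environment):
#   $FederationServiceName - the DNS name clients will use for AD FS
#   $ServiceAccount        - a domain account (or gMSA) for the AD FS service
$FederationServiceName = 'adfs.pcloud.contoso.corp'
$ServiceAccount        = 'pcloud\svc-adfs'

function Test-CertNameMatch {
    # One certificate DNS name (possibly a wildcard) against one host name.
    # A wildcard covers exactly one label: *.pcloud.contoso.corp matches
    # adfs.pcloud.contoso.corp but not sso.adfs.pcloud.contoso.corp.
    param([string]$CertName, [string]$HostName)
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)          # ".pcloud.contoso.corp"
        return ($HostName.Split('.').Count -eq $CertName.Split('.').Count) -and
               $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
    }
    return [string]::Equals($CertName, $HostName, [StringComparison]::OrdinalIgnoreCase)
}

function Find-AdfsServiceCertificate {
    # Pick a certificate from the machine store that is usable for the
    # Federation Service Name: name match, private key present, currently
    # valid, and a chain that builds (with revocation checking) to a trusted root.
    param([string]$FederationServiceName)
    $now = Get-Date
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
    }
    foreach ($cert in $candidates) {
        # DnsNameList is filled by the certificate provider from the SAN
        # extension, falling back to the subject CN.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        if (-not ($names | Where-Object { Test-CertNameMatch $_ $FederationServiceName })) { continue }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            Write-Warning ("Skipping {0}: chain does not build ({1})" -f $cert.Thumbprint, $status)
            continue
        }
        return $cert
    }
    throw "No trusted certificate with a private key covers $FederationServiceName in Cert:\LocalMachine\My"
}

$cert = Find-AdfsServiceCertificate -FederationServiceName $FederationServiceName
"Using certificate {0} ({1})" -f $cert.Subject, $cert.Thumbprint

# 'Enabling the AD FS Role', steps 1-2: install the role and its management tools.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# 'Configuring the AD FS server', steps 1-5: first server of a new farm, run as
# the current user, Windows Internal Database (the default when no
# -SQLConnectionString is given).
Import-Module ADFS
Install-AdfsFarm -CertificateThumbprint $cert.Thumbprint `
                 -FederationServiceName $FederationServiceName `
                 -ServiceAccountCredential (Get-Credential -UserName $ServiceAccount -Message 'AD FS service account password')

# Step 6: confirm the service answers under the Federation Service Name and
# publishes metadata; the entityID is the identifier other parties will trust.
$metadata = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$xml = [xml](Invoke-WebRequest -Uri $metadata -UseBasicParsing).Content
"Federation Service identifier: {0}" -f $xml.EntityDescriptor.entityID
```

Run the script in an elevated PowerShell session on the server that will host AD FS. If the final metadata request fails with a certificate error, the name check passed but the client machine does not trust the issuing CA, which is exactly what users would see at sign-in.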

You can find more information about AD FS at http://technet.microsoft.com/en-us/library/hh831502.aspx

Visit Part 2 of this blog series for a walkthrough on how Contoso uses this AD FS instance to provide Admin

identities to WAP.

Visit Part 3 of this blog series for a walkthrough on how Contoso uses this AD FS instance to federate with Fabrikam's AD, through Fabrikam's AD FS, to provide tenant identities to WAP.

Federated Identities to Windows Azure Pack through AD FS – Part 2 of 3

In a few of the previous posts, Anders Ravnholt discussed installation and configuration of WAP, and reconfiguration with FQDNs, ports and trusted certificates, in detail. In this series, I will discuss how to configure AD FS and enable it to provide identities to your WAP installation.

Scenario

Contoso Inc. is a Service Provider that hosts a private cloud stack and offers compute resources to its customers. Contoso wants to install a Windows Azure Pack stack and

1. Provide administrative access to users from its own Active Directory

2. Provide self-service access to the Tenant Portal to users from Fabrikam Corp, one of its customers.

In the first part of this blog series, we discussed how Contoso can set up an AD FS farm in their corp domain pcloud.contoso.corp.

In this second part, we will discuss how Contoso can set up trust between the AD FS instance and the WAP Admin Portal and provide its users access to the Management Portal.

In the third part, we will discuss how Contoso can enable Fabrikam's users to access the Tenant Portal by establishing trust between Fabrikam's AD FS and Contoso's AD FS.

Personas

Rob is a Fabric Administrator who is responsible for maintaining the infrastructure. Rob was tasked with installing the Windows Azure Pack stack for Contoso Inc.

Mary is the Domain Administrator for the pcloud.contoso.corp domain in Contoso's Active Directory. Mary has the necessary permissions to configure the AD FS linked to the domain.

Alan is a Tenant Administrator who is responsible for creating and managing Plans and Subscriptions in Windows Azure Pack.

Scope

In this scenario, we assume the following about the environment:

o Windows Azure Pack is already set up in the pcloud.contoso.corp domain
o AD FS is enabled and configured for the pcloud.contoso.corp domain
o Alan has a user id in the pcloud.contoso.corp domain
o All the components in the environment have been configured with certificates from a Trusted CA

We also assume the following about you, the reader:

o You are familiar with the installation of the Windows Azure Pack. For more information about Windows Azure Pack deployment, visit http://technet.microsoft.com/en-us/library/dn296432.aspx
o You are familiar with some fundamentals of claims-based authentication (refer to the white paper at http://download.microsoft.com/download/6/F/7/6F7BB9DD-0D65-492F-9180-75A47A520F80/Claims-Based Authentication in WAP.docx )
o You are familiar with setting up AD FS and the AD FS Console. For more information about AD FS, visit http://technet.microsoft.com/en-us/library/hh831502.aspx

This post describes how to perform the scenario using the AD FS Console. It does not cover performing the scenario with AD FS PowerShell.

Federating AD FS with WAP

In order to enable AD FS to provide identities to WAP, configuration needs to happen in two places:

1. Mary, who is the domain administrator, needs to add the WAP Admin Portal as a Relying Party in AD FS. This lets AD FS know that the Admin Portal will be requesting tokens from it.

2. Rob, who has access to the infrastructure, needs to configure the WAP Admin Portal to forward users to AD FS to get their identities validated.

AD FS Configuration

1. Mary opens the AD FS console, either from Server Manager or by adding the AD FS snap-in to an mmc console.

2. In the AD FS console, she selects "Relying Party Trusts" and clicks "Add Relying Party Trust" in the Actions sidebar to open the "Add Relying Party Trust Wizard".

3. In the Select Data Source step, Mary points the wizard at the federation metadata published by the WAP Admin Portal. The federation metadata document can usually be found at

https://<adminPortalUri>/federationmetadata/2007-06/federationmetadata.xml

Alternatively, the metadata file can be downloaded from that location and imported into the wizard from a file. Either way, AD FS takes the portal's identifier (realm) and endpoint from this document, so the URL must be served over a certificate that the AD FS server trusts.

4. She specifies a friendly display name for the Admin Portal and clicks Next.

5. The remaining steps in the wizard deal with configuring Multi-factor Authentication, Issuance Authorization rules and so on, which are not needed for this scenario, so she leaves them at their default values and completes the wizard. Note that the default issuance authorization rule permits all authenticated users to obtain a token for the portal; who may actually administer WAP is decided on the WAP side, when Rob adds administrators in the next section.

6. Once the Relying Party has been added, Mary configures the Claim Transformation Rules so that AD FS knows which claims to issue to this relying party, in this case the WAP Admin Portal. The WAP portals understand two kinds of claims, UPN and Group claims, so four rules have to be created in AD FS to issue them: two that look the values up in Active Directory, and two that pass through UPN and Group claims that are already present in the incoming token.

7. In the "Add Transform Claim Rule Wizard", select the claim rule template "Send LDAP Attributes as Claims" and click Next.

In the next step, Mary provides a friendly rule name, selects Active Directory as the attribute store and, in the mapping table, maps the LDAP attribute User-Principal-Name to the outgoing claim type UPN.

A similar process is repeated for the Group claims: select the LDAP attribute Token-Groups – Qualified by Domain and map it to the outgoing claim type Group.

8. In some cases a UPN claim is already present in the token AD FS is processing, for example when the user was authenticated by a federated claims provider rather than by the local Active Directory (Part 3 relies on this). To handle these scenarios, two additional rules are needed to flow the incoming UPN and Group claims through as-is. In the "Add Transform Claim Rule Wizard", select "Pass Through or Filter an Incoming Claim".

In the next step, she provides a friendly name for the rule, specifies the Incoming Claim Type as UPN, and clicks Finish.

A similar process is repeated for the Group claim.

9. Now that all four rules are added for this relying party, she clicks Apply and is done with the Claim Transformation Rules.

10. As the final step, Mary has to enable JWT tokens for the Relying Party; the WAP portals expect a JWT rather than the SAML token AD FS issues by default. This cannot be done from the UI, so she opens a PowerShell window and verifies the settings of the Relying Party that was just added:

Get-AdfsRelyingPartyTrust -Name "WAP Admin Portal"

11. She notes down the Identifier of the relying party, which is typically http://azureservices/AdminSite, and confirms that EnableJWT is False. It now needs to be set to True to enable JWT tokens:

Set-AdfsRelyingPartyTrust -TargetIdentifier 'http://azureservices/AdminSite' -EnableJWT $true

With that, the AD FS side of things is done and ready to go!
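As an added example (not part of the original guide, which deliberately sticks to the console), here is the AD FS side of this part in PowerShell: the relying party trust from the portal's metadata, the four claim rules from steps 7 and 8 written in the AD FS claim rule language, the issuance authorization rule the wizard adds silently, JWT enabled, and the checks from steps 10 and 11. The Admin Portal URL is an assumption and must be replaced; everything else follows the steps above. The same script, with Fabrikam's metadata URL and a different name, is what George's relying party trust in Part 3 amounts to.

```powershell
# Added example, not from the original guide: Part 2's AD FS configuration in
# PowerShell. Run on the AD FS server as an AD FS administrator.
Import-Module ADFS
$adminPortal = 'https://wapadmin.pcloud.contoso.corp:30091'   # placeholder Admin Portal URL
$rpName      = 'WAP Admin Portal'
$metadataUrl = "$adminPortal/federationmetadata/2007-06/federationmetadata.xml"

# Standard claim type URIs used by AD FS; UPN and Group are the two the WAP
# portals understand.
$UpnClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$GroupClaim = 'http://schemas.xmlsoap.org/claims/Group'
$WinAccount = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# The four issuance transform rules from steps 7-8. The first two are what the
# "Send LDAP Attributes as Claims" template generates (they fire only for users
# authenticated by this AD FS's own Active Directory); the last two are the
# "Pass Through" rules for claims already present in the incoming token.
$issuanceRules = @"
@RuleName = "UPN from Active Directory"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$UpnClaim"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Groups from Active Directory, qualified by domain"
c:[Type == "$WinAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$GroupClaim"), query = ";tokenGroups(domainQualifiedName);{0}", param = c.Value);

@RuleName = "Pass through UPN"
c:[Type == "$UpnClaim"]
 => issue(claim = c);

@RuleName = "Pass through Group"
c:[Type == "$GroupClaim"]
 => issue(claim = c);
"@

# The wizard's default "Permit all users" issuance authorization rule. From
# PowerShell, no authorization rule means nobody gets a token, so it must be
# stated. Authorization to administer WAP is still enforced by the WAP admin
# list (Add-MgmtSvcAdminUser); to fail closed in AD FS as well, replace this
# with a rule that permits only a specific Group claim value.
$authorizationRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Steps 2-5: identifier and endpoints are read from the portal's metadata.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Steps 10-11: the WAP portals need JWT tokens.
Set-AdfsRelyingPartyTrust -TargetName $rpName -EnableJWT $true

# Verification: JWT is on and the identifier is the one the guide expects.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp.EnableJWT) { throw "JWT is not enabled for $rpName; the WAP portal will not accept the token" }
if (@($rp.Identifier) -notcontains 'http://azureservices/AdminSite') {
    Write-Warning ("Unexpected identifier(s): {0}. Use this value with -TargetIdentifier." -f ($rp.Identifier -join ', '))
}
"{0}: identifier {1}, JWT enabled" -f $rp.Name, ($rp.Identifier -join ', ')
```

The rule text is what the console generates when you click "View Rule Language" on each rule, so the PowerShell and console results are interchangeable; keeping the rules in a script makes a later review of what AD FS issues to the portal a diff rather than a click-through.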

WAP Configuration

Once Mary is done configuring AD FS, Rob, the fabric administrator, configures the WAP Admin Portal to use AD FS as its identity provider. Rob also has to give Alan permission to administer Plans and Subscriptions and maintain the WAP stack.

1. Rob logs on to the machine where WAP is installed and runs the following PowerShell:

$fqdn = 'adfs.pcloud.contoso.corp'
$dbServer = 'ContosoWAP'
$dbPassword = 'pass@word1'
$portalConfigStoreConnectionString = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User ID=sa;Password={1}', $dbServer, $dbPassword)

Set-MgmtSvcRelyingPartySettings -Target Admin `
    -MetadataEndpoint https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml `
    -ConnectionString $portalConfigStoreConnectionString

The $fqdn variable is the Federation Service Name of AD FS (not the host name of the AD FS machine, if the two differ). The database server, the sa login and the password are placeholders for the values of your own WAP deployment; the connection string is only needed while the cmdlet runs, so do not leave it in a script on disk.

2. The only thing left to do is to give Alan permission to access the Admin Portal, i.e. add him as an administrator. This is done with the following PowerShell command.

Note: The name specified in the Principal parameter must match exactly, including the UPN suffix, the value that AD FS issues in the UPN claim; WAP compares the claim value, not the account.

$dbServer = 'ContosoWAP'
$dbPassword = 'pass@word1'
$storeConnectionString = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.Store;User ID=sa;Password={1}', $dbServer, $dbPassword)

Add-MgmtSvcAdminUser -Principal [email protected] -ConnectionString $storeConnectionString

Note that this second command targets the Microsoft.MgmtSvc.Store database, not the PortalConfigStore database used in step 1.

3. Now Alan can sign in to the Admin Portal with his credentials.
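As an added example (not part of the original guide), Rob's two steps as one script that does not embed a clear-text SQL password, builds the connection strings with a connection-string builder so odd characters in the password cannot corrupt them, takes the administrator's UPN from Active Directory so the -Principal value is exactly what the AD FS LDAP rule will issue, and verifies the result. The AD FS name, database server and account name are assumptions for the pcloud environment. For the Tenant Portal in Part 3, only the first half applies, with -Target Tenant.

```powershell
# Added example, not from the original guide: Part 2's WAP configuration with
# the password prompted for, the UPN read from AD, and a verification pass.
# Requires the MgmtSvcConfig module (installed with WAP) and the
# ActiveDirectory RSAT module. Placeholders: $fqdn, $dbServer, $adminSam.
Import-Module MgmtSvcConfig
Import-Module ActiveDirectory

$fqdn     = 'adfs.pcloud.contoso.corp'   # Federation Service Name, not the AD FS host name
$dbServer = 'ContosoWAP'
$adminSam = 'alan'                       # sAMAccountName of the new WAP administrator

# Prompt for the SQL login instead of embedding it. The guide uses sa; a
# dedicated login with rights on the two Microsoft.MgmtSvc databases is preferable.
$sql = Get-Credential -Message 'SQL login for the WAP configuration databases'
$sqlPassword = $sql.GetNetworkCredential().Password

function New-MgmtSvcConnectionString {
    param([string]$Server, [string]$Database, [string]$User, [string]$Password)
    # SqlConnectionStringBuilder quotes a password containing ';' or quotes,
    # which [string]::Format would pass through unescaped.
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b['Data Source']     = $Server
    $b['Initial Catalog'] = $Database
    $b['User ID']         = $User
    $b['Password']        = $Password
    return $b.ConnectionString
}

$portalConfigStore = New-MgmtSvcConnectionString $dbServer 'Microsoft.MgmtSvc.PortalConfigStore' $sql.UserName $sqlPassword
$store             = New-MgmtSvcConnectionString $dbServer 'Microsoft.MgmtSvc.Store'             $sql.UserName $sqlPassword

# Step 1: point the Admin Portal at AD FS. Fetch the metadata first: the
# request goes over TLS, so this fails early if the AD FS certificate does
# not chain to a root this WAP machine trusts.
$metadata = "https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
$entityId = ([xml](Invoke-WebRequest -Uri $metadata -UseBasicParsing).Content).EntityDescriptor.entityID
"AD FS metadata reachable, issuer: $entityId"
Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint $metadata -ConnectionString $portalConfigStore
Get-MgmtSvcRelyingPartySettings -Target Admin -ConnectionString $portalConfigStore | Format-List *

# Step 2: -Principal must equal the UPN claim AD FS issues, which the LDAP
# rule reads from userPrincipalName. Take it from AD rather than typing it.
$upn = (Get-ADUser -Identity $adminSam -Properties userPrincipalName).userPrincipalName
if (-not $upn) { throw "$adminSam has no userPrincipalName; AD FS will not issue a UPN claim for this account" }
Add-MgmtSvcAdminUser -Principal $upn -ConnectionString $store

# Verify the administrator list now contains exactly that value.
$admins = Get-MgmtSvcAdminUser -ConnectionString $store | Out-String
if ($admins -notmatch [regex]::Escape($upn)) { throw "$upn was not recorded as a WAP administrator" }
"WAP administrators:`n$admins"
```

If Alan later cannot sign in although AD FS authenticates him, compare the UPN printed here with the upn claim in the token AD FS issues (the AD FS debug trace shows it); a mismatch in suffix is the usual cause.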

That's it! Alan can take over from here and administer Windows Azure Pack.

In the next part, we will take a look at the tenant side of things and how to federate Fabrikam's AD FS with Contoso to provide tenant identities.

Federated Identities to Windows Azure Pack through AD FS – Part 3 of 3

In a few of the previous posts, Anders Ravnholt discussed installation and configuration of WAP, and reconfiguration with FQDNs, ports and trusted certificates, in detail. In this series, I will discuss how to configure AD FS and enable it to provide identities to your WAP installation.

Scenario

Contoso Inc. is a Service Provider that hosts a private cloud stack and offers compute resources to its customers. Contoso wants to install a Windows Azure Pack stack and

1. Provide administrative access to users from its own Active Directory

2. Provide self-service access to the Tenant Portal to users from Fabrikam Corp, one of its customers.

We will run through this scenario in 3 parts:

In the first part of this blog series, we discussed how Contoso can set up an AD FS farm in their corp domain pcloud.contoso.corp.

In the second part, we discussed how Contoso can set up trust between the AD FS instance and the WAP Admin Portal and provide its users access to the Management Portal.

In this third part, we will discuss how Contoso can enable Fabrikam's users to access the Tenant Portal by establishing trust between Fabrikam's AD FS and Contoso's AD FS, and between Contoso's AD FS and the WAP Tenant Portal.

Personas

Rob is a Fabric Administrator who is responsible for maintaining the infrastructure. Rob was tasked with installing the Windows Azure Pack stack for Contoso Inc.

Mary is the Domain Administrator for the pcloud.contoso.corp domain in Contoso's Active Directory. Mary has the necessary permissions to configure the AD FS linked to the domain.

George is the Domain Administrator of the Fabrikam.corp domain. He has the necessary credentials to federate Fabrikam's AD FS with Contoso's AD FS.

Assumptions and Scope

In this post, the following are the assumptions about the environment:

o Windows Azure Pack is already set up in the pcloud.contoso.corp domain
o AD FS is enabled and configured for the pcloud.contoso.corp domain
o AD FS is enabled and configured for the Fabrikam.corp domain
o All the components in the environment have been configured with certificates from a Trusted CA
o Both Contoso and Fabrikam have set up the necessary DNS routing to talk to each other

We also assume the following about you, the reader:

o You are familiar with the installation of the Windows Azure Pack. For more information about Windows Azure Pack deployment, visit http://technet.microsoft.com/en-us/library/dn296432.aspx
o You are familiar with some fundamentals of claims-based authentication (refer to the white paper at http://download.microsoft.com/download/6/F/7/6F7BB9DD-0D65-492F-9180-75A47A520F80/Claims-Based Authentication in WAP.docx )
o You are familiar with setting up AD FS and the AD FS Console. For more information about AD FS, visit http://technet.microsoft.com/en-us/library/hh831502.aspx

This post describes how to perform the scenario using the AD FS Console. It does not cover performing the scenario with AD FS PowerShell.

Overview of Scenario

Before I move on to explain how federation is established, here is an overview of the steps that need to be completed to get this working.

1. Add the WAP Tenant Portal as a Relying Party to Contoso's AD FS

This is done so that AD FS knows that the Tenant Portal will be relying on it to provide authenticated identities. This process was explained in the second part of the blog series in the context of the Admin Portal.

2. Add Contoso's AD FS as Claims Provider to the WAP Tenant Portal

This is done so that the Tenant Portal knows that AD FS is the entity that provides user claims and that users will have to authenticate against it. This process was explained in the second part of the blog series in the context of the Admin Portal.

A similar relationship exists between Contoso's AD FS and Fabrikam's AD FS:

1. Add Contoso's AD FS as a Relying Party to Fabrikam's AD FS

This is done so that Fabrikam's AD FS knows that Contoso's AD FS will rely on it to authenticate users within its own realm.

2. Add Fabrikam's AD FS as a Claims Provider to Contoso's AD FS

This is done to tell Contoso's AD FS that it can trust Fabrikam's AD FS and that it will be one of the trusted Claims Providers in the federation chain.

All four of these trusts have to be in place for users to be able to log in to the system. Each trust is anchored in the partner's federation metadata, which carries its identifier and token-signing certificate, so a token is accepted only if it was signed with the key published by the party at the other end of that trust.

Establish trust between Contoso's AD FS and WAP Tenant Portal

Adding a WAP Tenant Portal as a Relying Party to Contoso's AD FS

This process has already been explained in the second part of the blog series in the context of the Admin Portal. We will go over it again here briefly.

Mary, Contoso's Domain Administrator, has to add the WAP Tenant Portal as a relying party with AD FS, which tells AD FS that the Tenant Portal will be looking to get tokens from it. To do that, Mary kicks off the "Add Relying Party Trust Wizard" from the AD FS Console.

She enters the federation metadata address for the WAP Tenant Portal, which is typically

https://<tenantPortalUri>/federationmetadata/2007-06/federationmetadata.xml

Mary provides a friendly name for the Tenant Portal and proceeds through the rest of the wizard, leaving the default values.

Now Mary adds Claim Transformation Rules to the Tenant Portal, the same four rules that were added for the Admin Portal (per the second part of this blog series).

Additionally, she ensures that the Tenant Portal gets JWT tokens by using the Set-AdfsRelyingPartyTrust cmdlet (again, per the second part of this blog series). The Tenant Portal's identifier is http://azureservices/TenantSite:

Set-AdfsRelyingPartyTrust -TargetIdentifier 'http://azureservices/TenantSite' -EnableJWT $true

Adding Contoso's AD FS as a Claims Provider to the Tenant Portal

Rob, who is the Fabric Administrator, logs on to the WAP box to complete the second half of this handshake. He runs the following script to let the Tenant Portal know that it needs to rely on AD FS for identities. It is the same command that configured the Admin Portal in Part 2, with -Target Tenant instead of -Target Admin:

$fqdn = 'adfs.pcloud.contoso.corp'
$dbServer = 'ContosoWAP'
$dbPassword = 'pass@word1'
$portalConfigStoreConnectionString = [string]::Format('Data Source={0};Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User ID=sa;Password={1}', $dbServer, $dbPassword)

Set-MgmtSvcRelyingPartySettings -Target Tenant `
    -MetadataEndpoint https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml `
    -ConnectionString $portalConfigStoreConnectionString

Add Fabrikam's AD FS as Claims Provider to Contoso's AD FS

1. Mary, the Domain Administrator for the pcloud.contoso.corp domain, opens the AD FS console and clicks "Add Claims Provider Trust" in the Actions pane on the right.

2. In the Select Data Source screen, she enters the address of the federation metadata of Fabrikam's AD FS. It is typically

https://<adfs federation service name>/federationmetadata/2007-06/federationmetadata.xml

Alternatively, the file can be downloaded from the above location and imported into the wizard. Because this metadata carries the token-signing certificate that Contoso's AD FS will trust for Fabrikam's users, obtain it over HTTPS from Fabrikam's Federation Service Name, or as a file handed over by George through a channel you trust.

3. The next step is to provide a friendly name for the Fabrikam AD FS. For easy identification, let's call it, well, Fabrikam AD FS.

4. The remaining steps in the wizard deal with configuring Multi-factor Authentication and so on, which are not needed for this scenario, so she leaves them at their default values and completes the wizard. In the final step, Mary ensures that the "Open the Edit Claim Rules dialog..." checkbox is checked and clicks "Close".

5. In the "Add Transform Claim Rule Wizard", select the claim rule template "Send LDAP Attributes as Claims" and click Next.

In the next step, Mary provides a friendly rule name, selects Active Directory as the attribute store and, in the mapping table, maps User-Principal-Name to the outgoing claim type UPN.

A similar process is repeated for adding Group claims: select Token-Groups – Qualified by Domain and map it to the outgoing claim type Group.

6. For users coming from Fabrikam, the UPN is already present in the token that Fabrikam's AD FS issues, so the LDAP rules above (which query Contoso's own Active Directory) have nothing to add. To handle this, two additional rules are needed to flow the incoming UPN and Group claims through as-is. In the "Add Transform Claim Rule Wizard", select "Pass Through or Filter an Incoming Claim".

In the next step, she provides a friendly name for the rule, specifies the Incoming Claim Type as UPN, and clicks Finish.

Mary clicks Yes in the AD FS Management pop-up.

A similar process is repeated for the Group claim.

7. Now that all four rules are added for this claims provider trust, she clicks Apply and is done with the Claim Transformation Rules.

8. Once this is done, Mary needs to ensure that when users are redirected to AD FS from the WAP Tenant Portal, they are taken directly to Fabrikam's AD FS page for authentication instead of being shown the home realm discovery page. This is done with the following cmdlet, which restricts the claims providers offered for the Tenant Portal relying party to the one named (Contoso's own Active Directory is no longer offered for it):

Set-AdfsRelyingPartyTrust -TargetName "WAP Tenant Portal" -ClaimsProviderName @("Fabrikam AD FS")
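As an added example (not part of the original guide), Mary's claims provider trust for Fabrikam in PowerShell, with one deliberate difference from the console walkthrough: the acceptance rule for UPN filters rather than passes everything through. On a claims provider trust the pass-through rules are what carry Fabrikam's UPN and Group values into Contoso's AD FS (the LDAP rules query Contoso's own directory and do not fire for federated users), so a plain pass-through lets the partner assert any UPN at all, including one in Contoso's namespace. Restricting the UPN to Fabrikam's suffix is the "filter" half of "Pass Through or Filter an Incoming Claim". Fabrikam's Federation Service Name and UPN suffix are assumptions.

```powershell
# Added example, not from the original guide: the Fabrikam claims provider
# trust in PowerShell, with a filtered UPN acceptance rule, the step 8
# ClaimsProviderName restriction, and a verification pass. Run on Contoso's
# AD FS server. Placeholders: $fabrikamAdfs, the UPN suffix in $fabrikamUpnRe.
Import-Module ADFS
$cpName        = 'Fabrikam AD FS'
$fabrikamAdfs  = 'adfs.fabrikam.corp'
$fabrikamUpnRe = '^(?i)[^@]+@fabrikam[.]corp$'   # UPNs this partner may assert ([.] avoids a backslash in the rule text)
$tenantRpName  = 'WAP Tenant Portal'

$UpnClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$GroupClaim = 'http://schemas.xmlsoap.org/claims/Group'

# Acceptance transform rules decide which of the partner's claims enter this
# AD FS. A UPN outside Fabrikam's suffix is dropped here, so it can never be
# re-issued to the Tenant Portal and collide with a Contoso identity.
$acceptanceRules = @"
@RuleName = "Accept UPN only in the Fabrikam namespace"
c:[Type == "$UpnClaim", Value =~ "$fabrikamUpnRe"]
 => issue(claim = c);

@RuleName = "Pass through Group"
c:[Type == "$GroupClaim"]
 => issue(claim = c);
"@

# Steps 1-6: trust from Fabrikam's metadata (identifier, endpoints and
# token-signing certificate), with the acceptance rules above.
Add-AdfsClaimsProviderTrust -Name $cpName `
    -MetadataUrl "https://$fabrikamAdfs/FederationMetadata/2007-06/FederationMetadata.xml" `
    -AcceptanceTransformRules $acceptanceRules

# Step 8: send Tenant Portal users straight to Fabrikam. The list is
# exclusive, so Contoso's own "Active Directory" claims provider is no
# longer offered for this relying party.
Set-AdfsRelyingPartyTrust -TargetName $tenantRpName -ClaimsProviderName @($cpName)

# Verification: the trust is enabled and the Tenant Portal lists only it.
$cp = Get-AdfsClaimsProviderTrust -Name $cpName
if (-not $cp.Enabled) { throw "$cpName was created but is disabled" }
$rp = Get-AdfsRelyingPartyTrust -Name $tenantRpName
if (($rp.ClaimsProviderName -join ',') -ne $cpName) {
    throw ("{0} offers claims providers '{1}', expected only '{2}'" -f $tenantRpName, ($rp.ClaimsProviderName -join ','), $cpName)
}
"{0}: identifier {1}; {2} routed to it" -f $cp.Name, ($cp.Identifier -join ', '), $tenantRpName
```

If a second customer is onboarded later, it gets its own claims provider trust with its own suffix filter, and the Tenant Portal's ClaimsProviderName list grows to include it (at which point AD FS shows home realm discovery again, unless the portal passes a realm hint).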

Adding Contoso AD FS as a Relying Party to Fabrikam's AD FS

To complete the second part of the handshake, George, who is the Domain Administrator for Fabrikam, adds Contoso's AD FS as a Relying Party. This mirrors the process of adding a Claims Provider and has pretty much the same set of steps:

1. He enters the location of the federation metadata of Contoso's AD FS.

2. He specifies a friendly name for the registered Relying Party.

3. He clicks through the rest of the wizard, choosing appropriate values or the defaults depending on his preferences. On completing the wizard, he is shown the "Add Transform Claim Rule Wizard".

4. In the "Add Transform Claim Rule Wizard", the claim rule template should be "Send LDAP Attributes as Claims"; click Next.

5. In the next step, he provides a friendly rule name, selects Active Directory as the attribute store and, in the mapping table, maps User-Principal-Name to the outgoing claim type UPN. This is the rule that actually identifies Fabrikam's users: their UPN is read from Fabrikam's Active Directory and issued in the token that Contoso's AD FS will then pass through.

6. A similar process is repeated for adding Group claims: select Token-Groups – Qualified by Domain and map it to the outgoing claim type Group.

Page 96: Windows Azure Pack Azure Pack Guide Page 2 of 111 Table of Contents Architecture ..... 6 Architecture layers ..... 7 ... the possibility to manage automation and metering for services

Windows Azure Pack Guide Page 96 of 111

7. In some cases a UPN might already be available to AD FS. To handle these scenarios, there are two

additional rules that need to be added to flow the UPN claims through as-is. In the "Add Transform

Claim rule Wizard" select, "Pass Through or Filter an Incoming Claim"

Page 97: Windows Azure Pack Azure Pack Guide Page 2 of 111 Table of Contents Architecture ..... 6 Architecture layers ..... 7 ... the possibility to manage automation and metering for services

Windows Azure Pack Guide Page 97 of 111

8. In the next step, he provides a friendly name to the rule, and specifies the Incoming Claim Type as UPN

and clicks Finish

Page 98: Windows Azure Pack Azure Pack Guide Page 2 of 111 Table of Contents Architecture ..... 6 Architecture layers ..... 7 ... the possibility to manage automation and metering for services

Windows Azure Pack Guide Page 98 of 111

A similar process is repeated for the Group Claim

Page 99: Windows Azure Pack Azure Pack Guide Page 2 of 111 Table of Contents Architecture ..... 6 Architecture layers ..... 7 ... the possibility to manage automation and metering for services

Windows Azure Pack Guide Page 99 of 111

Page 100: Windows Azure Pack Azure Pack Guide Page 2 of 111 Table of Contents Architecture ..... 6 Architecture layers ..... 7 ... the possibility to manage automation and metering for services

Windows Azure Pack Guide Page 100 of 111

9. Now that all four rules are added for this relying party, he finally clicks Apply and is done with the Claim Transformation Rules.

10. Once this is done, George needs to ensure that JWT tokens are issued to Contoso's AD FS. This is done with the following PowerShell command:

Set-ADFSRelyingPartyTrust -TargetIdentifier http://adfs.pcloud.contoso.corp/adfs/services/trust -EnableJWT $true

Page 101: Windows Azure Pack Azure Pack Guide Page 2 of 111 Table of Contents Architecture ..... 6 Architecture layers ..... 7 ... the possibility to manage automation and metering for services

Windows Azure Pack Guide Page 101 of 111

11. That's it! Now when users access the Tenant Portal, they will be redirected to Contoso AD FS, which will then redirect them to Fabrikam AD FS. The Fabrikam AD FS will then authenticate the user.

12. Once authenticated, users will be redirected all the way back to the WAP Tenant Portal to access their resources!
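The rule set built in steps 6 through 10, as an added PowerShell example that is not part of the guide: it applies the four issuance transform rules in AD FS claim rule language with Set-AdfsRelyingPartyTrust instead of clicking through the wizard, enables JWT with the cmdlet the guide shows, and then reads the trust back to confirm the result. Assumed here: the relying party identifier from the guide, that the UPN lookup rule built earlier in the series maps the userPrincipalName attribute, and the standard AD FS claim type URIs for UPN and Group; the script is run in an elevated session on the AD FS server that holds the relying party trust.

```powershell
# Added example, not from the guide. Applies the four issuance transform rules
# (steps 6-9) and enables JWT (step 10) on the relying party trust for Contoso AD FS.
# Assumptions: identifier as shown in the guide; the UPN rule maps userPrincipalName;
# standard AD FS claim type URIs for UPN and Group.

Import-Module ADFS

$rpIdentifier = 'http://adfs.pcloud.contoso.corp/adfs/services/trust'

# Claim types the Windows Azure Pack tenant portal consumes
$upnClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$groupClaim = 'http://schemas.xmlsoap.org/claims/Group'
$waClaim    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Rule 1: LDAP lookup of userPrincipalName -> UPN claim (assumed; built in earlier steps)
# Rule 2: Token-Groups - Qualified by Domain -> Group claim (step 6)
# Rule 3: pass an already-present UPN claim through unchanged (steps 7-8)
# Rule 4: pass an already-present Group claim through unchanged (step 8, "similar process")
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "UPN from Active Directory"
c:[Type == "$waClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upnClaim"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleTemplate = "LdapClaims"
@RuleName = "Group from Token-Groups - Qualified by Domain"
c:[Type == "$waClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$groupClaim"), query = ";tokenGroups(domainQualifiedName);{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "$upnClaim"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Group"
c:[Type == "$groupClaim"]
 => issue(claim = c);
"@

# Apply the rule set (this replaces whatever issuance transform rules the trust had)
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -IssuanceTransformRules $rules

# Step 10 from the guide: make AD FS issue JWT tokens to this relying party
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpIdentifier -EnableJWT $true

# Read the trust back and check it is in the state steps 9 and 10 expect
$trust     = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
$ruleCount = ([regex]::Matches($trust.IssuanceTransformRules, '@RuleName')).Count

"Relying party:             {0}" -f $trust.Name
"Issuance transform rules:  {0} (expected 4)" -f $ruleCount
"JWT enabled:               {0}" -f $trust.EnableJWT

if ($ruleCount -ne 4 -or -not $trust.EnableJWT) {
    Write-Warning 'Relying party trust is not in the expected state; review the rules above before pointing tenants at the portal.'
}
```

-IssuanceTransformRules overwrites the whole rule set on the trust, so if the relying party already carries rules beyond these four, capture them first with Get-AdfsRelyingPartyTrust and merge them into $rules rather than running the script as-is. The final read-back is the part worth keeping in a change record: it shows exactly which claims will leave Fabrikam AD FS for Contoso and that tokens are issued as JWT.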


Windows Azure Pack blog posts on Building Clouds & TechNet

You might be thinking, that was a lot of Windows Azure Pack blog posts going out on Building Clouds over the past two months, what's going on?

You are right, there have been a lot of blog posts about WAP or its related components. In November and December we released over 30 blog posts on Building Clouds and the System Center blog to help our readers familiarize themselves with this new technology from Microsoft.

For the same reason you might also be looking for a nice overview on TechNet where you can navigate through the different blog posts.

This blog post is designed to bring you exactly that.

Windows Azure Pack Introduction, Overview and Concepts

Name | Blog | Date | Author
What's New in 2012 R2: IaaS Innovations | In the Cloud | 31-07-2013 | Brad Anderson
What's New in 2012 R2: Service Provider & Tenant IaaS Experience | In the Cloud | 01-08-2013 | Brad Anderson
What You Have to Gain from Cloud-based Financial Management IT | In the Cloud | 22-10-2013 | Brad Anderson
What's New in 2012 R2: Enabling Modern Apps with the Windows Azure Pack | In the Cloud | 21-08-2013 | Brad Anderson
What's New in 2012 R2: PaaS for the Modern Web | In the Cloud | 28-08-2013 | Brad Anderson
Table of Contents: Success with Hybrid Cloud | In the Cloud | 12-11-2013 | Brad Anderson


Windows Azure Pack & Installing and Configuring

Name | Blog | Date | Author
Windows Azure Pack - Installing & Configuring Series. | Building Clouds | 06-12-2013 | Anders Ravnholt
Windows Azure Pack - Reconfigure portal names, ports and use trusted certificates | Building Clouds | 10-12-2013 | Anders Ravnholt
Adding an already running VM in Virtual Machine Manager to a Windows Azure Pack Subscription | Building Clouds | 05-12-2013 | Anders Ravnholt
Application Management - System Center and the Web Platform Installer (WebPI) | Building Clouds | 30-08-2013 | Shawn Gibbs [MSFT]

Windows Azure Pack & Service Provider Foundation (SPF)

Name | Blog | Date | Author
Troubleshooting Windows Azure Pack, SPF & VMM | Building Clouds | 06-12-2013 | Anders Ravnholt
Configuring Portals for Service Provider Foundation | TechNet | 01-11-2013 | Microsoft
Service Provider Foundation Developer's Guide | TechNet | 01-11-2013 | Microsoft


Windows Azure Pack & Service Management Automation (SMA)

Name | Blog | Date | Author
Using the Service Management Automation feature of Orchestrator in System Center 2012 R2 | Orchestrator | 29-10-2013 | Eamon O'Reilly
Service Management Automation: Integrating into the OData web service | Orchestrator | 11-12-2013 | Eamon O'Reilly
Service Management Automation: Monitoring and Troubleshooting Your Runbooks | Orchestrator | 13-11-2013 | Chris Sanders MS
SMA capabilities in depth – Runbook Tasks (library, configuration, starting, scheduling, creation and tagging) | Orchestrator | 09-12-2013 | Justin Incarnato
Service Management Automation: Portable Modules – What, Why, and How | Orchestrator | 04-11-2013 | Joe Levy
Automation–An Introduction to Service Management Automation | Building Clouds | 09-08-2013 | Jim Britt [MSFT]
Automation–Service Management Automation Runbook Spotlight–Getting Started with SMA Runbooks | Building Clouds | 14-08-2013 | Jim Britt [MSFT]
Automation–Service Management Automation Runbook Spotlight–Exchange Distribution List Creation | Building Clouds | 15-08-2013 | Jim Britt [MSFT]
Automation–Service Management Automation Tip/Trick–Leveraging InlineScript and $Using:Variable with PowerShell Workflow | Building Clouds | 27-08-2013 | Jim Britt [MSFT]
Automation–Service Management Automation Runbook Spotlight–Virtual Machine Startup by Priority (Part 1) | Building Clouds | 21-08-2013 | Charles Joy [MSFT]
Automation–Service Management Automation Runbook Spotlight–Virtual Machine Startup by Priority (Part 1.5) | Building Clouds | 27-08-2013 | Charles Joy [MSFT]
Automation–Service Management Automation–Utility Runbook Spotlight–VMM Custom Property Management | Building Clouds | 27-08-2013 | Charles Joy [MSFT]
Automation–Service Management Automation Runbook Spotlight–Virtual Machine Startup by Priority (Part 2) | Building Clouds | 29-08-2013 | Charles Joy [MSFT]
Automation – Fun with Orchestrator and SMA integration points | Building Clouds | 12-12-2013 | Charles Joy [MSFT]
Calling an Orchestrator Runbook from SMA – Part 1 | Building Clouds | 01-12-2013 | Tiander Turpijn [MSFT]
Calling an Orchestrator Runbook from SMA – Part 2 | Building Clouds | 11-12-2013 | Tiander Turpijn [MSFT]
Orchestrated offline VM Patching using Service Management Automation | Building Clouds | 07-12-2013 | Thomas Roettinger

Windows Azure Pack & Gallery Items and VM Roles

Name | Blog | Date | Author
Windows Azure Pack VMRole Gallery Items for Collaboration Workloads | Building Clouds | 11-12-2013 | Michael Greene
VMRole Gallery Item – Exchange Server 2013 | Building Clouds | 11-12-2013 | Michael Greene
VMRole Gallery Item – SharePoint Server 2013 | Building Clouds | 11-12-2013 | Michael Greene
VMRole Gallery Item – Lync Server 2013 | Building Clouds | 11-12-2013 | Michael Greene
Virtual Machine Role Example Kit | Building Clouds | 11-12-2013 | Michael Greene
VMRole Guide for the Service Template Admin | Building Clouds | 11-12-2013 | Michael Greene
Troubleshooting Windows Azure Pack & Gallery Items (VM Roles) (Part 1) | Building Clouds | 25-11-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack and Gallery Items (Part 2) | Building Clouds | 27-11-2013 | Anders Ravnholt
Application Management - Virtual Hard Disk Requirements of Windows Azure Pack Gallery Items | Building Clouds | 26-10-2013 | Kurt Scherer [MSFT]


Windows Azure Pack & Web Sites

Name | Blog | Date | Author
Application Management - Service Models Web Platform Installer Gallery | Building Clouds | 26-10-2012 | Kurt Scherer [MSFT]
Offlining Web Application Gallery Feed for Windows Azure Pack | Building Clouds | 06-12-2013 | Shriram [MSFT]
Leveraging IaaS and PaaS with Windows Azure Pack and System Center 2012 R2 | Virtual Machine Manager | 06-11-2013 | J.C. Hornbeck

Windows Azure Pack & Plan and Subscriptions

Name | Blog | Date | Author
How to Create a Basic Plan Using the Service Administration Portal | Building Clouds | 01-08-2013 | Ranganathan Srikanth
Troubleshooting Windows Azure Pack - Plans and Subscriptions | Building Clouds | 02-12-2013 | Anders Ravnholt

Windows Azure Pack & Usage and Billing

Name | Blog | Date | Author
How to Integrate Your Billing System with the Usage Metering System | Building Clouds | 06-12-2013 | Ranganathan Srikanth
IaaS Usage and Service Reporting using System Center 2012 R2 and Windows Azure Pack | Building Clouds | 27-08-2013 | Anders Ravnholt
Configuring VMM and OM for IaaS usage and metering. | Building Clouds | 27-09-2013 | Anders Ravnholt
Configuring SPF and Windows Azure Pack for IaaS usage and metering. | Building Clouds | 01-10-2013 | Anders Ravnholt
Installing & configuring Service Reporting for IaaS usage and metering | Building Clouds | 11-10-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack & Usage (Part 1) | Building Clouds | 20-11-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack & Usage (Part 2) | Building Clouds | 21-11-2013 | Anders Ravnholt

Windows Azure Pack & Identity and ADFS

Name | Blog | Date | Author
Federated Identities to Windows Azure Pack through AD FS – Part 1 of 3 | Building Clouds | 17-12-2013 | Shriram [MSFT]
Federated Identities to Windows Azure Pack through AD FS – Part 2 of 3 | Building Clouds | 17-12-2013 | Shriram [MSFT]
Federated Identities to Windows Azure Pack through AD FS – Part 3 of 3 | Building Clouds | 18-12-2013 | Shriram [MSFT]

Windows Azure Pack & Networking

Name | Blog | Date | Author
Software Defined Networking – Hybrid Clouds using Hyper-V Network Virtualization (Part 1) | Building Clouds | 20-11-2013 | Nader Benmessaoud
Software Defined Networking – Hybrid Clouds using Hyper-V Network Virtualization (Part 2) | Building Clouds | 21-11-2013 | Nader Benmessaoud
Software Defined Networking – Hybrid Clouds using Hyper-V Network Virtualization (Part 3) | Building Clouds | 28-11-2013 | Nader Benmessaoud

Windows Azure Pack & Troubleshooting

Name | Blog | Date | Author
Troubleshooting Installation & Configuration of Windows Azure Pack – An Introduction | Building Clouds | 05-11-2013 | Anders Ravnholt
Troubleshooting Installation of Windows Azure Pack | Building Clouds | 06-11-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack, SPF & VMM | Building Clouds | 08-11-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack & Usage (Part 1) | Building Clouds | 20-11-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack & Usage (Part 2) | Building Clouds | 21-11-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack & Gallery Items (VM Roles) (Part 1) | Building Clouds | 25-11-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack and Gallery Items (Part 2) | Building Clouds | 27-11-2013 | Anders Ravnholt
Troubleshooting Windows Azure Pack - Plans and Subscriptions | Building Clouds | 02-12-2013 | Anders Ravnholt
Service Management Automation: Monitoring and Troubleshooting Your Runbooks | Orchestrator | 13-11-2013 | Chris Sanders MS
General Troubleshooting List for Windows Azure Pack (WAP) and SPF Integration | Orchestrator | 12-11-2013 | J.C. Hornbeck


Windows Azure Pack & Extending and Customization

Name | Blog | Date | Author
Sample Billing Adapter Code for Windows Azure Pack | Building Clouds | 11-12-2013 | Kandavel KR
Sample Portal Code based on Windows Azure Pack, Service Provider Foundation and Virtual Machine Manager | Building Clouds | 28-11-2013 | Kandavel KR
Windows Azure Pack Developers Kit | TechNet | 15-11-2013 | Microsoft
Navigating The Hello World Custom Resource Provider Sample | TechNet | 15-11-2013 | Microsoft

Windows Azure Pack Wiki

Name | Blog | Date | Author
Windows Azure Pack (WAP) and Related Blogs, Videos and TechNet Articles | TechNet | 30-10-2013 | Community
Hyper-v.nu | Partner blog | 30-10-2013 | Hans Vredevoort, Peter Noorderijk, Marc van Eijk

Hope this whitepaper gives you a good overview of Windows Azure Pack and its components on the TechNet blogs.

Until next time, have fun with Windows Azure Pack.