Posts by Marc van Eijk

Windows Azure Pack Tenant Public API new cmdlets

Two months ago I published a blog on the Windows Azure Pack Tenant Public API. This API allows you to interact with your cloud services using PowerShell over the internet and certificate authentication. The Microsoft Azure PowerShell module provided cmdlets for Windows Azure Pack as well. As you might remember from that blog was the lack of VM Role cmdlets. There was a workaround that worked but was somewhat complex to configure and maintain.

A new version of the Microsoft Azure PowerShell module has been released. This new version also contains various new cmdlets  for Windows Azure Pack.

  • New-WAPackCloudService
  • Get-WAPackCloudService
  • Remove-WAPackCloudService
  • New-WAPackVMRole
  • Get-WAPackVMRole
  • Set-WAPackVMRole
  • Remove-WAPackVMRole
  • New-WAPackVNet
  • Remove-WAPackVNet
  • New-WAPackVMSubnet
  • Get-WAPackVMSubnet
  • Remove-WAPackVMSubnet
  • New-WAPackStaticIPAddressPool
  • Get-WAPackStaticIPAddressPool
  • Remove-WAPackStaticIPAddressPool
  • Get-WAPackLogicalNetwork

As you can see it also contains new cmdlets for interacting with cloud services and the VM Role.

You can download Microsoft Azure PowerShell module 0.8.6 through the Web Platform Installer with this link.

The VM Role is a custom configuration that can consist of many required and optional fields. As with the GUI wizard some values must be provided for the PowerShell cmdlet. Creating a new VM Role with the New-WAPackVMRole cmdlet requires some input.


If we take a look at the ResourceDefinition of an existing VM Role there is still some configuration requirement, but it is a huge improvement compared the previous procedure.


Windows Azure Pack configuration with a named instance and a non-default SQL port

Installing Windows Azure Pack in a lab environment is relatively easy. You control all the environment variables. Changes to operating systems, required permissions or other settings are within your own hands.

How different is this when you implement Windows Azure Pack in a Service Provider or Enterprise Organization environment. All kind of security requirements are in place. Each change in the environment is preceded by a request for change procedure. Planning, prerequisites and design documents are essential from the start of the project. If you have not invested in these upfront you will find yourself confronted with a new change each time that, in its turn, results in another RFC with accompanying handling time. Within a couple of days your teeth marks will be visible in the steering wheel of your car.

(Previously) a prerequisite for Windows Azure Pack:

  • Windows Azure Pack requires a SQL server running in mixed authentication mode and the SQL instance must be running on the default SQL port 1433

But the security policy at the Enterprise Organization or Service Provider dictates:

  • The SQL Server must be in Windows Authenticated mode only using a named instance and non-default SQL port

Most deployments start with an installation in a development environment that reflect the production environment. In the development environment the SQL configuration that is required for Windows Azure Pack is tolerated but flagged. Once we move to production the RFC can possibly block the implementation.

I contacted the folks from the Windows Azure Pack program group a couple of months ago. They provided the means to configure Windows Azure Pack with a named instance and against a non-default SQL port. It was OK to use this configuration for the development environments, but they needed some additional testing to validate that this configuration would not break in hotfix or upgrade scenarios.

Named instance and non-default SQL port

It is now supported to configure Windows Azure Pack with a named instance and a non-default SQL port. Configure the database connection in the configuration wizard with the following format.

<SQL Server>\<Instance>,<Port number>

In this example


Custom SQL port

SQL Authentication

Windows Azure Pack does still require a SQL Server in mixed authenticated mode. During the installation SQL accounts are created that are used in the encrypted part of the web.config file of each Windows Azure Pack website. But if this SQL authentication discussion comes up in a project consider this:

A long time ago, Microsoft recommended “When possible, use Windows Authentication” for SQL databases. That recommendation was not based on security issues with SQL authentication. It was a best practice for applications which would work better with pass through user authentication rather than using a service principle. That statement was interpreted by most organizations with “you should never use SQL authentication”.

Is that statement (still) true or is SQL authentication a secure choice?

The best example of using SQL authentication for databases is Microsoft itself. Microsoft Azure SQL Database (database-as-a-service) supports only SQL Server Authentication. Windows Authentication (integrated security) is not supported.

If Microsoft wasn’t comfortable using SQL authentication, they wouldn’t run a few hundred thousand SQL servers. That are on the internet!!

Image taken from the new Microsoft Azure Portal that is in preview.

Azure SQL

More Information

Windows Azure Pack, SQL Always On, Listener and Port story

Microsoft SQL Server versions supported in a Windows Azure Pack deployment

Windows Azure Pack: Infrastructure as a Service Jump Start

Date: July 16 & 17, 2014
Time: 9am–1pm PDT
CTA(s): Registration page:

Alternative link:

IT Pros, you know that enterprises desire the flexibility and affordability of the cloud, and service providers want the ability to support more enterprise customers. Join us for an exploration of Windows Azure Pack’s (WAP’s) infrastructure services (IaaS), which bring Microsoft Azure technologies to your data center (on your hardware) and build on the power of Windows Server and System Center to deliver an enterprise-class, cost-effective solution for self-service, multitenant cloud infrastructure and application services.


Join Microsoft’s leading experts as they focus on the infrastructure services from WAP, including self-service and automation of virtual machine roles, virtual networking, clouds, plans, and more. See helpful demos, and hear examples that will help speed up your journey to the cloud. Bring your questions for the live Q&A!

Course Outline
Day 1

  • Introduction to the Windows Azure Pack
  • Install and Configure WAP
  • Integrate the Fabric
  • Deliver Self-Service

Day 2

  • Automate Services
  • Extend Services with Third Parties
  • Create Tenant Experiences

Metadescription: Free online course for IT Pros: Windows Azure Pack IaaS, including VM roles. Build and manage modern apps, unlock insights

Keywords: Windows Azure Pack, Microsoft Azure, Windows Server, System Center, SQL Server


Andrew Zeller | Microsoft Senior Technical Program Manager

Andrew Zeller is a Technical Program Manager at Microsoft, focusing on service delivery and automation with Windows Server, System Center, and the Windows Azure Pack.

Symon Perriman | Microsoft Senior Technical Evangelist |@SymonPerriman

​As Microsoft Senior Technical Evangelist and worldwide technical lead covering virtualization (Hyper-V), infrastructure (Windows Server), management (System Center), and cloud (Microsoft Azure), Symon Perriman is an internationally recognized industry expert, author, keynote presenter, executive briefing specialist, and technology personality. He started in the technology industry in 2002 and has been at Microsoft for seven years, working with multiple teams, including engineering, evangelism, and technical marketing. Symon holds several patents and more than two dozen industry certifications, including Microsoft Certified Trainer (MCT), MCSE Private Cloud, and VMware Certified Professional (VCP). In 2013, he co-authored Introduction to System Center 2012 R2 for IT Professionals (Microsoft Press) and he has contributed to five other technical books. Symon co-hosts the weekly Edge Show for IT Professionals, and his technologies have been featured in PC Magazine, Reuters News, and The Wall Street Journal. He graduated from Duke University with degrees in Computer Science, Economics, and Film & Digital Studies, and he also serves as the technical lead for several startups and entertainment production companies.

Register today!

You can help shape the future of Windows Azure Pack

Windows Azure Pack delivers Microsoft Azure technologies for you to run inside your datacenter. It offers rich, self-service, multi-tenant services and experiences that are consistent with Microsoft’s public cloud offering.

You can help shape the future of Windows Azure Pack. The Windows Azure Pack team has created a user voice site where you can post feature suggestions and vote on the suggestions of others.

You can find the Azure Pack user voice site here

01 General

Sign in to track your submitted ideas and comments.

When you would like to submit a new suggestion, type in one or more relevant keyword. This will automatically filter the already submitted items. If somebody else already submitted the same suggestion, it allows you to vote on that suggestion. As a signed in user you will have a total of 10 votes. With these votes you can submit new suggestions or vote on existing ones.

Vote for existing suggestions

When you vote for existing items, you can choose to give 1, 2, or 3 votes for more weight. You are able to change your assigned votes afterwards. When suggestions are closed, the votes you assigned to that suggestion are available again.

02 Vote for exisiting idea

Submit a new suggestion

To submit a new suggestion, provide the title for the suggestion and optionally enter a description and category. Select to attach a file if that helps to explain the suggestion and choose how many votes you would like to put on this suggestion.

03 Post new idea

Help shape Windows Azure Pack with the user voice site

Windows Azure Pack Tenant Public API

Microsoft Azure and Windows Azure Pack are like two circles. These circles are moving towards each other and are already overlapping on certain parts. The CloudOS vision is those two circles completely merged into one.


So, when you work with Windows Azure Pack it is very interesting to keep an eye on Microsoft Azure, the public cloud solution from Microsoft. This gives a good idea of the features that are coming to Windows Azure Pack, but also gives more insight in the features that are already available in Windows Azure Pack today. In this blog we will cover a feature that is not very well known but can be very useful. The Windows Azure Pack Tenant Public API.

Most Windows Azure Pack deployments we see in production are in one way or another related to IaaS. Windows Azure Pack provides a powerful web portal that enables tenants to interact with their IaaS services. They can create, edit and delete Virtual Machines and Virtual Networks with just a few clicks.

The tenant portal experience is awesome, but there are scenarios where other methods are required. Take for example regression testing. A tenant want to schedule a deployment for a set of virtual machines with applications. When the virtual machines are deployed, an automated procedure runs tests against the applications, which logs the performed steps to a location for evaluation. After the tests are completed the virtual machines are decommissioned again. The regression tests are scheduled by the tenants and they make changes to the tests frequently.

The first thing that comes to mind with this example is a combination of the VM Role and Service Management Automation. The VM Role allows you to deploy a virtual machine with an application. Service Management Automation enables scheduling of PowerShell workflows that can deploy the VM Roles for the tenant and run the regression tests as well.

Unfortunately in this release of Windows Azure Pack you need access to the Windows Azure Pack Admin Site to edit or schedule an SMA runbook. This requires Admin interaction for each change in the runbook or each change in the schedule, which is not an option.

Microsoft Azure provides a powerful scripting environment with Azure PowerShell. It allows tenants to interact with the services in their Microsoft Azure subscription with PowerShell cmdlets. These cmdlets can be run from a remote client. The client authenticates to the services in the subscription by using certificates. As you expect from Microsoft Azure it works after some easy steps to get the certificates configured correctly.


If you have a closer look at the cmdlets within the Azure PowerShell module you will notice that there are also cmdlets that contain WAPack in their name. This looks promising. READ MORE »

Windows Azure Pack High Availability – Lessons Learned

Exactly one year ago I published a blog on configuring high availability for Windows Azure Services for Windows Server. A lot has happened since then. Windows Azure Pack was released shortly after that and we did numerous implementations of Windows Azure Pack for Service Providers and Enterprise Organizations. And boy, did we learn… I promised back then that if any changes to the procedure were required I’d update that blog. I decided to create a new blog altogether since there is a lot to discuss.

Windows Azure Pack is an application that consists of a web tier and a database tier. The web tier can be installed in a distributed configuration and allows for high availability through the use of load balancing. The database tier leverages clustering for high availability (with SQL AlwaysOn or SQL WFC). This has not changed compared to Windows Azure Services for Windows Server.

Authentication in Windows Azure Pack was subject to some serious changes. A lot has been blogged on updating the URLs for four Windows Azure Pack components:

  • Tenant Site
  • Tenant Authentication Site
  • Admin Site
  • Admin Authentication Site

Besides changes to the IIS configuration for these sites, they also have references in the database that need to be updated. We found out that there are more Windows Azure Pack components that need to be updated for high availability. If you only update these four components and you shut down the first configured admin server in the environment your services are still unavailable, despite the load balancing of these four components.

This blog is a guide for configuring load balancing and high availability for Windows Azure Pack. It will describe the steps to configure Windows Azure Pack after a default installation. It also describes the step to take on the data tier configured with SQL AlwaysOn after a default installation. If you need guidance to setup a SQL AlwaysOn Cluster you can use this blog.

1. Design

In this presentation at TechEd I described a distributed configuration scenario for Windows Azure Pack. In this design the Tenant roles and the Admin roles were divided.

WAP Design

The following components where installed on the roles.

The Tenant Roles

  • Tenant Site
  • Tenant Authentication Site
  • Tenant Public API

The Admin Role

  • Admin Site
  • Admin Authentication Site
  • Admin API
  • Tenant API
  • PowerShell API
  • Best Practice Analyzer

Although I will describes the steps to configure the Tenant Authentication Site and the Admin Authentication Site, please consider to drop the two authentication sites for production environments and use ADFS instead. The configuration steps in for ADFS are similar, so you can use the scripts from this blog for both scenarios.

2. High Availability

Windows Azure Pack stores its information in SQL databases, which can be made high available with clustering.  Load balancers can be used to enable load balancing and high availability for the web server tier.

After the initial configuration the following steps must be performed to prepare Windows Azure Pack for load balancing.

  1. Create DNS records
  2. Import trusted web server certificate
  3. Change the virtual directory bindings
  4. Define variables for PowerShell scripts
  5. Update the database with the new endpoints
  6. Update the federation endpoints for the authentication sites
  7. Update the resource provider endpoints
  8. Optional- Configure a webpage for the load balancer validation process


Windows Azure Pack – You must first register Service Management Automation on Resource Provider VM Clouds

During a recent Windows Azure Pack deployment at a customer site I encountered an issue with the registration of Service Management Automation. I have done the installation and configuration numerous times without issues before. I performed the same steps at this site and the registration of SMA completed successfully. But when I wanted to link a runbook to an action in the VM Clouds resource provider I was treated with the following surprise. As you can see in the screenshot, the resource provider Automation shows the 27 sample runbooks.

You must first register SMA

We seen some other interesting issues in this environment so I tied this inconsistency to the same list.

My fellow MVP Kristian Nese recently published a blogpost explaining how to re-register SPF in Windows Azure Pack. You can actually use the same cmdlets to unregister SMA (or other resource providers) as well. I unregistered the SMA endpoint on the Windows Azure Pack server with the following cmdlets.

$Credential = Get-Credential

$Token = Get-MgmtSvcToken -Type Windows –AuthenticationSite https://yourauthenticationsite:30072 -ClientRealm http://azureservices/AdminSite -User $Credential -DisableCertificateValidation

Get-MgmtSvcResourceProvider -AdminUri “https://localhost:30004″ -Token $Token -DisableCertificateValidation -name “Automation”

Remove-MgmtSvcResourceProvider -AdminUri “https://localhost:30004″ -Token $Token -DisableCertificateValidation -Name “Automation” -InstanceId “the instance ID you got from Get-MgmtSvcResourceProvider

When you verify the registration status in the admin portal after running the cmdlets you should be able to perform the registration again. I successfully registered the SMA endpoint again in the admin portal.

Register SMA

But the Automation tab in the VM Clouds presented the same surprise again. After poking around with some get- cmdlets and verifying it against a working environment I found a solution. The Service Provider Foundation database is unaware of the Service Management Endpoint. I’m still looking at the root cause, but you can use the some cmdlets on the SPF server to update the SPF database with the endpoint information.

If you encounter the issue described in this blog, make sure you have the SMA endpoint registered in Windows Azure Pack and run the following cmdlets on the SPF server.

import-module spfadmin

Get-SCSpfStamp | fl

$stamp = get-SCSpfStamp –name “Name of the Stamp you got from the Get-SCSpfStamp

New-SCSpfServer –name “IaasAutomation” –ServerType None –Stamps $stamp

$Server = Get-SCSpfServer –name “IaasAutomation”

New-SCSpfSetting –Name EndpointURL –SettingType EndpointconnectionString –Value “https://YourSmaEndpoint:9090/” –Server $Server

After a refresh the admin portal should now reflect the changes we made.

After SPF cmdlets

Yesterday I got a call from Darryl van der Peijl who was deploying a new lab environment and he encountered the exact same issue.If you also see this issue please add a comment to this blog or ping me on twitter @_marcvaneijk

Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 3

In the previous part of this blog series Windows Azure Pack was configured to use ADFS for authentication for the Tenant Site and the Admin Site. We have done numerous implementations of Windows Azure Pack where ADFS was part of the design. In the first production deployments we struggled with setting the correct claim values for Co-Admins on subscriptions and admin access for the Admin Site based on groups, like the issue described at the and of the previous part of this blog series. Since then we have learned (or at least we tried) and there are a couple of ways that you can use to gain some insight into the actual issued claims by ADFS. Now please understand me correctly, there will probably be more ways to do the same. I just collected the procedures that we stumbled upon during the troubleshooting moments. We have used the following functionalities to look at issued claims.

  • ADFS Auditing
  • Get-AdfsToken
  • WIF SDK Claim App

There are probably more or better ways to look at the claims issued by ADFS. If you know any, please don’t hesitate to add them to the comments at the end of this blog post.

ADFS Auditing

Active Directory Federation Service provides a built in functionality to log success and failure audits in the event log of the ADFS server. The success audits contain the actual claims provided by ADFS. Besides enabling this functionality in ADFS, auditing rights must also be enabled for the ADFS service account on the server running ADFS.

The first step is to enable auditing rights for the ADFS service account on the server running ADFS. You can configure this with a local policy or a group policy. Open the local or domain policy that will apply to your ADFS server and browse to the Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment entry.

01 GPO

Open the Generate security audits setting and add the domain service account used in the ADFS configuration wizard in part one of this blog series (domain\SVC_ADFS). Update the policy settings on the ADFS server by running the following command

gpupdate /force

Enable auditing on the ADFS server by running the following command

auditpol.exe /set /subcategory:”Application Generated” /failure:enable /success:enable

Open the ADFS management console. Right-click the root of the entries and select Edit Federation Service Properties.

02 Federation Service

Select the events tab and enable the Success audits checkmark.


Windows Azure Pack – VM Role custom Virtual Machine sizes

In Windows Azure Pack you can deploy standalone virtual machines, which are directly mapped to VM Templates in Virtual Machine Manager. The VM Templates are limited to deploy an Operating System, without applications. The VM Template allows you to configure the number of CPUs and the amount of Memory assigned to it. Since the standalone Virtual Machine in Windows Azure Pack is a direct mapping to the VM Template in Virtual Machine Manager, a virtual machine that is deployed by a tenant will be configured according to the size you specified in the VM template. If you would like to give a tenant the possibility to change the number of CPUs and amount of Memory assigned to virtual machine you can define hardware profiles in Virtual Machine Manager and add them to the plan that the tenant has a subscription on.

00 Standalone Virtual Machine

Virtual Machine Manager also provides Service Templates. Service Templates use VM Templates as building blocks and add a lot of functionality on top of them. Scale-up, Scale-out, application integration, relation to deployed instances and versioning, just to name a few.

With the release of Windows Azure Pack a new feature called the VM Role was introduced. The VM Role is a Windows Azure Pack gallery item, that uses the service template engine in Virtual Machine Manager. It allows you to deploy a virtual machine with automated application installation. Most of the functionality that you might be familiar with from Service Templates are also present in the VM Role. For a good comparison have a look at this blog.

The VM Role exists of two parts.  The Resource Definition is imported in to Windows Azure Pack and contains the fields to build up the deployment wizard and map to the Resource Extension. The Resource Extension is imported in to Virtual Machine Manager and contains the application logic. Virtual Machine Manager does not provide a Graphical User Interface for The Resource Extension. You can create new or edit existing Resource Definition and Resource Extension files with the VM Role Authoring Tool.

When you deploy your first VM Role, you will notice that the available sizes for the virtual machine are populated automatically.


The predefined list contains the following sizes.

Name Description CpuCount MemoryInMB
ExtraSmall Extra Small Size VM 1 768
Small Small Size VM 1 1792
Medium Medium Size VM 2 3584
Large Large Size VM 4 7168
ExtraLarge Extra Large Size VM 8 14336
A6 A6 Size VM 4 28672
A7 A7 Size VM 8 57344

The VM Role is also present in Windows Azure. If you have deployed a virtual machine in Windows Azure before you will immediately recognize these sizes. To minimize the differences for moving the VM Roles between Windows Azure Pack and Windows Azure, it makes sense to match the VM sizes between the two environments. But what if you have a company policy that dictated other VM sizes or you are Service Provider and would like to provide your own VM sizes. The VM Authoring Tool also has a JSON tab to show the actual code.


Windows Azure Pack with ADFS and Windows Azure Multi-Factor Authentication – Part 2

In the previous part of this blog series we installed Windows Azure Pack and Active Directory Federation Services. In this blog we will configure the WAP Admin Portal and the WAP Tenant Portal to use ADFS for authentication. The configuration steps for both sites are very similar with some exceptions. The following steps will be performed.

  • Change the WAP site bindings in IIS
  • Update the WAP database with the new IIS bindings
  • Configure the WAP database to use ADFS
  • Create a relying party in ADFS
  • Create claim rules in ADFS
  • Enable JWT for relying party in ADFS

After completing these steps, every user that successfully authenticates to ADFS can access the WAP tenant site. To prevent a random user from accessing the WAP admin site, an additional step must be performed to enable access for admins.

  • Configure authenticated users for the admin site

Windows Azure Pack accepts User Principal Name (UPN) claims and Group claims. A tenant requires a UPN claim to logon to Windows Azure Pack. When a tenant subscribes to a plan the UPN is made owner of the subscription. A UPN is required as owner for a subscription. The Group claim is optional and can be used to specify Co-Admins for an existing subscription. A common design is to designate an owner of the subscription that is responsible (for example a department head) and add a group claim as co-admins for the subscription (for example a group containing all the departments users). A couple of tests with group claims pointed out that Domain Local Groups will not work (even if you manage to pass them as claims with some custom claim rules) and that Windows Azure Pack will not accept a space in the Group when configuring Co-Admins for a subscription.

01 CoAdmins req

Two components of ADFS are important in relation to Windows Azure Pack. The Claims Provider and the Relying Party. A Claims Provider authenticates a user, create the claims for that user and configures the claims into security tokens that the relying party uses to make authorization decisions. A Relying Party consumes claims in a particular transaction. Claims that originate from a claims provider can be presented and consumed by the relying party. A default installation of ADFS configures a Claims Provider trust to Active Directory. This default Claims Provider trust has a predefined set of Claims, which contains the UPN claim, but does not contain the Group claim.

It is possible to add additional claims at the Claims Provider level or at the Relying party level. If you add additional claims at the Claims Provider level, these claims are available to all relying parties and can also be used for authorization and transformation in a relying party configuration. If you add additional claims at the Relying Party level, these claims will only be available to that particular Relying Party.


Our Sponsors

Powered by