Installing and configuring System Center Service Provider Foundation

A couple of months ago I posted a blog about the Technical Preview of Windows Azure for Windows Server. My fellow blogger Hans Vredevoort (MVP Virtual Machine) and I discussed possible configuration scenarios. The Windows Azure for Windows Server development team also provided us with great help. There are a lot of products involved in the setup and this makes a simple walkthrough more difficult. With the experience taken from the Technical Preview and the official release I have created a walkthrough for the end to end solution.

Enabling the Cloud OS

Because there are so many moving parts I decided to split this walkthrough into the following blog items.

This blog is a complete walkthrough on installing and configuring the Service Provider Foundation.


The Service Provider Foundation enables service providers to offer Infrastructure as a Service (IaaS). The infrastructure of System Center VMM 2012 is exposed through the Service Provider Foundation as an extensible OData web service, that supports REST-based requests. The web service handles these requests through Windows PowerShell scripts. By using this industry standard Microsoft enables Service Provider to leverage their existing investments in custom management Portals.

The Service Provider Foundation is placed on top of a System Center VMM 2012 environment. This blog will not cover the installation and configuration of System Center 2012 VMM. I can advise a great book called Microsoft Private Cloud Computing written by Aidan Finn, Hans Vredevoort, Patrick Lownds and Damian Flynn that I use as a reference frequently.


The Service Provider Foundation uses SQL server for its database. Depending on the size of your environment you can either use the same SQL server as your System Center VMM 2012 SP1 environment or use a dedicated SQL server for the Service Provider Foundation. The database is supported on SQL Server 2008 R2 and SQL Server 2012.

Before we install the Service Provider Foundation some prerequisites must be installed.

These prerequisites can be categorized in the following parts.

  • Operating System
    • Windows Server 2012
    • PowerShell 3.0
  • System Center VMM SP1
    • System Center VMM SP1 console
  • Web Server IIS Server Role
    • IIS Management > Scripts and Tools
    • IIS Security > Basic Security
    • IIS Security > Windows Authentication
    • IIS Application Development > ASP.NET 4.5
  • Windows Features
    • .NET Framework 4.5 Features > WCF Services > HTTP Activation
    • Management OData IIS Extension
  • Downloads
    • WCF Data Services 5.0 for OData V3
    • ASP.NET MVC 4

When you have configured Windows Server 2012 with an IP address, applied Windows Updates and introduced the server as member to the same domain that your System Center VMM environment is running in, you are ready to install the prerequisites. The first requirement is the installation of the System Center VMM console. You can install the console from the System Center 2012 VMM SP1 installation media.

01 Install VMM console

Now you can install the required features and roles by opening Add Roles and Features in Server Manager. Select the Web Server IIS on the Server Role screen. Select .NET Framework 4.5 Features > WCF Services > HTTP Activation and Management OData IIS Extension. On the Web Server IIS role services screen add the role services IIS Management Scripts and Tools, IIS Security Basic Security, IIS Security Windows Authentication, IIS Application Development ASP.NET 4.5 to the default settings.

05 Installation Check Part2

You can also install these roles and features by running the following PowerShell command.

Install-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Request-Monitor, Web-Http-Tracing, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-Basic-Auth, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Scripting-Tools, NET-Framework-45-ASPNET, NET-WCF-HTTP-Activation45, ManagementOdata, WAS, WAS-Process-Model, WAS-Config-APIs

PowerShell Install-WindowsFeature

Two requirements are not included in the Windows Server 2012 operating system. The installation of these requirements is straightforward.

The Service Provider Foundation install wizard will verify that all roles and features are installed correctly.

Required user accounts

We need to create a domain user account for the Service Provider Foundation application pools and three domain groups that will be used for the permissions on the individual virtual directories created by the installer.

In this example I have created a service account

  • domainSvc_Spf

And the following domain groups

  • domainSpf_Admins
  • domainSpf_Provider
  • domainSpf_VMM


The Service Provider Foundation provides an extensible OData web service. Communications to this web service can and should be encrypted by SSL. SSL requires certificates. The Service Provider Foundation allows for self-singed certificates (for testing purposes) and certificates issued by a standalone Certificate Authority, an enterprise Certificate Authority or a public Certificate Authority. The Service Provider Foundation requires a default web server certificate.

If Windows Azure for Windows Server is located in the same domain as the Service Provider Foundation you are not required to request a public certificate. If you want to enable connectivity to the Service Provider Foundation from System Center App Controller in untrusted domains a public certificate might become a better alternative.

In the following blogs I will describe connecting Windows Azure for Windows Server to the Service Provider Foundation and connecting System Center App Controller to the Service Provider Foundation. In these blogs we will have a closer look at the possible web server certificates and the corresponding pros and cons.

For the installation in this blog we will use a self-signed certificate. In the following blogs this certificate will be replaced.

Open IIS Manager, select the server in the left console and select Server Certificates in main menu.

Create SelfSigned Cert P1

When you open the Server Certificates feature the right menu allows for certificate creation.

Create SelfSigned Cert P2

Select Create Self-Signed Certificate and specify the common name. The common name must match the URL that is used when connecting to the Service Provider Foundation.

Create SelfSigned Cert P3

Please keep in mind that the self-signed certificate will not be trusted by another operating system that initiates a request to the web service. For testing purposes you can add the self-signed certificate to the trusted root certificate certificates in the computer store of the requesting operating system.


The Service Provider Foundation setup is added to the System Center Orchestrator SP1 media. The System Center Orchestrator 2012 SP1 installer also allows you to install the Service Provider Foundation.

02 Setup screen orchestrator

The installer will first verify that all prerequisites are met. If you have followed the steps described in this blog you will see all green checks here.

07 Prerequisites check

In the next step you need to specify the SQL Server where the Service Provider Foundation database is created. Please verify that the firewall of the SQL Server allows traffic on port 1433. The installer will verify connectivity before you can continue to the next step.

Select the certificate you created for the web service. In this example we select the self-signed certificate that we created earlier.

09 Certificate

In the following three screen the virtual directories, corresponding permissions and App Pool Identities are specified. Please note that these permissions and App Pool Identities are essential for a properly functioning environment when you connect different solutions to Service Provider Foundation. In these screen we will specify the domain service account and the domain groups we created earlier.

In the Configure the Admin Web Service specify the domainSpf_Admin group in the virtual directory permissions. Specify the domainSvc_Spf service account in the Application pool credentials.

10 AppPool Admin

In the Configure the Provider Web Service specify the domainSpf_Provider group in the virtual directory permissions. Specify the domainSvc_Spf service account in the Application pool credentials.

11 AppPool Provider

In the Configure the VMM Web Service specify the domainSpf_VMM group in the virtual directory permissions. Specify the domainSvc_Spf service account in the Application pool credentials.

12 AppPool VMM

Post installation

In the following blog I will explain how to setup Windows Azure for Windows Server. For correct functionality additional permissions must be configured for the service account (domainSvc_Spf).

The SPF service account that is configured as Application Pool Identity of the Service Provider Foundation virtual directories needs to be added as a member of the following local groups on the server where the Service Provider Foundation is installed.

  • SPF_Admin
  • SPF_Provider

15 Set permissions for Spf Service Account on SPF server

The SPF service account (domainSvc_Spf) also needs to be added to the administrator user role in the System Center VMM 2012 SP1 environment in the same domain. Open System Center VMM 2012 SP1, select settings in the left bottom menu and select user roles in the main window.

13 Set permissions for Spf Service Account in VMM P1

Open the Administrator User Role and add the service account (domainSvc_Spf).

14 Set permissions for Spf Service Account in VMM P2

The service account also needs permissions in SQL Server running the Service Provider Foundation database. Open the SQL Server Management Studio > Security and select the domain service account.

17 Set permissions for Spf Service Account in SQL

The service account will need the Sysadmin role in SQL Server. Open the properties of the service account (domainSvc_Spf), select the Server Roles tab and enable the sysadmin role.

18 Set permissions for Spf Service Account in SQL

Update Rollup 1 changes App Pool Identity

When you install System Center Orchestrator 2012 SP1 Update Rollup 1 on the Service Provider Foundation server the VMM App Pool Identity is changed from the domain service account (domainSvc_Spf) to Network Service.


You need to change the App Pool Identity back to the service account (domainSvc_Spf). You can find a complete walkthrough on this step in my previous blog System Center 2012 SP1 Update Rollup 1 breaks Service Provider Foundation connectivity in Windows Azure for Windows Server.

More information

Enabling Hosted IaaS Clouds for Service Providers Using Microsoft System Center 2012 SP1 with Windows Server 2012

Service Provider Foundation on TechNet

Cloud Resource Management with System Center 2012 Service Pack 1 (SP1) – Orchestrator and Service Provider Foundation


  1. March 19, 2013    

    Hello Marc,

    We have installed SPF on 2 environments following your tutorial but are unable to get it to work. We cannot find any usable logging on SPF. When we open the URL directly (https://servername:8090/SC2012/VMM/Microsoft.Management.OData.svc/?WSDL) and login we get ‘The server encountered an error processing the request. See server logs for more details.’. But as noted before we cannot find any logfiles or eventlog error so we don’t know where to search for the cause. Are you able to open this URL and view the service definition on your testenvironment?



  2. March 20, 2013    

    Hello Hans,

    We haven’t installed orchestrator, only SCOM and SCVMM. Also CU1 is not installed, it’s a fresh SP1 installation. Are you able to open de service definition URL on the test env?



    • March 24, 2013    

      Hi Frans,

      I checked the URL you specified and result looks as expected.
      Did you check that the correct user accounts are specified as Application Pool IDs?


  3. March 25, 2013    

    Sorry Marc,

    I seriously doubt this is a fault on our side. I have again installed the SPF framework on a pair of new servers and again the same error. I followed your instructions to the letter. I’m giving up for now on the SPF, i cannot imagine other users don’t have this problem. Until microsoft add proper errorhandling we cannot continue.



  4. March 26, 2013    

    An update on my side; i was able to get WCF tracing going and see the error is related to the powershell executionpolicy. Can you reply what the output of the following command is on your testenvironment?

    Get-ExecutionPolicy -List

    Thanks so far!

  5. March 26, 2013    

    Yes this was the problem; after removing the GPO policy which sets the MachinePolicy to Unrestricted the WCF service works!

    • March 27, 2013    

      Hi Frans,
      Good to hear you were able to resolve the issue.

  6. August 14, 2013    

    How to enable Connect Console in Tenant site to rdp vms?

  7. September 27, 2013    

    Hello ,
    please i need your help , i try to install SPF and in the prerequisites i need to have Powershell 3.0 , i have Windows server 2012 , and it’s don’t work when i try to install powershell 3.0 .

    thank you

    • October 5, 2013    

      Hi Tarik,
      Windows Server 2012 comes with PowerShell 3.0 preinstalled. There is no need to install in manually. If you just run the Install-WindowsFeature cmdlet as described in the blog, install the VMM Console and the two downloads (WCF Data Services 5.0 for OData V3 and ASP.NET MVC 4) you should be good to go.
      Regards, Marc

  8. November 29, 2013    

    Has the installation and configuration of WAP and SPF changed when using Windows Server 2012 R2 and System Center 2012 R2? I can get the SPF installed, but when I try to register SPF with VMM I get a “The Service URL or credentials are not valid” error. I am following the TechNet documentation quite carefully, so I’m wondering if the documentation may perhaps be out of date when using the latest versions of the products?

    • November 29, 2013    

      Hi Andre,

      The installation and configuration for SPF is the same in SP1 and R2 (with the exception of an additional virtual directory in the wizard). If you use the steps described in this blog to prepare SPF and the steps in the following blog from this series to create the local service account you should be able to register SPF in Azure Pack.

      Hope this helps.

  9. January 9, 2014    

    I have the problem with registering SPF since two days ago. Joining domain is necessary or is it possible to run in local mode?
    Maybe, do you have a working image or virtual machine for your implemented tutorial?

    • January 10, 2014    

      Hi Mogi, the SPF must be member of the same domain as your VMM environment.
      Does this answer your question?

  10. January 29, 2014    

    Hello Marc,
    I find the document about “New server and stamp capabilities”( It seems SPF R2 not only support VMM. Do you know where can find the API for DPM or OM? Thank you.

  11. Ravi Ravi
    February 28, 2014    

    Hi, i followed all the step and WIndows Azure is running. Only issue i have that i can assign templates to a plan. When i login as a user which has a subscription to the plan i create a vm but templates is still None. I reinstalled everything but still no success. I do can add VM Networks, that is successfull. Please your advice.

  12. Fatiha Fatiha
    April 17, 2014    

    Hello Marc;
    I try to create a stamp using C# program that interact with SPF, but i have this following exception error:
    Une exception non gérée du type ‘System.Data.Services.Client.DataServiceRequestException’ s’est produite dans Microsoft.Data.Services.Client.dll

    Informations supplémentaires : Une erreur s’est produite lors du traitement de cette requête.

    this my program:
    SpfADMIN.Admin adminService = new SpfADMIN.Admin(new System.Uri(@””));
    adminService.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials;

    SpfADMIN.Stamp stamp = new SpfADMIN.Stamp();
    stamp.Name = “New stamp”;


  13. John John
    May 8, 2014    

    Is there a updated version of all these guides for SC 2012 R2? I know you mentioned that this guide is practicly the same, but for the rest of the guides, do they all play well for R2 or is there a diff blog for one that is practical only for R2?

1 Trackback

  1. Installing and configuring Service Management Portal and API – Part 1 on February 12, 2013 at 13:33
  2. Installing and configuring Service Management Portal and API – Part 2 on March 24, 2013 at 22:59
  3. Installing and configuring Service Management Portal and API – Part 3 on March 27, 2013 at 23:21
  4. Privat Azure? | on April 16, 2013 at 22:27
  5. System Center 2012 SP1 Service Provider Foundation High Availability on June 7, 2013 at 11:53
  6. Connecting System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation – 2 Scenarios on June 8, 2013 at 23:31
  7. System Center 2012 SP1 Service Provider Foundation High Availability | Marc van Eijk on June 8, 2013 at 23:42
  8. Windows Azure Services for Windows Server, SPF and SCVMM – Managing Tenants across these components (Part 1) | on June 11, 2013 at 22:07
  9. Simple and secure by Design but Business compliant [Benoît SAUTIERE / MVP] on September 21, 2014 at 17:32

Leave a Reply

Your email address will not be published. Required fields are marked *

Our Sponsors

Powered by