A couple of months ago I posted a blog about the Technical Preview of Windows Azure for Windows Server. My fellow blogger Hans Vredevoort (MVP Virtual Machine) and I discussed possible configuration scenarios. The Windows Azure for Windows Server development team also provided us with great help. There are a lot of products involved in the setup and this makes a simple walkthrough more difficult. With the experience taken from the Technical Preview and the official release I have created a walkthrough for the end to end solution.
Because there are so many moving parts I decided to split this walkthrough into the following blog items.
- Installing and configuring System Center Service Provider Foundation
- Installing and configuring Windows Azure for Windows Server – Part 1
- Installing and configuring Windows Azure for Windows Server – Part 2
- Installing and configuring Windows Azure for Windows Server – Part 3
- Installing and connecting System Center 2012 SP1 App Controller to System Center 2012 SP1 Service Provider Foundation – 2 Scenarios
This blog is a complete walkthrough on installing and configuring the Service Provider Foundation.
The Service Provider Foundation enables service providers to offer Infrastructure as a Service (IaaS). The infrastructure of System Center VMM 2012 is exposed through the Service Provider Foundation as an extensible OData web service, that supports REST-based requests. The web service handles these requests through Windows PowerShell scripts. By using this industry standard Microsoft enables Service Provider to leverage their existing investments in custom management Portals.
The Service Provider Foundation is placed on top of a System Center VMM 2012 environment. This blog will not cover the installation and configuration of System Center 2012 VMM. I can advise a great book called Microsoft Private Cloud Computing written by Aidan Finn, Hans Vredevoort, Patrick Lownds and Damian Flynn that I use as a reference frequently.
The Service Provider Foundation uses SQL server for its database. Depending on the size of your environment you can either use the same SQL server as your System Center VMM 2012 SP1 environment or use a dedicated SQL server for the Service Provider Foundation. The database is supported on SQL Server 2008 R2 and SQL Server 2012.
Before we install the Service Provider Foundation some prerequisites must be installed.
These prerequisites can be categorized in the following parts.
- Operating System
- Windows Server 2012
- PowerShell 3.0
- System Center VMM SP1
- System Center VMM SP1 console
- Web Server IIS Server Role
- IIS Management > Scripts and Tools
- IIS Security > Basic Security
- IIS Security > Windows Authentication
- IIS Application Development > ASP.NET 4.5
- Windows Features
- .NET Framework 4.5 Features > WCF Services > HTTP Activation
- Management OData IIS Extension
- WCF Data Services 5.0 for OData V3
- ASP.NET MVC 4
When you have configured Windows Server 2012 with an IP address, applied Windows Updates and introduced the server as member to the same domain that your System Center VMM environment is running in, you are ready to install the prerequisites. The first requirement is the installation of the System Center VMM console. You can install the console from the System Center 2012 VMM SP1 installation media.
Now you can install the required features and roles by opening Add Roles and Features in Server Manager. Select the Web Server IIS on the Server Role screen. Select .NET Framework 4.5 Features > WCF Services > HTTP Activation and Management OData IIS Extension. On the Web Server IIS role services screen add the role services IIS Management Scripts and Tools, IIS Security Basic Security, IIS Security Windows Authentication, IIS Application Development ASP.NET 4.5 to the default settings.
You can also install these roles and features by running the following PowerShell command.
Install-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Request-Monitor, Web-Http-Tracing, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-Basic-Auth, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Scripting-Tools, NET-Framework-45-ASPNET, NET-WCF-HTTP-Activation45, ManagementOdata, WAS, WAS-Process-Model, WAS-Config-APIs
Two requirements are not included in the Windows Server 2012 operating system. The installation of these requirements is straightforward.
The Service Provider Foundation install wizard will verify that all roles and features are installed correctly.
Required user accounts
We need to create a domain user account for the Service Provider Foundation application pools and three domain groups that will be used for the permissions on the individual virtual directories created by the installer.
In this example I have created a service account
And the following domain groups
The Service Provider Foundation provides an extensible OData web service. Communications to this web service can and should be encrypted by SSL. SSL requires certificates. The Service Provider Foundation allows for self-singed certificates (for testing purposes) and certificates issued by a standalone Certificate Authority, an enterprise Certificate Authority or a public Certificate Authority. The Service Provider Foundation requires a default web server certificate.
If Windows Azure for Windows Server is located in the same domain as the Service Provider Foundation you are not required to request a public certificate. If you want to enable connectivity to the Service Provider Foundation from System Center App Controller in untrusted domains a public certificate might become a better alternative.
In the following blogs I will describe connecting Windows Azure for Windows Server to the Service Provider Foundation and connecting System Center App Controller to the Service Provider Foundation. In these blogs we will have a closer look at the possible web server certificates and the corresponding pros and cons.
For the installation in this blog we will use a self-signed certificate. In the following blogs this certificate will be replaced.
Open IIS Manager, select the server in the left console and select Server Certificates in main menu.
When you open the Server Certificates feature the right menu allows for certificate creation.
Select Create Self-Signed Certificate and specify the common name. The common name must match the URL that is used when connecting to the Service Provider Foundation.
Please keep in mind that the self-signed certificate will not be trusted by another operating system that initiates a request to the web service. For testing purposes you can add the self-signed certificate to the trusted root certificate certificates in the computer store of the requesting operating system.
The Service Provider Foundation setup is added to the System Center Orchestrator SP1 media. The System Center Orchestrator 2012 SP1 installer also allows you to install the Service Provider Foundation.
The installer will first verify that all prerequisites are met. If you have followed the steps described in this blog you will see all green checks here.
In the next step you need to specify the SQL Server where the Service Provider Foundation database is created. Please verify that the firewall of the SQL Server allows traffic on port 1433. The installer will verify connectivity before you can continue to the next step.
Select the certificate you created for the web service. In this example we select the self-signed certificate that we created earlier.
In the following three screen the virtual directories, corresponding permissions and App Pool Identities are specified. Please note that these permissions and App Pool Identities are essential for a properly functioning environment when you connect different solutions to Service Provider Foundation. In these screen we will specify the domain service account and the domain groups we created earlier.
In the Configure the Admin Web Service specify the domainSpf_Admin group in the virtual directory permissions. Specify the domainSvc_Spf service account in the Application pool credentials.
In the Configure the Provider Web Service specify the domainSpf_Provider group in the virtual directory permissions. Specify the domainSvc_Spf service account in the Application pool credentials.
In the Configure the VMM Web Service specify the domainSpf_VMM group in the virtual directory permissions. Specify the domainSvc_Spf service account in the Application pool credentials.
In the following blog I will explain how to setup Windows Azure for Windows Server. For correct functionality additional permissions must be configured for the service account (domainSvc_Spf).
The SPF service account that is configured as Application Pool Identity of the Service Provider Foundation virtual directories needs to be added as a member of the following local groups on the server where the Service Provider Foundation is installed.
The SPF service account (domainSvc_Spf) also needs to be added to the administrator user role in the System Center VMM 2012 SP1 environment in the same domain. Open System Center VMM 2012 SP1, select settings in the left bottom menu and select user roles in the main window.
Open the Administrator User Role and add the service account (domainSvc_Spf).
The service account also needs permissions in SQL Server running the Service Provider Foundation database. Open the SQL Server Management Studio > Security and select the domain service account.
The service account will need the Sysadmin role in SQL Server. Open the properties of the service account (domainSvc_Spf), select the Server Roles tab and enable the sysadmin role.
Update Rollup 1 changes App Pool Identity
When you install System Center Orchestrator 2012 SP1 Update Rollup 1 on the Service Provider Foundation server the VMM App Pool Identity is changed from the domain service account (domainSvc_Spf) to Network Service.
You need to change the App Pool Identity back to the service account (domainSvc_Spf). You can find a complete walkthrough on this step in my previous blog System Center 2012 SP1 Update Rollup 1 breaks Service Provider Foundation connectivity in Windows Azure for Windows Server.