Windows Azure Pack changing the default URLs

With the General Availability of Windows Azure Pack more organizations are interested in or are already implementing the complete CloudOS. Compared to the previous release Microsoft has put more effort in documentation for the product. After you have implementing your first lab environment (and you should, before trying anything like this in production) you will see that the default URLs for accessing the Admin Site is configured on port 30091 and the Tenant Site is configured on port 30081. In the previous release of Windows Azure Pack (named Windows Azure Services for Windows Server) you could just change the port to 443 in IIS, assign a public certificate to the website and you were done.

In Windows Azure Pack Microsoft introduced the possibility to use Active Directory Federations Services (ADFS) for authentication. This functionality enables a single sign on experience for end users. ADFS (besides many other features) makes Windows Azure Pack also interesting for enterprise organizations wanting to provide “Service Provider like” offerings to their internal customers.

The integration of ADFS required some changes to the validation procedure within Windows Azure Pack. Even without configuring ADFS the Admin Site and the Tenant Site now have their own dedicated authentication sites. In this blog I’ll describe the required steps to change the default URLs (name and port number) to public URLs.

Installer

Update : It is possible to configure all sites listening on port 443 by using Server Name Indication. Flemming Riis has published a post on his blog that describes how to configure this.

Before we start it is good to understand that it is not possible to have multiple sites on a single server listening on the same default SSL port 443. I have even tried to add additional IP addresses to the same server NIC and bind each Website to a different IP Address (all on port 443). This will work within the same subnet, but will not function when accessing through NAT externally. For this configuration we are looking at four websites.

  • Admin Site
  • Admin Authentication Site
  • Tenant Site
  • Tenant Authentication Site

If you want to access these sites externally over a default SSL connection on port 443 you would need a virtual machine for each website (four in total) and four public IP addresses. For a production environment you would not provide external access to the Admin Site. The Admin Site and the Admin Authentication Site can be installed on a single machine. The Tenant Site and the Tenant Authentication site are probably going to be accessed from the internet. You can use a wildcard certificate provided by a public Certificate Authority for all websites. For this blog I will reference three virtual machines.

  • wap01 (Admin Site & Admin Authentication Site)
  • wap02 (Tenant Site)
  • wap03 (Tenant Authentication Site)

In a more robust production environment you would double these servers and make their services high available with a Load Balancer (NLB or Hardware Load Balancer). I have verified that these configuration steps are the same for a scale out scenario using Load Balancing.

The Admin Site

In a default configuration the Admin Site is configured on port 30091 and the Admin Authentication Site is configured on port 30072. Accessing the the admin site through a browser can be divided in to the following seven steps.

Admin Default

  1. You enter the NetBIOS name of the server with the port configured in IIS for the Admin Site
  2. Windows Azure Pack gets the Admin Site Fully Qualified Domain Name (FQDN) and port number from the database and notifies the browser
  3. The browser is redirected to the FQDN and port number of the Admin Site configured in the Windows Azure Pack database
  4. The Admin Site detects you do not have the correct token to validate and notifies the browser with the FQDN and port number of the Admin Authentication Site configured in the database
  5. The browser is redirected to the FQDN and port number configured for the Admin Authentication Site in the Windows Azure Pack database
  6. After validation a token is provided and the Admin Authentication Site gets the FQDN and port number from the database for the Admin Site and notifies the browser
  7. The browser is redirected to the FQDN and port number configured for the Admin Site

For this example I want access the Admin Site on https://admin.hyper-v.nu and the Admin Authentication Site on https://admin.hyper-v.nu:30072. I will describe each configuration step referencing the numbers in the picture.

1. You enter the NetBIOS name of the server with the port configured in IIS for the Admin Site

  • When you enter the new URL (https://admin.hyper-v.nu) in the browser, the client performs a DNS query. Make sure that the DNS server that the client uses resolves the FQDN to the IP address of the server hosting the Admin Site and Admin Authentication Site.
  • Import a web server certificate on the server running the Admin Site and the Admin Authentication Site. The web server certificate should be issued by a Certificate Authority that is trusted by the client. The web server certificate can be a wildcard certificate and should be issued by a public Certificate Authority when using it in a production environment.
  • Change the port of the Admin Site in IIS from the default 30091 to 443 and change the self-signed certificate to the trusted web server certificate.
  • Change the self-signed certificate of the Admin Authentication Site to the trusted web server certificate.

2. Windows Azure Pack gets the Admin Site Fully Qualified Domain Name (FQDN) and port number from the database and notifies the browser

  • We need to change the FQDN and the port number of the Admin Site that is configured in the database. Open PowerShell on the server running Admin Site and the Admin Authentication Site. Import the MgmtSvcConfig module by running the following command.
  • Import-Module -Name MgmtSvcConfig
  • Change the FQDN and port number of the Admin Site with the following command. Change the FQDN to your own value and the Server entry to the name of your SQL server hosting the Windows Azure Pack databases.
  • Set-MgmtSvcFqdn -Namespace “AdminSite” -FullyQualifiedDomainName “admin.hyper-v.nu” -Port 443 -Server “SQL1”

4. The Admin Site detects you have not have the correct token to validate and notifies the browser with the FQDN and port number of the Admin Authentication Site configured in the database

  • With the MgmtSvcConfig module imported in PowerShell (see step 2), run the following command to change the FQDN and port number of the Admin Authentication Site in the Windows Azure Pack database. Change the FQDN to your own value and the Server entry to the name of your SQL server hosting the Windows Azure Pack databases.
  • Set-MgmtSvcFqdn -Namespace “WindowsAuthSite” -FullyQualifiedDomainName “admin.hyper-v.nu” -Port 30072 -Server “SQL1”
  • The Admin Site needs to be updated with the new FQDN and port number for the Admin Authentication Site. Run the following command to create a variable containing the information about your SQL Server hosting the Windows Azure Pack databases.
  • $ConnectionString = ‘Data Source=SQL1;Initial Catalog=Microsoft.MgmtSvc.Config;User ID=sa;Password=P@ssw0rd1’
  • The following command updates the information about the Admin Authentication Site that is contained within the Admin Site and references the variable $ConnectionString we just created. Change the MetadataEndpoint so it contains your own FQDN. The parameter –DisableCertificateValidation is optional and only necessary if you are using untrusted (self-signed) certificates.
  • Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint ‘https://admin.hyper-v.nu:30072/FederationMetadata/2007-06/FederationMetadata.xml‘ -ConnectionString $ConnectionString -DisableCertificateValidation
  • You can verify if the new entry is configured by hitting the endpoint on the following URL https://admin.hyper-v.nu:30072/FederationMetadata/2007-06/FederationMetadata.xml

6. After validation a token is provided and the Admin Authentication Site gets the FQDN and port number from the database for the Admin Site and notifies the browser

  • The Admin Authentication Site also needs to be updated with the new FQDN and port number for the Admin Site. With the MgmtSvcConfig module imported in PowerShell (see step 2), run the following command to create a variable containing the information about your SQL Server hosting the Windows Azure Pack databases. If you are in the same PowerShell session this variable is still available.
  • $ConnectionString = ‘Data Source=SQL1;Initial Catalog=Microsoft.MgmtSvc.Config;User ID=sa;Password=P@ssw0rd1’
  • The following command updates the information about the Admin Site that is contained within the Admin Authentication Site and references the variable $ConnectionString we just created. Change the MetadataEndpoint so it contains your own FQDN. The parameter –DisableCertificateValidation is optional and only necessary if you are using untrusted (self-signed) certificates.
  • Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint ‘https://admin.hyper-v.nu/FederationMetadata/2007-06/FederationMetadata.xml’ -ConnectionString $ConnectionString -DisableCertificateValidation

After completing the configurations steps on the server running the Admin Site and the Admin Authentication Site the process now takes the steps from the following image.

Admin FQDN

When you connect from the client on the new FQDN you will be prompted to authenticate. This is expected since the Admin Authentication Site is running on a custom port with a FQDN. If you authenticate with the domain admin credentials you will be redirected and able to access the Admin Site with the new FQDN. If you add the new Admin Site URL (https://admin.hyper-v.nu) to the Local Intranet Zones in Internet Explorer you will have a true Single Sign on experience.

The Tenant Site

The steps for configuring the Tenant Site are in essence the same. The actual PowerShell command have some other values for certain parameters. I will describe the complete process again so you can configure the Admin Site and the Tenant Site separately by just following the steps. In a default configuration the Tenant Site is configured on port 30081 and the Tenant Authentication Site is configured on port 30071. The Tenant Site and the Tenant Authentication Site will be changed to port 443 for external access. The Tenant Site is installed on a dedicated virtual machine (in this example WAP02) en the Tenant Authentication Site installed on a separate virtual machine (in this example WAP03). Accessing the the Tenant site through a browser can be divided in to the following seven steps.

Tenant Default

  1. You enter the NetBIOS name of the server with the port configured in IIS for the Tenant Site
  2. Windows Azure Pack gets the Tenant Site Fully Qualified Domain Name (FQDN) and port number from the database and notifies the browser
  3. The browser is redirected to the FQDN and port number of the Tenant Site configured in the Windows Azure Pack database
  4. The Tenant Site detects you do not have the correct token to validate and notifies the browser with the FQDN and port number of the Tenant Authentication Site configured in the database
  5. The browser is redirected to the FQDN and port number configured for the Tenant Authentication Site in the Windows Azure Pack database
  6. After manual validation a token is provided and the Tenant Authentication Site gets the FQDN and port number from the database for the Tenant Site and notifies the browser
  7. The browser is redirected to the FQDN and port number configured for the Tenant Site

For this example I want access the Tenant Site on https://manage.hyper-v.nu and the Tenant Authentication Site on https://logon.hyper-v.nu. I will describe each configuration step referencing the numbers in the picture. Since the PowerShell command can only reference the NameSpaces (websites) that are installed on a server you need to pay attention on what server each command should be executed.

1. You enter the NetBIOS name of the server with the port configured in IIS for the Admin Site

  • When you enter the new URL (https://manage.hyper-v.nu) in the browser, the client performs a DNS query. Make sure that the DNS server that the client uses resolves the FQDN to the IP address of the server hosting the Tenant Site and Tenant Authentication Site. If you want the tenant to access the Tenant Site externally you will need to register two DNS records in your public DNS zone. (In this example we need to register the A record manage and the A record logon in the public DNS zone hyper-v.nu and point these records to public IP addresses that I can NAT to the two websites.
  • Import a web server certificate on the server running the Tenant Site and on the server running the Tenant Authentication Site. The web server certificate should be issued by a Certificate Authority that is trusted by the client. The web server certificate can be a wildcard certificate and should be issued by a public Certificate Authority when using it in a production environment.
  • Change the port of the Tenant Site in IIS from the default 30081 to 443 and change the self-signed certificate to the trusted web server certificate.
  • Change the port of the Tenant Authentication Site in IIS from the default 30071 to 443 and change the self-signed certificate to the trusted web server certificate.

2. Windows Azure Pack gets the Tenant Site Fully Qualified Domain Name (FQDN) and port number from the database and notifies the browser

  • We need to change the FQDN and the port number of the Tenant Site that is configured in the database. Open PowerShell on the server running the Tenant Site. Import the MgmtSvcConfig module by running the following command.
  • Import-Module -Name MgmtSvcConfig
  • Change the FQDN and port number of the Tenant Site with the following command. Change the FQDN to your own value and the Server entry to the name of your SQL server hosting the Windows Azure Pack databases.
  • Set-MgmtSvcFqdn -Namespace “TenantSite” -FullyQualifiedDomainName “manage.hyper-v.nu” -Port 443 -Server “SQL1”

4. The Tenant Site detects you have not have the correct token to validate and notifies the browser with the FQDN and port number of the Tenant Authentication Site configured in the database

  • Open PowerShell on the server running the Tenant Authentication Site. Import the MgmtSvcConfig module by running the following command.
  • Import-Module -Name MgmtSvcConfig
  • Run the following command to change the FQDN and port number of the Tenant Authentication Site in the Windows Azure Pack database. Change the FQDN to your own value and the Server entry to the name of your SQL server hosting the Windows Azure Pack databases.
  • Set-MgmtSvcFqdn -Namespace “AuthSite” -FullyQualifiedDomainName “logon.hyper-v.nu” -Port 443 -Server “SQL1”
  • The Tenant Site needs to be updated with the new FQDN and port number for the Tenant Authentication Site. Run the following command on the server running the Tenant Site to create a variable containing the information about your SQL Server hosting the Windows Azure Pack databases.
  • $ConnectionString = ‘Data Source=SQL1;Initial Catalog=Microsoft.MgmtSvc.Config;User ID=sa;Password=P@ssw0rd1’
  • The following command updates the information about the Tenant Authentication Site that is contained within the Tenant Site and references the variable $ConnectionString we just created. Change the MetadataEndpoint so it contains your own FQDN. The parameter –DisableCertificateValidation is optional and only necessary if you are using untrusted (self-signed) certificates. Execute this command in the same PowerShell session used for creating the $ConnectionString variable on the server running Tenant Site.
  • Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint ‘https://logon.hyper-v.nu/FederationMetadata/2007-06/FederationMetadata.xml‘ -ConnectionString $ConnectionString –DisableCertificateValidation
  • You can verify if the new entry is configured correctly by hitting the endpoint on the following URL https://logon.hyper-v.nu/FederationMetadata/2007-06/FederationMetadata.xml

6. After validation a token is provided and the Tenant Authentication Site gets the FQDN and port number from the database for the Tenant Site and notifies the browser

  • The Tenant Authentication Site also needs to be updated with the new FQDN and port number for the Tenant Site. Open PowerShell on the server running the Tenant Authentication Site. Import the MgmtSvcConfig module by running the following command.
  • Import-Module -Name MgmtSvcConfig
  • Run the following command to create a variable containing the information about your SQL Server hosting the Windows Azure Pack databases.
  • $ConnectionString = ‘Data Source=SQL1;Initial Catalog=Microsoft.MgmtSvc.Config;User ID=sa;Password=P@ssw0rd1’
  • The following command updates the information about the Tenant Site that is contained within the Tenant Authentication Site and references the variable $ConnectionString we just created. Change the MetadataEndpoint so it contains your own FQDN. The parameter –DisableCertificateValidation is optional and only necessary if you are using untrusted (self-signed) certificates.
  • Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint ‘https://manage.hyper-v.nu/FederationMetadata/2007-06/FederationMetadata.xml’ -ConnectionString $ConnectionString –DisableCertificateValidation
  • You can verify if the new entry is configured correctly by hitting the endpoint on the following URL https://manage.hyper-v.nu/FederationMetadata/2007-06/FederationMetadata.xml

After completing the configurations steps on the server running the Tenant Site and the server running the Tenant Authentication Site the process now takes the steps as displayed in the following image.

Tenant FDQN

I did a lot of trail and error before I got the configuration steps for this blog. If you find any errors or easier steps to get the same configuration, I’m very interested in hearing them. You can use the information in this blog and combine it with the documentation here to configure your environment for ADFS.

More Information

Technet Documentation

Remote Console in System Center 2012 R2

6 Comments

  1. October 29, 2013    

    You said “Before we start it is good to understand that it is not possible to have multiple sites on a single server listening on the same default SSL port 443.” Have you tried using host headers? http://technet.microsoft.com/en-us/library/cc753195(v=ws.10).aspx

    • October 29, 2013    

      Hi Brandon,
      I haven’t tried that but it might work. It would be very interesting for express installations (lab or demo environments) where a single IP could still provide all services on port 443.
      Thanks for your suggestion.
      Marc

    • November 4, 2013    

      Hi,

      I successfully published Azure Pack on a single server on the internet, behind TMG.
      The Azure server has only 1 IP, just setup host name identification with correct FQDN in your bindings
      HTH

      • December 3, 2013    

        Was the Internal FQDN same as the public URL?

  2. October 30, 2013    
  3. Arthur Arthur
    March 10, 2014    

    Hi Marc,

    I think there is an error in part 6 of the Tenant Site config : the last Set-MgmtSvcIdentityProviderSettings with -Target Membership must be done on the TenantSite server, not on the TenantAuth server.

    Thanks A LOT for this post and your blog in general !

1 Trackback

  1. Windows Azure for your Datacenter | Thomas Maurer on January 28, 2014 at 18:01
  2. Windows Azure Pack (WAP) – An Introduction… | stefanroth.net on January 30, 2014 at 17:28
  3. Windows Azure Pack: Customize the URLs | vNext.be on April 7, 2014 at 22:05
  4. Windows Azure Pack: Customize the URLs | Christopher's System Center Blog on April 7, 2014 at 22:17
  5. Simple and secure by Design but Business compliant [Benoît SAUTIERE / MVP] on September 21, 2014 at 17:31

Leave a Reply

Your email address will not be published. Required fields are marked *

Our Sponsors

Powered by