AzurePack: How to re-run ADFS trust settings for AzurePack portal
Quite often I have come across situations where the AD FS trust for the admin or tenant portal was broken, and the only option was to re-run the trust settings.
To re-run the trust between all components, we will follow the steps mentioned in this article:
https://technet.microsoft.com/en-us/library/dn457746.aspx
The following steps, taken from my wiki, re-run the AD FS trust:
Before running any of the cmdlets, build the two connection strings. The relying party and identity provider settings written in Steps 1 and 3 are stored in the Microsoft.MgmtSvc.PortalConfigStore database; the admin users added in Step 2 are stored in Microsoft.MgmtSvc.Store. The trust cmdlets must be given the PortalConfigStore connection string, and the variables must exist before Step 1 runs.
$dbServer = 'AzurePack-sql'
$dbUsername = 'sa'
$dbPassword = 'SQL_Password'
$portalConfigStoreConnectionString = [string]::Format('Server={0};Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User Id={1};Password={2};', $dbServer, $dbUsername, $dbPassword)
$storeConnectionString = [string]::Format('Server={0};Initial Catalog=Microsoft.MgmtSvc.Store;User Id={1};Password={2};', $dbServer, $dbUsername, $dbPassword)
In the commands below, <fqdn> is the federation service name of the AD FS server (the host that serves FederationMetadata.xml), not a portal host.
Step 1: Configure the admin and tenant management portals to trust AD FS
On the admin portal server:
Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint https://<fqdn>/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $portalConfigStoreConnectionString
On the tenant portal server:
Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint https://<fqdn>/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $portalConfigStoreConnectionString
Step 2: Add the users that may access the management portal for administrators
On the admin API server:
$adminuser = 'domainuser1@mydomain.com'
Add-MgmtSvcAdminUser -Principal $adminuser -ConnectionString $storeConnectionString
Step 3: Configure the admin and tenant authentication sites to trust AD FS
On the Windows authentication site server:
Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint https://<fqdn>/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $portalConfigStoreConnectionString
On the tenant authentication site server:
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint https://<fqdn>/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $portalConfigStoreConnectionString
Step 4: Configure AD FS to trust the management portals
a. Locate the configure-adfs.ps1 script that is installed with Windows Azure Pack under C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\.
b. Run configure-adfs.ps1 on the machine where AD FS is installed, passing the metadata endpoint of the tenant authentication site (the claims provider) and of the two portals (the relying parties). The host:port values below are examples; 30081, 30091 and 30071 are the default ports of the tenant portal, admin portal and tenant authentication site. AD FS downloads each metadata document over HTTPS, so it must be able to resolve those names and must trust the certificates the sites present.
$tenantSite = 'tenant-AzurePack.contoso.com:30081'
$adminSite = 'admin-AzurePack.contoso.com:30091'
$authSite = 'auth-AzurePack.contoso.com:30071'
& "C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication\configure-adfs.ps1" `
    -identityProviderMetadataEndpoint "https://$authSite/federationmetadata/2007-06/federationmetadata.xml" `
    -tenantRelyingPartyMetadataEndpoint "https://$tenantSite/federationmetadata/2007-06/federationmetadata.xml" `
    -adminRelyingPartyMetadataEndpoint "https://$adminSite/federationmetadata/2007-06/federationmetadata.xml"
Appendix: How to break (revert) the AD FS tenant trust
Note: Back up the Microsoft.MgmtSvc.PortalConfigStore database, which holds the relying party and identity provider settings these cmdlets overwrite, before breaking the trust; backing up Microsoft.MgmtSvc.Store as well does no harm.
The two commands point the tenant portal back at the built-in tenant authentication site (default port 30071) and the tenant authentication site back at the tenant portal (default port 30081). wapportal is the example host name, and $portalConfigStoreConnectionString is a connection string to Microsoft.MgmtSvc.PortalConfigStore, built like the one in Step 2 but with that catalog. -DisableCertificateValidation skips validation of the HTTPS certificate on the metadata endpoint; it is usually needed only because the sites still use the self-signed certificates from the install. Drop it wherever the sites have trusted certificates: a metadata endpoint whose certificate is not checked can be spoofed to hand the portal an attacker's signing key.
Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint https://wapportal:30071/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $portalConfigStoreConnectionString -DisableCertificateValidation
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint https://wapportal:30081/FederationMetadata/2007-06/FederationMetadata.xml -ConnectionString $portalConfigStoreConnectionString -DisableCertificateValidation
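The script below is an added example that ties Steps 1 to 3 and the Appendix together; it is not the MgmtSvc module's, the TechNet article's or the original post's own code. Before it writes anything it downloads the federation metadata the cmdlets will consume over a validated TLS connection and checks that it is real WS-Federation metadata with a signing key, so a wrong host, port or untrusted certificate fails up front instead of at the next logon. It then runs the trust cmdlets against the right databases (PortalConfigStore for the trust settings, Store for the admin user) and reads the settings back. Assumed names: AD FS reachable as adfs.contoso.com, the WAP sites on host wapportal with the default ports (tenant auth 30071, tenant portal 30081), SQL server AzurePack-sql, and the Get-MgmtSvcRelyingPartySettings / Get-MgmtSvcIdentityProviderSettings cmdlets being present in your MgmtSvcConfig version. Because the cmdlets write to the shared databases, it can be run from any one WAP host; Step 4 (configure-adfs.ps1) still runs separately on the AD FS host.

```powershell
<#
Added example for this post; not the MgmtSvc module's, the TechNet article's or the original
author's script. Mode 'Federate' performs Steps 1 to 3, mode 'RevertTenant' performs the Appendix.
Assumed: AD FS at adfs.contoso.com, WAP sites on host 'wapportal' with default ports (tenant auth
30071, tenant portal 30081), SQL server 'AzurePack-sql', and Get-MgmtSvc*Settings cmdlets
available in the installed MgmtSvcConfig module.
#>
#Requires -Modules MgmtSvcConfig
[CmdletBinding()]
param(
    [ValidateSet('Federate', 'RevertTenant')]
    [string]$Mode = 'Federate',
    [string]$AdfsFqdn = 'adfs.contoso.com',
    [string]$WapHost = 'wapportal',
    [string]$DbServer = 'AzurePack-sql',
    [string]$AdminUser = 'domainuser1@mydomain.com',
    # Only for lab boxes that still use the self-signed install certificates.
    [switch]$AllowUntrustedCertificate
)

$ErrorActionPreference = 'Stop'
Import-Module MgmtSvcConfig
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Prompt for the SQL login instead of keeping 'sa' and its password in the script.
$sqlCred = Get-Credential -Message 'SQL login for the Microsoft.MgmtSvc.* databases'
$sqlUser = $sqlCred.UserName
$sqlPass = $sqlCred.GetNetworkCredential().Password

# Two databases: trust settings live in PortalConfigStore, admin principals in Store.
$portalConfigCs = "Server=$DbServer;Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User Id=$sqlUser;Password=$sqlPass;"
$storeCs = "Server=$DbServer;Initial Catalog=Microsoft.MgmtSvc.Store;User Id=$sqlUser;Password=$sqlPass;"

function Get-MetadataUrl([string]$HostAndPort) {
    "https://$HostAndPort/FederationMetadata/2007-06/FederationMetadata.xml"
}

# Pre-flight: fetch the metadata the cmdlets will consume and check that it is WS-Federation
# metadata carrying a signing key, so a wrong host, port or certificate fails here, not at logon.
function Test-FederationMetadata([string]$Url) {
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
    } catch {
        throw "Cannot fetch $Url ($($_.Exception.Message)); a TLS trust failure here will make the Set-MgmtSvc* cmdlet fail too."
    }
    [xml]$md = $resp.Content
    $entityId = $md.EntityDescriptor.entityID
    if (-not $entityId) { throw "$Url is not federation metadata (no EntityDescriptor/entityID)" }
    $signing = $md.SelectNodes("//*[local-name()='KeyDescriptor' and @use='signing']")
    if ($signing.Count -eq 0) { throw "$Url advertises no signing key" }
    Write-Host "OK: $Url -> entityID $entityId, $($signing.Count) signing key(s)"
}

$certOpt = @{}
if ($AllowUntrustedCertificate) {
    Write-Warning 'Certificate validation disabled: anyone who can impersonate the metadata host can plant their own signing key.'
    [Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    $certOpt['DisableCertificateValidation'] = $true
}

switch ($Mode) {
    'Federate' {
        $adfsMd = Get-MetadataUrl $AdfsFqdn
        Test-FederationMetadata $adfsMd
        # Step 1: both portals accept tokens issued by AD FS.
        Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint $adfsMd -ConnectionString $portalConfigCs @certOpt
        Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint $adfsMd -ConnectionString $portalConfigCs @certOpt
        # Step 3: both authentication sites treat AD FS as their relying party.
        Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint $adfsMd -ConnectionString $portalConfigCs @certOpt
        Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint $adfsMd -ConnectionString $portalConfigCs @certOpt
        # Step 2: the principal that will log on to the admin portal through AD FS.
        Add-MgmtSvcAdminUser -Principal $AdminUser -ConnectionString $storeCs
    }
    'RevertTenant' {
        # Appendix: tenant portal back to the membership auth site (30071), that site back to the portal (30081).
        $authMd = Get-MetadataUrl "${WapHost}:30071"
        $portalMd = Get-MetadataUrl "${WapHost}:30081"
        Test-FederationMetadata $authMd
        Test-FederationMetadata $portalMd
        Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint $authMd -ConnectionString $portalConfigCs @certOpt
        Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint $portalMd -ConnectionString $portalConfigCs @certOpt
    }
}

# Read the settings back from PortalConfigStore so the endpoints the sites will use are visible.
foreach ($t in 'Admin', 'Tenant') {
    Get-MgmtSvcRelyingPartySettings -Target $t -ConnectionString $portalConfigCs | Format-List *
}
foreach ($t in 'Windows', 'Membership') {
    Get-MgmtSvcIdentityProviderSettings -Target $t -ConnectionString $portalConfigCs | Format-List *
}
```

Run it as .\Reset-WapAdfsTrust.ps1 -Mode Federate for the re-run and -Mode RevertTenant for the Appendix; add -AllowUntrustedCertificate only on a lab box with self-signed certificates, which is the one case where the page's -DisableCertificateValidation is justified. If a portal still shows the old behaviour afterwards, recycle its IIS site so it reloads the settings from the config store.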