Sunday, June 1, 2014

Reconfiguring Azure Pack - the high privileged services

This is actually a follow-up blog post on something that my good friend Flemming Riis wrote earlier:

His blog post described how we changed the tenant site and the tenant authentication site from using the defaults FQDN and ports to something we wanted.

This blog post will show how to do nearly the same, only on your high privileged services, like the admin site and the admin authentication site (the stuff located behind your firewall).

To give you an overview of the end result, this is how our fabric is configured when it comes to Windows Azure Pack:

We are running the high-privileged services on a single virtual machine. That means we will use a single IP for these services, so we must also use Service Name Indication that enables hostheader for SSL.

1.       We created two new records in the “” zone in DNS. Both records (adminwap – for the admin portal, and adminauth – for the authentication) points to the same IP address.
2.       We installed the * certificate on the server
3.       We changed the ports on both the admin site and the windowsauth site in IIS, enabled SNI and associated with the * cert (see screenshots below)

4.       We ran the following cmdlets on the server:

 Set FQDN for the AdminSite

Set-MgmtSvcFqdn –Namespace “AdminSite” –FullyQualifiedDomainName “” –Port 443 –Server “SQLWAP”

Set FQDN for the WindowsAuthSite

SetMgmtSvcFqdn –Namespace “WindowsAuthSite” –FullyQualifiedDomainName “” –Port 443 –Server “SQLWAP”

Re-establish trust for management portal

Set-MgmtSvcRelyingPartySettings –Target admin –MetadataEndpoint ‘’ –ConnectionString “Data;User ID=sa;password=*”

Re-establish trust for authentication site

Set-MgmtSvcIdentityProviderSettings –Target windows –MetadataEndpoint ‘’ –ConnectionString “Data;user id=sa;password=*”

Once this was accomplished, we were able to logon to the management portal using

No comments: