How can I solve expired self-signed certificate errors with Windows Azure Pack?

How can I solve expired self-signed certificate errors with Windows Azure Pack?

Q. I'm receiving a 500 error connecting to my Windows Azure Pack portals and the Event Log shows a certificate error, how can I fix this?

A. When Windows Azure Pack is installed by default, it uses a self-signed certificate for the authentication sites (tenant and administration). These certificates last for one year. After that time, they are no longer valid and authentication will fail. If you look in the event logs (MgmtSvc-TenantSite and MgmtSvc-AdminSite) you should see error:

Error:Unhandled exception: SecurityTokenValidationException: Jwt10329: Unable to validate signature, Configuration.IssuerTokenResolver.ResolveToken returned null. jwt.Header.SigningKeyIdentifier: 'SecurityKeyIdentifier

The solution is to create new certificates.

This can be done with PowerShell but you need to know the SQL Server, the username and password and the WAP passphrase:

# SQL Server DNS name
$Server = "sqlserver.domain.net"

# SQL User and Password
$userid = "sa"
$password = "Password"

# PassPhrase which you have defined during install of WAP
$PassPhrase = "PassPhrase"
$NameSpace = "AuthSite" 

# Get current signing certificate thumbprint
$setting = Get-MgmtSvcSetting -Namespace $NameSpace -Name Authentication.SigningCertificateThumbprint
$oldThumbprint = $setting.Value

# Remove the old certificate from the global config store
$Result = Set-MgmtSvcDatabaseSetting -Namespace $NameSpace -Name Authentication.SigningCertificate -Value $Null -ConnectionString $ConfigconnectionString -PassPhrase $PassPhrase -Force -confirm:$false

# 3. Re-initialize the authentication service to generate a new signing certificate and reconfigure
Initialize-MgmtSvcFeature -Name $NameSpace -Passphrase $PassPhrase -ConnectionString $ConfigconnectionString -Verbose
$NameSpace = "WindowsAuthSite" 

# Get current signing certificate thumbprint
$setting = Get-MgmtSvcSetting -Namespace $NameSpace -Name Authentication.SigningCertificateThumbprint
$oldThumbprint = $setting.Value

# Remove the old certificate from the global config store
$Result = Set-MgmtSvcDatabaseSetting -Namespace $NameSpace -Name Authentication.SigningCertificate -Value $Null -ConnectionString $ConfigconnectionString -PassPhrase $PassPhrase -Force -confirm:$false

# Re-initialize the authentication service to generate a new signing certificate and reconfigure
Initialize-MgmtSvcFeature -Name $NameSpace -Passphrase $PassPhrase -ConnectionString $ConfigconnectionString -Verbose

Note that this would have to be repeated every year. A better approach is to use certificates from your enterprise CA. This is documented at http://blogs.technet.com/b/privatecloud/archive/2013/12/10/windows-azure-pack-reconfigure-portal-names-ports-and-use-trusted-certificates.aspx.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish