blue azure windows clouds

Enable AD FS with Windows Azure Pack

Q: How do I enable Active Directory Federation Services with Windows Azure Pack?

A: To enable Active Directory Federation Services (AD FS) for Windows Azure Pack (for example, if you want the tenant site to authenticate against Active Directory), follow the excellent instructions in the Microsoft TechNet article "Configure Active Directory Federation Services for Windows Azure Pack." If you already have AD FS configured, the setup is fairly basic. To configure the administrator and tenant to use AD FS, run the following code on the Windows Azure Pack servers:

Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint -ConnectionString ';User Id=sa;Password=<SA Password>;'
Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint -ConnectionString ';User Id=sa;Password=<SA Password>;'
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint -ConnectionString ';User Id=sa;Password=<SA Password>;'

Replace with your SQL Server name and with your AD FS server name. Note that I removed the use of self-signed certificates in all my examples; for a test or dev environment that uses self-signed certificates, use the -DisableCertificateValidation option and the -allowSelfSignCertificates option in the later scripts (as documented by Microsoft). After this is configured, you can add administrators—for example:

$adminuser = '[email protected]'
$dbServer = ''
$dbUsername = 'sa'
$dbPassword = '<SA Password>'
$connectionString = [string]::Format('Server= {0} ;Initial Catalog=Microsoft.MgmtSvc.Store;User Id={1};Password={2};',$dbServer, $dbUsername, $dbPassword)

Add-MgmtSvcAdminUser -Principal $adminuser -ConnectionString $connectionstring

You can run the following code to view all the administrators:

Get-MgmtSvcAdminUser -ConnectionString $connectionstring

Next, you need to configure the AD FS server. Copy the configure-adfs.ps1 script from the Windows Azure Pack server (in C:\Program Files\Management Service\MgmtSvc-PowerShellAPI\Samples\Authentication) to the AD FS server, then run it to configure the AD FS server. (Again, replace the URLs for Windows Azure Pack with your own.)

$tenantSite = ''
$adminSite = ''
$authSite = ''

& "C:\Tools\configure-adfs.ps1" `
–identityProviderMetadataEndpoint "https://$authSite/federationmetadata/2007-06/federationmetadata.xml" `
-tenantRelyingPartyMetadataEndpoint "https://$tenantSite/federationmetadata/2007-06/federationmetadata.xml" `
-adminRelyingPartyMetadataEndpoint "https://$adminSite/federationmetadata/2007-06/federationmetadata.xml" `

I also ran the following commands to configure the tenant portal to use Active Directory for authentication:

Set-AdfsRelyingPartyTrust -TargetName "MgmtSvc-TenantSite" -ClaimsProviderName @("Active Directory")
Update-AdfsRelyingPartyTrust -TargetName "MgmtSvc-TenantSite"

When users log on to the tenant portal, the user will authenticate via AD FS and a user object is created in Windows Azure Pack automatically. The users can then add subscriptions. Internally, users are stored in the table mp.Users, in the database Microsoft.MgmtSvc.Store. Subscriptions are stored in mp.Subscriptions. Do not edit any of this data; it's useful only for troubleshooting.

If you experience problems with users logging on, check the Event Viewer on the Windows Azure Pack server at Applications and Services Logs, Microsoft, WindowsAzurePack, MgmtSvc-TenantSite, Operational. I had some problems related to a user I had manually provisioned in Windows Azure Pack that conflicted with a name in Active Directory that I had deleted. This resulted in its token being stored in mp.InvalidatedUserTokens. I deleted these entries, cleared the cookies, and performed an IISRESET on the Windows Azure Pack servers, which fixed the issue.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.