Configure an ADFS Stamp

HOST VM

On AzS Development Kits, sign in to the physical host.
On multi-node integrated systems, the host must be a system that can access the privileged endpoint.

Prerequisite - Active Directory module for Windows PowerShell:

In Windows Server 2019/2016/2012 R2, you can install the Active Directory module for Windows PowerShell from the Server Manager graphical console using the Add Roles and Features Wizard. Start the wizard and at the stage of selecting features you need to select the item Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell.

Steps:

  1. Place the RegisterVConnectAdminApp.ps1 file in a temp folder. [This file can be found in the install folder of the Host VM where VConnect RP was installed: c:\CloudAssert\VConnectMSM\AppRegistration\]
  2. Open a new elevated (administrative) PowerShell console and change to the above directory. Use a new window so that incorrect PowerShell modules already loaded in an existing session cannot interfere with the script.
  3. Run the RegisterVConnectAdminApp.ps1 script with the appropriate parameters:
.\RegisterVConnectAdminApp.ps1 -ServiceAdminUser '' -AzureStackAdminResourceManagerEndpoint '' -AzureDirectoryTenantName '' -AzureEnvironment 'AzureCloud' -IdentitySystemType 'ADFS' -PrivilegedEndpoint '192.168.200.224' -CloudAdminUser '' -adminSubscriptionId ''
Eg:
.\RegisterVConnectAdminApp.ps1 -ServiceAdminUser '[email protected]' -AzureStackAdminResourceManagerEndpoint 'https://adminmanagement.local.contoso.com' -AzureDirectoryTenantName 'cloudassertrp.contoso.com' -AzureEnvironment 'AzureCloud' -IdentitySystemType 'ADFS' -PrivilegedEndpoint '192.168.200.224' -CloudAdminUser '[email protected]' -adminSubscriptionId 'a7f2bc5b-2287-4a8b-b256-dcb14dd06878'
Parameters (all are required):

  ServiceAdminUser
    Service admin account that is an Owner of the Default Provider Subscription. To check: Admin Portal -> sign in as Service Admin -> Subscriptions -> Default Provider Subscription -> verify the role is Owner. Eg: [email protected]
  AzureStackAdminResourceManagerEndpoint
    Azure Stack admin ARM endpoint. Eg: "https://adminmanagement.redmond.masi67.corp.contosotest.com/"
  AzureDirectoryTenantName
    Azure Directory tenant name
  AzureEnvironment
    Cloud environment. Eg: AzureCloud
  IdentitySystemType
    Either "AzureAD" or "ADFS", depending on the authentication mechanism used by the Azure Stack being added
  AdminSubscriptionId
    Default Provider Subscription ID
  PrivilegedEndpoint
    PEP endpoint IP address
  CloudAdminUser
    Cloud admin account user name
The script writes VConnectRegistrationOutput.txt to the same AppRegistration folder. It contains all the information needed to add the new Azure Stack connection in VConnect, which is covered next.
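The pre-flight checks an operator would run before step 3, followed by the registration call itself, as an added example (it is not part of the VConnect package or its documentation). It verifies the prerequisites the steps above rely on: the Active Directory module is present, the console is clean of previously loaded Azure modules, and the PEP is reachable over WinRM and listed in the WinRM client's TrustedHosts. The PEP address, the script folder, the WinRM port (5985, the default for HTTP WinRM) and the angle-bracket placeholders are assumptions to fill in from the parameter list above.

```powershell
# Added pre-flight example; not part of the VConnect package or its docs.
# Run from a fresh, elevated PowerShell console on the host (or the machine
# that can reach the PEP). $pep, $scriptDir and the <...> values are assumed.
$pep       = '192.168.200.224'
$scriptDir = 'C:\CloudAssert\VConnectMSM\AppRegistration'

# 1. Active Directory module: install the RSAT feature if it is missing.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Install-WindowsFeature -Name RSAT-AD-PowerShell | Out-Null
}
Import-Module ActiveDirectory -ErrorAction Stop

# 2. Confirm this really is a clean session: no Azure / Azure Stack modules
#    already loaded that could shadow the ones the registration script imports.
$stale = Get-Module | Where-Object { $_.Name -match '^(Az|Azure)' }
if ($stale) {
    throw "Modules already loaded: $($stale.Name -join ', '). Open a new console."
}

# 3. The PEP is reached over WinRM (TCP 5985 assumed) and must be in the
#    WinRM client's TrustedHosts list before a session to it can be opened.
$tnc = Test-NetConnection -ComputerName $pep -Port 5985 -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) { throw "PEP $pep is not reachable on TCP 5985" }
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
if ($trusted -notmatch [regex]::Escape($pep)) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $pep -Concatenate -Force
}

# 4. Register the app with the documented parameters (fill in the <...> values).
Set-Location $scriptDir
.\RegisterVConnectAdminApp.ps1 `
    -ServiceAdminUser '<service admin UPN>' `
    -AzureStackAdminResourceManagerEndpoint '<https://adminmanagement.<region>.<fqdn>>' `
    -AzureDirectoryTenantName '<directory tenant name>' `
    -AzureEnvironment 'AzureCloud' `
    -IdentitySystemType 'ADFS' `
    -PrivilegedEndpoint $pep `
    -CloudAdminUser '<cloud admin user>' `
    -adminSubscriptionId '<default provider subscription id>'

# 5. Fail loudly if the output the next section depends on was not produced.
$out = Join-Path $scriptDir 'VConnectRegistrationOutput.txt'
if (-not (Test-Path $out)) { throw "Registration did not produce $out" }
Get-Content $out
```

Adding the PEP address to TrustedHosts tells WinRM to skip Kerberos host authentication for that one address, so keep the entry to the PEP IP rather than a wildcard.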

VConnect Resource Provider VM

To support certificate authentication, import the .pfx file generated in the above step into the VConnect Resource Provider VM. Ensure the certificate is imported into the Personal store of this VM.
Once imported, follow the steps below to grant the appropriate permissions:
  1. Open the certificate console (using MMC) in the VConnect VM.
  2. Go to Personal -> right-click the imported certificate -> select All Tasks, and then click Manage Private Keys.
  3. In the new window, click Add.
  4. Under 'Enter object name to select' type IIS_IUSRS and click OK.
  5. In the previous window, make sure IIS_IUSRS is granted Read only (Full control is not needed to sign with the key), click Apply, and then OK to close the window.
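The same import and private-key permission grant done from PowerShell, as an added example (not the VConnect package's own code). It imports the .pfx into the computer's Personal store (LocalMachine\My), locates the key container file on disk, and adds a Read-only ACE for IIS_IUSRS, which is what the MMC steps above do by hand. $pfxPath is an assumed location; run it from an elevated console on the VConnect RP VM.

```powershell
# Added example; not part of the VConnect package or its docs.
# Assumes the .pfx from RegisterVConnectAdminApp.ps1 was copied to $pfxPath.
$pfxPath = 'C:\temp\VConnectAdminApp.pfx'
$pfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# Computer's Personal store, which is the store the RP's IIS worker reads.
$cert = Import-PfxCertificate -FilePath $pfxPath `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPass
if (-not $cert.HasPrivateKey) { throw 'Imported certificate has no private key' }
"Imported $($cert.Subject) with thumbprint $($cert.Thumbprint)"

# Locate the key container on disk. CNG keys live under ...\Crypto\Keys,
# legacy CAPI keys under ...\Crypto\RSA\MachineKeys; the RSA object exposes
# the container's unique file name either way.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$uniqueName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = @("$env:ProgramData\Microsoft\Crypto\Keys",
             "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys") |
    ForEach-Object { Join-Path $_ $uniqueName } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file $uniqueName not found under ProgramData\Microsoft\Crypto" }

# Read is all the RP needs to sign with the key; do not grant Full control.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'IIS_IUSRS', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Show the resulting entry so the grant can be checked against the MMC view.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -like '*IIS_IUSRS' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```

The thumbprint printed on import should match the ApplicationThumbprint value in VConnectRegistrationOutput.txt that the connection form below asks for.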

VCONNECT ADMIN EXTENSION

Create a new connection from the VConnect admin extension in the admin portal.
  1. Go to the admin portal of the master stamp where VConnect RP is deployed.
  2. Go to All Services → VConnect → Connections → Azure Stack Hub.
  3. Click the Add button to create a new connection.

Basic Settings

Use the VConnectRegistrationOutput.txt file to fill in the details; the screenshots below are for reference.

  Connection Name
    Name of the stamp
  Admin ARM endpoint URL
    Admin ARM URL for the stamp
  Location
    On an integrated system, the second segment of the Admin ARM URL is the location. Eg: for "https://adminmanagement.redmond.contoso.com/" the location is "redmond".
    On ASDK, the value is "local".
  Admin Subscription ID
    Admin subscription ID. From VConnectRegistrationOutput.txt, take the value for AdminSubscriptionId
  Tenant Directory ID
    Tenant directory ID. From VConnectRegistrationOutput.txt, take the value for TenantId
  Application ID
    Application ID created by the script above. From VConnectRegistrationOutput.txt, take the value for ApplicationId
  ApplicationThumbprint
    Thumbprint of the certificate created by the script above. From VConnectRegistrationOutput.txt, take the value for ApplicationThumbprint. Note: ApplicationSecret is not currently supported for ADFS stamps through our scripts
  Proxy Address
    Proxy address [only when a proxy is used to connect to stamps]
  Proxy Port
    Proxy port [only when a proxy is used to connect to stamps]
  Proxy Username
    Proxy username [only when a proxy is used to connect to stamps]
  Proxy User Password
    Proxy user password [only when a proxy is used to connect to stamps]
  Admin Portal URL
    Admin Portal URL. Auto-populated from the Admin ARM URL; verify that it is correct.
  Tenant Portal URL
    Tenant Portal URL. Auto-populated from the Admin ARM URL; verify that it is correct.
  Use Default Credentials for Proxy?
    Set only when a proxy is used to connect to stamps
  Skip Server Certificate Validation
    Check. Note that this disables TLS certificate validation of the stamp's endpoints, so the VConnect RP VM will accept a server certificate it does not trust; it is needed where the stamp's ARM certificate chain (for example the ASDK's self-signed CA) is not trusted by the RP VM.
  Enable for Provisioning
    Check
  Skip Connection Validation
    Uncheck

Offline Repository Details

The Offline Repository settings on the connection page allow the operator to use a different offline repository for a single stamp.
"Offline Repository Details" settings are visible only when Offline Marketplace Download settings are configured.

  Offline Marketplace Enabled?
    Use this setting to enable/disable the Offline Marketplace feature at stamp level. When the setting is false, Marketplace items are downloaded into the stamp directly from Azure.
  Use Global Marketplace Settings?
    Set this to use the Offline Repository details configured in the VConnect → Settings → Azure Stack Hub - Marketplace Settings page
  Shared Folder Path
    Shared folder path in which to store offline Marketplace items
  Username
    Username for the shared folder path (optional)
  Password
    Password for the shared folder user account (optional)

Remote PowerShell Machine details

For each connection, a separate remote PowerShell machine can be set, or the global setting (VConnect → Settings → Azure Stack Hub - Remote PowerShell Settings) can be used. A separate machine needs to be configured when the Azure Stack Hub stamp requires a different Az PowerShell module version or when there is a VPN dependency.
"Remote PowerShell Machine" settings are visible only when Offline Marketplace Download settings are configured.

  Use Global Remote Machine settings?
    Set this to use the remote machine details configured in VConnect → Settings → Azure Stack Hub - Remote PowerShell Settings
  Remote Machine
    Virtual machine name/IP address
  Remote Machine Username
    Username of an account with Administrator privileges
  Remote Machine Password
    Password for that user account
  Use HTTPS for WMI?
    Set this to use HTTPS encryption for the WMI connection
  Remote Machine WMI Port
    Configured port number for the WMI connection

Marketplace Syndication Credentials

These settings are useful when stamps are registered with different Azure subscriptions and therefore have different sets of Marketplace items.
"Marketplace Syndication Credentials" settings are visible only when Offline Marketplace Download settings are configured.

  Use Global Azure App Syndication settings?
    Enable this to use the syndication application details configured in VConnect → Settings → Azure Stack Hub - Syndication Application details
  Azure Subscription Id
    Azure subscription ID against which the stamp is registered
  Azure Directory Tenant Id
    Active Directory tenant ID
  Azure Application Id
    Azure application ID
  Azure Application Secret
    Azure application secret

Tags

Tags such as 'Owner details' and 'Categories' can be specified for report generation.

  Owner
    Company owning the stamp
  Owner Email
    Contact email of the person owning the stamp
  Category
    Category. Eg: Development, Testing, Production, etc.
  Sub-Category
    Sub-category, if any

Once a connection is added successfully, allow up to 10 minutes for the data to show up in the portal. Data pertaining to Alerts and Resource Providers may start showing immediately; data pertaining to Stamp Overview, Stamps and Updates may take up to 10 minutes to appear correctly in the portal.