Configure an ADFS Stamp
HOST VM
On AzS Development Kits, sign in to the physical host.
On multi-node integrated systems, the host must be a system that can access the privileged endpoint.
Prerequisite - Active Directory module for Windows PowerShell:
In Windows Server 2019/2016/2012 R2, you can install the Active Directory module for Windows PowerShell from the Server Manager graphical console using the Add Roles and Features Wizard. Start the wizard and at the stage of selecting features you need to select the item Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > Active Directory module for Windows PowerShell.
Steps:
Place the RegisterVConnectAdminApp.ps1 file in a temp folder. [This file can be found in the install folder of Host VM where VConnect RP was installed: c:\CloudAssert\VConnectMSM\AppRegistration\]
Open a new elevated (administrative) PowerShell console and change to the above directory. Use a new window to avoid problems that might arise from incorrect Power Shell modules that are already loaded on the system
Run the RegisterVConnectAdminApp.ps1 script with appropriate parameters
Parameter Name | Description | Required |
ServiceAdminUser | Go to Admin Portal -> Login as Service Admin -> Subscriptions -> Default Provider Subscription -> Check if role is Owner Eg: admin@contosotest.onmicrosoft.com. | Required |
ServiceAdmin Password | Password for the above ServiceAdmin | Required |
AzureStackAdmin ResourceManager Endpoint | Azure Stack ARM endpoint. Eg: "https://adminmanagement.redmond.masi67.corp.contosotest.com/" | Required |
AzureDirectory TenantId | Azure Directory tenant Id | Required |
AzureEnvironment | Cloud environment Eg: AzureCloud | Required |
IdentitySystemType | Either "AzureAD" or "ADFS" depending on authentication mechanism used in the Azure Stack being added | Required |
AdminSubscriptionId | Default Provider Administrator Subscription ID | Required |
PrivilegedEndpoint | PEP endpoint IP address | Required |
CloudAdminUser | Cloud admin account user name | Required |
CloudAdminPassword | Cloud admin account password | Required |
The script outputs VConnectRegistrationOutput.txt in the same AppRegistration folder having all the information needed to add a new azure stack connection in VConnect coming up next.
VConnect Resource Provider VM
To support certificate authentication, import the .pfx file generated in the above step into VConnect Resource Provider VM. Ensure the certificate is imported into the Personal store of this VM.
Once imported follow below steps to give appropriate permissions:
Open the certificate console (Using MMC) in the VConnect VM.
Go to Personal -> On the imported certificate, Right click -> Select All Tasks, and then click Manage Private Keys.
In the new window, click Add.
Under 'Enter object name to select' type IIS_IUSRS and click OK.
In the previous window, click Apply, and then OK to close the window
ADMIN PORTAL OF THE STAMP WITH RP
Create a new connection from the VConnect admin extension in the admin portal.
Go to the admin portal of the master stamp where VConnect RP is deployed
Go to All Services -> VConnect
Click on Connections
Click on Azure Stack Hub
Click on Add to create a new connection (Use the VConnectRegistrationOutput.txt file to fill in details, screenshots below for reference).
Property | Description |
Connection Name | Name of the stamp |
Owner | Company owning the stamp |
Owner Email | Contact email of the person owning the stamp |
Category | Category Eg: Development, Testing, Production, etc., |
Sub-Category | Sub category if any |
Admin ARM endpoint URL | Admin ARM URL for the stamp |
Location | On an integrated system, the second segment of Admin ARM URL is the location. Eg: "https://adminmanagement.redmond.contoso.com/", in this environment "redmond" is the location On ASDK, the value is "local" |
Admin Subscription ID | Admin subscription Id. From VConnectRegistrationOutput.txt, take the value for AdminSubscriptionId |
Tenant Directory ID | Tenant directory Id. From VConnectRegistrationOutput.txt, take the value for TenantId |
Application ID | Application ID created using above script. From VConnectRegistrationOutput.txt, take the value for ApplicationId |
ApplicationThumbprint | ApplicationThumbprint created using above script. From VConnectRegistrationOutput.txt, take the value for ApplicationThumbprint. Note: ApplicationSecret is not currently supported for ADFS stamps through our scripts |
Proxy Address | Proxy address [Only when a proxy is used to connecting stamps] |
Proxy Port | Proxy port [Only when a proxy is used to connecting stamps] |
Proxy Username | Proxy Username [Only when a proxy is used to connecting stamps] |
Proxy User Password | Proxy User Password [Only when a proxy is used to connecting stamps] |
Admin Portal URL | Admin Portal URL. Auto populated based on Admin ARM URL. Please verify if it is correct. |
Tenant Portal URL | Tenant Portal URL. Auto populated based on Admin ARM URL. Please verify if it is correct. |
Use Default Credentials for Proxy? | Set only when a proxy is used to connecting stamps |
Is Environment Integrated with ADFS? | Check if ADFS |
Skip Server Certificate Validation | Check |
Enable for Provisioning | Check |
Skip Connection Validation | Uncheck |
6. Once a connection is added successfully, please wait for up to 10 minutes for the data to show up in portal. Data pertaining to Alerts, Resource Providers may start showing immediately. Data pertaining to Stamp Overview, Stamps, Updates may take up to 10 minutes to properly show in portal.
Last updated
