Configure the management portals to trust AD FS

Updated: October 2013

Applies to: Windows Azure Pack for Windows Server

After you configure Active Directory Federation Services (AD FS), you must configure the management portal for administrators and the management portal for tenants to trust AD FS. You can either run the Set-MgmtSvcRelyingPartySettings cmdlet directly or run a Windows PowerShell script that wraps it.

  1. Run the Set-MgmtSvcRelyingPartySettings cmdlet on each machine where the administrator or tenant portal is installed.

    Before you run the Set-MgmtSvcRelyingPartySettings cmdlet, ensure that the machine that you are configuring can reach the AD FS web service metadata endpoint. To verify access, open a browser and go to the same URI that you plan to pass to the -MetadataEndpoint parameter. If the browser displays the .xml file, the federation metadata endpoint is accessible.

  2. Now, run the Set-MgmtSvcRelyingPartySettings cmdlet.

    Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint https://<fqdn>/FederationMetadata/2007-06/FederationMetadata.xml -DisableCertificateValidation -ConnectionString 'Server=<some server>;User Id=<user with write permissions to all config databases>;Password=<password>;'
    

    The following table shows the information required to run the Set-MgmtSvcRelyingPartySettings cmdlet.

    Cmdlet parameter    Required information

    -Target
        Indicates which portal to configure. Possible values: Admin, Tenant.

    -MetadataEndpoint
        The AD FS web service metadata endpoint. Use a valid, accessible, and complete URI in the following format: https://<AD FS>/FederationMetadata/2007-06/FederationMetadata.xml. In the examples on this page, replace <fqdn> with an accessible AD FS fully qualified domain name (FQDN).

    -ConnectionString
        The connection string to the instance of Microsoft SQL Server that hosts the management portal configuration database. The SQL login must have write permissions to all configuration databases.

  • Instead of using the cmdlet, you can run the following Windows PowerShell script on each machine where the administrator or tenant portal is installed.

    $domainName = 'mydomain.com'
    $adfsPrefix = 'AzurePack-adfs'
    
    $dnsName = ($adfsPrefix + "." + $domainName)
    
    # Enter Sql Server details here
    $dbServer = 'AzurePack-sql'
    $dbUsername = 'sa'
    $dbPassword = '<SQL_password>'
    $connectionString = [string]::Format('Data Source={0};User ID={1};Password={2}', $dbServer, $dbUsername, $dbPassword)
    
    # Note: Use the "DisableCertificateValidation" switch only in test environments. In production environments, 
    # all SSL certificates should be valid.
    Set-MgmtSvcRelyingPartySettings -Target Tenant `
    -MetadataEndpoint https://$dnsName/FederationMetadata/2007-06/FederationMetadata.xml `
    -DisableCertificateValidation -ConnectionString $connectionString
    
    
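The following script is an added example and is not part of the original page or the Windows Azure Pack product code. It performs the pre-flight check described above in PowerShell instead of in a browser: it retrieves the federation metadata with normal certificate validation, confirms the document is a federation EntityDescriptor, reports the issuer and the token-signing certificate the portal will trust, and only then calls Set-MgmtSvcRelyingPartySettings with the parameters shown on this page. The AD FS FQDN and SQL Server name are placeholders, the SQL login is prompted for rather than hard-coded, and -DisableCertificateValidation is deliberately omitted because the fetch in step 1 already proves the certificate chain is trusted on this machine.

```powershell
# Added example (not from the original page). Placeholders: $adfsFqdn, $sqlServer.
$adfsFqdn = 'adfs.contoso.com'
$metadataEndpoint = "https://$adfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml"
$target = 'Tenant'   # use 'Admin' when running on the administrator portal machine

# 1. Fetch the metadata WITHOUT disabling certificate validation. An SSL/TLS error here
#    means the AD FS certificate or the trust chain on this machine needs fixing; do not
#    work around it with -DisableCertificateValidation outside a test environment.
try {
    $response = Invoke-WebRequest -Uri $metadataEndpoint -UseBasicParsing
}
catch {
    throw "Cannot retrieve federation metadata from $metadataEndpoint : $($_.Exception.Message)"
}

# 2. Confirm the response is federation metadata and record what the portal will trust:
#    the issuer (entityID) and the token-signing certificate(s).
[xml]$metadata = $response.Content
$entityId = $metadata.EntityDescriptor.entityID
if (-not $entityId) { throw 'Response is not a valid EntityDescriptor document.' }

$signingCerts = @()
foreach ($keyDescriptor in $metadata.EntityDescriptor.RoleDescriptor.KeyDescriptor) {
    if ($keyDescriptor.use -eq 'signing') {
        $raw = [Convert]::FromBase64String($keyDescriptor.KeyInfo.X509Data.X509Certificate)
        $signingCerts += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    }
}
if ($signingCerts.Count -eq 0) { throw 'No token-signing certificate found in the metadata.' }

Write-Host "AD FS issuer: $entityId"
foreach ($cert in $signingCerts) {
    Write-Host ('Token-signing certificate: {0} (thumbprint {1}, expires {2:d})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
}

# 3. Build the connection string from a prompted credential instead of a hard-coded
#    'sa' password. The login needs write access to all configuration databases.
$sqlServer = 'AzurePack-sql'
$sqlCred = Get-Credential -Message "SQL login with write access to the Windows Azure Pack configuration databases on $sqlServer"
$sqlPassword = $sqlCred.GetNetworkCredential().Password
$connectionString = "Server=$sqlServer;User Id=$($sqlCred.UserName);Password=$sqlPassword;"

# 4. Configure the portal on this machine against the verified endpoint.
Set-MgmtSvcRelyingPartySettings -Target $target `
    -MetadataEndpoint $metadataEndpoint `
    -ConnectionString $connectionString
```

Run the script once on each portal machine, changing $target to match the portal installed there. The thumbprint printed in step 2 is worth recording: if AD FS later rolls its token-signing certificate, comparing against this value is the quickest way to confirm whether the portal's trust needs to be refreshed.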

  • If you want to give users access to the management portal for administrators, you must run the Add-MgmtSvcAdminUser cmdlet on the machine hosting the Admin API. The connection string must point to the Management Portal Configuration database (Microsoft.MgmtSvc.Store).

    The following code example shows how to add a user so that they get administrator access.

    $adminuser = 'domainuser1@mydomain.com'
    # Enter Sql Server details here
    $dbServer = 'AzurePack-sql'
    $dbUsername = 'sa'
    $dbPassword = 'SQL_Password'
    # The Initial Catalog must be the Management Portal Configuration database
    $connectionString = [string]::Format('Server={0};Initial Catalog=Microsoft.MgmtSvc.Store;User Id={1};Password={2};', $dbServer, $dbUsername, $dbPassword)
    
    Add-MgmtSvcAdminUser -Principal $adminuser -ConnectionString $connectionString
    
    

    Note
    • The format of the $adminuser principal must match the user principal name (UPN) that is sent by AD FS.

    • Administrator users must be individual users. You cannot add AD groups as administrator users.
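The following script is an added example and is not part of the original page or the Windows Azure Pack product code. It extends the single Add-MgmtSvcAdminUser call above to a list of principals and enforces the two notes before each call: every entry must be in UPN (user@domain) form, and it must resolve to an individual user object in Active Directory, so that the value stored matches the UPN claim AD FS will send and no group can slip in. The principals, SQL Server name and the use of Get-ADUser from the ActiveDirectory module are assumptions; Add-MgmtSvcAdminUser is called only with the parameters shown on this page.

```powershell
# Added example (not from the original page). Placeholders: $sqlServer and the $principals list.
Import-Module ActiveDirectory

$sqlServer = 'AzurePack-sql'
$sqlCred = Get-Credential -Message "SQL login with write access to Microsoft.MgmtSvc.Store on $sqlServer"
$sqlPassword = $sqlCred.GetNetworkCredential().Password
$connectionString = "Server=$sqlServer;Initial Catalog=Microsoft.MgmtSvc.Store;User Id=$($sqlCred.UserName);Password=$sqlPassword;"

# Constructed input: the third entry is a group name and is expected to be rejected.
$principals = @('alice@contoso.com', 'bob@contoso.com', 'Domain Admins')

foreach ($principal in $principals) {
    # AD FS sends the UPN claim as user@domain; reject anything else (including group names
    # and values containing quotes, which would also be unsafe to embed in the AD filter).
    if ($principal -notmatch "^[^@\s']+@[^@\s']+$") {
        Write-Warning "Skipping '$principal': not in UPN (user@domain) format; AD groups cannot be administrator users."
        continue
    }

    # Confirm the UPN resolves to a user object. Get-ADUser only returns users, so a group
    # with a matching name would not be returned here either.
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$principal'"
    if (-not $adUser) {
        Write-Warning "Skipping '$principal': no AD user has that UPN."
        continue
    }

    # Store the UPN exactly as AD holds it, which is the value AD FS reads when issuing the claim.
    Add-MgmtSvcAdminUser -Principal $adUser.UserPrincipalName -ConnectionString $connectionString
    Write-Host "Added administrator $($adUser.UserPrincipalName)"
}
```

Run it on the machine hosting the Admin API, as the page specifies for Add-MgmtSvcAdminUser. Keeping the administrator list in a file under change control and feeding it to this loop gives an auditable record of who was granted portal administration and when.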
