Configure the tenant authentication site to trust AD FS

Atualizada: Outubro de 2013

Aplica-se a: Windows Azure Pack for Windows Server

The next step is to add information about Windows Azure Active Directory Federation Services (AD FS) to the tenant authentication sites. By default, the portal de gestão para inquilinos uses ASP.NET Membership Provider authentication. You can choose to use the same ASP.NET Membership Provider as a Claims Provider in AD FS. To do this, you must run the Set-MgmtSvcIdentityProviderSettings cmdlet on any machine where the tenant authentication site is installed.

  1. Ensure that the machine that you configure can access the AD FS web service metadata endpoint. To verify the access, open a browser and go to the same URI that you plan to use for the –MetadataEndpoint parameter. If you can view the .xml file, you can access the federation metadata endpoint.

  2. Run the Set-MgmtSvcIdentityProviderSettings cmdlet on any machine where the authentication site is installed.

    Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint https://< fqdn>/FederationMetadata/2007-06/FederationMetadata.xml -DisableCertificateValidation -ConnectionString 'Server=<some server>;User Id=<user with write permissions to all config databases>;Password=<password>;'
    

    The following table shows required information to run the Set- MgmtSvcIdentityProviderSettings cmdlet.

     

    Cmdlet parameter Required information

    -Target

    This parameter is used to indicate which component to configure. Possible values: Membership, Windows.

    -MetadataEndpoint

    The AD FS web service metadata endpoint. Use a valid, accessible, and complete URI, in the following format: https://<AD FS>/FederationMetadata2007-06/FederationMetadata.xml. In the following cmdlets replace $fqdn with an accessible AD FS fully qualified domain name (FQDN).

    -ConnectionString

    The connection string to the instance of Microsoft SQL Server that hosts the portal and API database.

  1. Ensure that the machine that you configure can access the AD FS web service metadata endpoint. To verify the access, open a browser and go to the same URI that you plan to use for the –MetadataEndpoint parameter. If you can view the .xml file, you can access the federation metadata endpoint.

  2. Instead of using the cmdlet, you can run the following Windows PowerShell script.

    $domainName = 'mydomain.com'
    $adfsPrefix = 'AzurePack-adfs'
    
    $dnsName = ($adfsPrefix + "." + $domainName)
    
    # Enter Sql Server details here
    $dbServer = 'AzurePack-sql'
    $dbUsername = 'sa'
    $dbPassword = '<SQL_password>'
    $connectionString = [string]::Format('Data Source={0};User ID={1};Password={2}', $dbServer, $dbUsername, $dbPassword)
    
    # Note: Use the "DisableCertificateValidation" switch only in test environments. In production environments, all 
    # SSL certificates should be valid.
    
    Set-MgmtSvcIdentityProviderSettings -Target Membership `
    -MetadataEndpoint https://$dnsName/FederationMetadata/2007-06/FederationMetadata.xml `
     -DisableCertificateValidation `
    -ConnectionString $connectionString `
    

Mostrar: