Monday, 2 March 2015

Configure WAP for SSL Certificates


Embarking on this work I followed an excellent blog post by Anders Ravnholt, which led me to add these notes on my own experience of setting up WAP certificates. Anders expands on other sections which I felt were not worth rewriting.

Anders' blog post can be found at:
http://blogs.technet.com/b/privatecloud/archive/2013/12/10/windows-azure-pack-reconfigure-portal-names-ports-and-use-trusted-certificates.aspx

Setting up the Windows Azure Pack to use SSL Certificates:
My reference notes:
1)      Prerequisites:

a)      Presumes you have the standard WAP Express install in place

b)      Assumes you have your own local Certificate Authority, or access to the certificates needed

c)       Appropriate permissions (local administrator on the WAP host, and rights on the WAP SQL databases for the Set-MgmtSvc* commands later on)

d)      SSL certificates

i)        For this I will use three certificates issued by my Certificate Authority, one per host name:

(1)    Azure.domain.local

(2)    AzureAdmin.domain.local

(3)    WAPHost.domain.local

e)      DNS entries

i)        Create the following DNS A records (all three names resolve to the WAP host):

(1)    WAPHost.domain.local                   10.10.1.123

(2)    Azure.domain.local                         10.10.1.123

(3)    AzureAdmin.domain.local            10.10.1.123

2)      Install all three certificates, with their private keys, into the Local Machine Personal store on WAPHost.domain.local (IIS can only bind a certificate that has a private key in that store).

3)      Configure the IIS ports and bindings for the MgmtSvc sites. Two of them, MgmtSvc-AdminSite (AzureAdmin.domain.local) and MgmtSvc-TenantSite (Azure.domain.local), share the 443 binding. When setting the certificate on these two sites it is important that you set the Host Name and tick the Require Server Name Indication check box. Failing to do this presents an error and leaves both 443 sites using the same certificate, which is not what you want: without SNI, http.sys has a single certificate slot per IP address and port, so whichever certificate is bound last is served to every client on 443.

For more information see:

http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability

Edit the bindings on MgmtSvc-AdminSite and MgmtSvc-TenantSite, ensuring for each that you set the correct Host Name and SSL certificate and that the Require Server Name Indication checkbox is ticked.




Authentication is set depending on your requirements, and the settings below are for example purposes only. For this installation the following authentication was set per site (the third column is the host name each site is bound to):

Site                       Authentication        Host name
MgmtSvc-SQLServer          Anonymous             Azure.domain.local
MgmtSvc-WebAppGallery      Anonymous             Azure.domain.local
MgmtSvc-WindowsAuthSite    Windows, Anonymous    WAPHost.domain.local
MgmtSvc-TenantAPI          Anonymous             Azure.domain.local
MgmtSvc-AdminAPI           Anonymous             Azure.domain.local
MgmtSvc-TenantPublicAPI    Anonymous             Azure.domain.local
MgmtSvc-Usage              Anonymous             Azure.domain.local
MgmtSvc-UsageCollector     Anonymous             Azure.domain.local
MgmtSvc-Monitoring         Anonymous             Azure.domain.local
MgmtSvc-ConfigSite         Windows               Azure.domain.local
MgmtSvc-AuthSite           Windows               Azure.domain.local
MgmtSvc-AdminSite          Windows               AzureAdmin.domain.local
MgmtSvc-TenantSite         Anonymous             Azure.domain.local
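The binding, SNI and authentication steps above can also be scripted so they are repeatable and can be checked afterwards. The following is an added example written for this page (it is not code from the original post or from the Windows Azure Pack product) using the WebAdministration module that ships with IIS 8. Site names and host names are the ones used in this post; the certificate thumbprints are placeholders you must replace with the thumbprints of the certificates you installed in step 2.

```powershell
# Run elevated on WAPHost.domain.local. Requires the IIS WebAdministration module.
Import-Module WebAdministration

# Site -> host name -> certificate. Thumbprints are placeholders (assumption);
# read yours with: Get-ChildItem Cert:\LocalMachine\My | Format-List Subject, Thumbprint
$sniSites = @(
    @{ Site = 'MgmtSvc-AdminSite';  HostName = 'AzureAdmin.domain.local'; Thumbprint = 'THUMBPRINT-OF-AZUREADMIN-CERT' },
    @{ Site = 'MgmtSvc-TenantSite'; HostName = 'Azure.domain.local';      Thumbprint = 'THUMBPRINT-OF-AZURE-CERT' }
)

foreach ($s in $sniSites) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $s.Thumbprint }
    if (-not $cert)               { throw "No certificate with thumbprint $($s.Thumbprint) in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate for $($s.HostName) has no private key; IIS cannot use it" }

    # Add an https binding with a host header and SslFlags=1 (Require Server Name
    # Indication). Without SNI the two sites cannot share port 443 with different
    # certificates, which is the error described above. Idempotent: skipped if the
    # binding already exists.
    if (-not (Get-WebBinding -Name $s.Site -Protocol https -Port 443 -HostHeader $s.HostName)) {
        New-WebBinding -Name $s.Site -Protocol https -Port 443 -HostHeader $s.HostName -SslFlags 1
    }

    # Attach the certificate to the hostname:port slot. An SNI binding is keyed
    # "!port!hostname" in the SslBindings drive, not "ip!port" like a plain binding.
    $sslPath = "IIS:\SslBindings\!443!$($s.HostName)"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    New-Item -Path $sslPath -Value $cert -SSLFlags 1 | Out-Null
}

# Authentication per site, from the table above: the listed methods are enabled and
# the other one disabled. Written at applicationHost.config level (APPHOST + Location)
# because the authentication sections are locked there by default; this is where
# IIS Manager writes them too.
$auth = @{
    'MgmtSvc-SQLServer'       = @('anonymous')
    'MgmtSvc-WebAppGallery'   = @('anonymous')
    'MgmtSvc-WindowsAuthSite' = @('windows', 'anonymous')
    'MgmtSvc-TenantAPI'       = @('anonymous')
    'MgmtSvc-AdminAPI'        = @('anonymous')
    'MgmtSvc-TenantPublicAPI' = @('anonymous')
    'MgmtSvc-Usage'           = @('anonymous')
    'MgmtSvc-UsageCollector'  = @('anonymous')
    'MgmtSvc-Monitoring'      = @('anonymous')
    'MgmtSvc-ConfigSite'      = @('windows')
    'MgmtSvc-AuthSite'        = @('windows')
    'MgmtSvc-AdminSite'       = @('windows')
    'MgmtSvc-TenantSite'      = @('anonymous')
}
foreach ($site in $auth.Keys) {
    foreach ($method in 'anonymous', 'windows') {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
            -Filter "system.webServer/security/authentication/${method}Authentication" `
            -Name enabled -Value ([bool]($auth[$site] -contains $method))
    }
}

# Check: each https binding on 443 should show its host name and sslFlags=1, and the
# SslBindings drive should map the two host names to two different thumbprints.
Get-WebBinding -Protocol https | Select-Object bindingInformation, sslFlags
Get-ChildItem IIS:\SslBindings
```

If the SslBindings listing shows an `0.0.0.0:443` entry instead of one entry per host name, a binding was created without the SNI flag and that single certificate is what every client on 443 receives.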

From an elevated PowerShell prompt, as a user with sufficient permission on the WAP SQL databases, run the following commands:

Note: the SQL connection strings can be modified to use explicit connection details if required. As written they use Integrated Security, so the Windows account running the commands is the one that must have rights on the databases.

If not already imported, import the module:
Import-Module -Name MgmtSvcConfig

Admin Portal:

Set-MgmtSvcFqdn -Namespace "AdminSite" -FullyQualifiedDomainName "AzureAdmin.domain.local" -Port 443 -Server "YOURSQLSERVER"

Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://WAPHost.domain.local:30072/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=YOURSQLSERVER;Integrated Security=True"

Note: The next command downloads the federation metadata from the endpoint you pass it. If it errors, the cause is more than likely permission related (the site serving the metadata refusing the request). As a workaround, temporarily set that site to Anonymous access, and remember to set it back afterwards.

Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://AzureAdmin.domain.local/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=YOURSQLSERVER;Integrated Security=True"

Tenant Portal:

Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName "Azure.domain.local" -Port 443 -Server "YOURSQLSERVER"

Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName "Azure.domain.local" -Port 444 -Server "YOURSQLSERVER"

Note: As with the admin portal, the next command downloads the federation metadata from the endpoint you pass it; errors are more than likely permission related. As a workaround, temporarily set the site serving the metadata to Anonymous access, and remember to set it back afterwards.

Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://Azure.domain.local/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=YOURSQLSERVER;Integrated Security=True"

After following the above steps I recommend that you restart IIS (iisreset) to ensure everything is set as expected. Once IIS has restarted you should be able to browse the following sites, and each should present the certificate issued for its own name rather than the other site's:

https://Azure.domain.local

https://AzureAdmin.domain.local
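Opening the two portals in a browser only tells you that one certificate came back. The check a practitioner wants is that each host name gets its own certificate when the client sends SNI, that the chain is trusted by the machine doing the check, and that the three federation metadata endpoints used in the Set-MgmtSvc* commands answer. The script below is an added example written for this page, not code from the original post or from Windows Azure Pack; the host names, ports and URLs are the ones used in this post (domain.local is a placeholder). It uses an SslStream directly so the SNI name is under our control, and it accepts any certificate during the handshake so that a wrong one is reported rather than aborting the test.

```powershell
function Test-SniCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything in the validation callback so an untrusted or wrong
        # certificate is returned for inspection; trust is evaluated separately.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # AuthenticateAsClient puts $HostName into the TLS SNI extension, which is
        # what selects between the two sites sharing port 443.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        # Name check against the SAN extension (OID 2.5.29.17) and the subject CN.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $escaped = [regex]::Escape($HostName)
        $nameMatches = ($sanText -match "DNS Name=$escaped(,|$)") -or ($cert.Subject -match "CN=$escaped(,|$)")

        [pscustomobject]@{
            Endpoint    = "${HostName}:$Port"
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Protocol    = $ssl.SslProtocol
            NameMatches = $nameMatches
            Trusted     = $cert.Verify()   # chain builds to a root trusted on this machine
        }
        $ssl.Dispose()
    }
    finally { $client.Close() }
}

function Test-MetadataEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    try {
        # -UseDefaultCredentials so a Windows-authenticated site answers instead of 401.
        # Invoke-WebRequest does validate the certificate, so an untrusted chain shows up here as an error.
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
        [pscustomobject]@{ Url = $Url; Status = $r.StatusCode; IsMetadata = ($r.Content -match '<EntityDescriptor') }
    }
    catch {
        [pscustomobject]@{ Url = $Url; Status = $_.Exception.Message; IsMetadata = $false }
    }
}

$results = @(
    Test-SniCertificate -HostName 'Azure.domain.local'      -Port 443
    Test-SniCertificate -HostName 'AzureAdmin.domain.local' -Port 443
    Test-SniCertificate -HostName 'WAPHost.domain.local'    -Port 30072
)
$results | Format-Table -AutoSize

# The failure mode from the bindings step: both 443 sites answering with the same
# certificate means Require Server Name Indication was not set on one of them.
$on443 = @($results | Where-Object { $_.Endpoint -like '*:443' })
if (@($on443 | Select-Object -ExpandProperty Thumbprint -Unique).Count -lt $on443.Count) {
    Write-Warning 'Both sites on 443 serve the same certificate; check the SNI flag on their bindings.'
}
$results | Where-Object { -not $_.NameMatches -or -not $_.Trusted } | ForEach-Object {
    Write-Warning "$($_.Endpoint): name matches=$($_.NameMatches), trusted=$($_.Trusted)"
}

@(
    'https://WAPHost.domain.local:30072/FederationMetadata/2007-06/FederationMetadata.xml',
    'https://AzureAdmin.domain.local/FederationMetadata/2007-06/FederationMetadata.xml',
    'https://Azure.domain.local/FederationMetadata/2007-06/FederationMetadata.xml'
) | ForEach-Object { Test-MetadataEndpoint -Url $_ } | Format-Table -AutoSize
```

Run it from a domain-joined machine that trusts your CA; `Trusted` will be false from a machine that does not, which is itself useful to know before tenants are pointed at the portal.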

