~ Mark Stanfill
Windows Azure Pack for Windows Server (WAP) integrates with System Center 2012 Virtual Machine Manager (VMM 2012) by using Service Provider Foundation (SPF) as a middle layer that translates PowerShell cmdlets to REST API/OData calls and vice versa. This guide is a checklist of the configuration settings that need to be in place to successfully integrate WAP, SPF, and VMM.
In the example screenshots below, CONTOSO\SpfSvcAcct is the domain service account, and spflocal is the local user account for SPF.
Run the SPF VMM IIS Application Pool Identity as a Domain Service Account
Open Internet Services Manager (InetMgr) and navigate to <SERVERNAME>\Application Pools. Filter on VMM and verify that the identity is a domain account that has Logon As a Service rights.
To change this setting, right-click on the VMM application pool and choose Advanced Settings… Click on Identity and choose Custom Account. Enter the account name in <DOMAIN>\<USERNAME> format and enter the password. Run IISReset for the change to take effect.
SPF Application Pool identity needs admin access to VMM and admin access on the SPF SQL DB
SPF uses the DefaultAppPool application pool by default. Verify that this application pool's identity is a member of the VMM Administrator role and that it also has access to the SPF SQL Server database (SCSPFDB by default).
Configure SPF IIS with Basic Authentication
Open Internet Services Manager and navigate to <SERVERNAME>\Sites\SPF. Double-click on Authentication and verify that Basic Authentication is Enabled.
Create Local User on SPF Server, add to SPF Local Groups (VMM, Admin, Provider, Usage)
On the SPF server, create a local user in Local Users and Groups (lusrmgr.msc) and add it to the SPF_Admin, SPF_Provider, SPF_Usage, and SPF_VMM groups.
Use the Local User to register with the Service Management Portal and API (not a domain user)
Use the local account created above to register SPF with WAP. Navigate to https://localhost:30091/#Workspaces/SystemCenterAdminExtension/quickStart and configure (or re-configure) your SPF account settings to use the local account. Enter only the user name; do not include the computer name.
No need to create any tenants from the SPF PowerShell cmdlets; this is handled automatically when users sign up for a subscription
There is no need to manually configure tenants in SPF. Allow WAP to handle tenant account management.
Log in to the SPF server with the domain service account once
This allows the user’s profile to be created and prevents possible timeout events.
Access the Admin and Tenant Portals Remotely
Depending on your domain and local IIS configuration, several factors can prevent you from authenticating locally to the same server (e.g. if you are logged on to a WAP Express install computer or the Admin Portal machine directly and launch Internet Explorer on that same machine). Kernel-mode authentication in particular (see http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx for more details) may prevent the authentication servers from correctly handling requests. Rather than modifying the WAP IIS settings, simply access the web page remotely from a workstation.
Verify that your user account is a member of the local MgmtSvc Operators group
Load Local Users and Groups (lusrmgr.msc) and verify that the account you are using to access the WAP site is a member of the local machine’s MgmtSvc Operators group.
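The SPF-side items in this checklist can be verified without clicking through IIS Manager and lusrmgr.msc. The following script is an added example and is not part of the original post or of the SPF product; it assumes it runs elevated on the SPF server with the WebAdministration module available, and it uses the names from this post (application pool VMM, site SPF, local user spflocal, and the four SPF_* groups) as-is.

```powershell
# Read-only checks for the SPF configuration items described above (added example, not
# original post content). Assumes: run as administrator on the SPF server; IIS role installed
# so the WebAdministration module exists; names below match the post (change them if yours differ).
Import-Module WebAdministration

$results = @()

# 1. The VMM application pool must run as a custom (domain) account, not a built-in identity.
$pm = Get-ItemProperty 'IIS:\AppPools\VMM' -Name processModel
$results += [pscustomobject]@{
    Check  = 'VMM app pool runs as a custom domain account'
    Actual = "$($pm.identityType) ($($pm.userName))"
    Pass   = ($pm.identityType -eq 'SpecificUser') -and ($pm.userName -match '\\')
}

# 2. Basic Authentication must be enabled on the SPF site.
$basic = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\SPF' `
    -Filter 'system.webServer/security/authentication/basicAuthentication' -Name enabled
$results += [pscustomobject]@{
    Check  = 'Basic Authentication enabled on SPF site'
    Actual = $basic.Value
    Pass   = [bool]$basic.Value
}

# 3. The local user used to register SPF with WAP must be in all four SPF local groups.
# ADSI is used rather than Get-LocalGroupMember so this also works on Windows Server 2012 R2.
function Get-LocalGroupMemberNames([string]$Group) {
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    @($g.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
}
$localUser = 'spflocal'   # local account from the post; assumed name
foreach ($grp in 'SPF_Admin', 'SPF_Provider', 'SPF_Usage', 'SPF_VMM') {
    $members = Get-LocalGroupMemberNames $grp
    $results += [pscustomobject]@{
        Check  = "$localUser is a member of $grp"
        Actual = ($members -join ', ')
        Pass   = $members -contains $localUser
    }
}

$results | Format-Table Check, Pass, Actual -AutoSize
```

Any row with Pass = False points at the section above that describes how to fix it; the VMM Administrator role and SQL permissions in the second section still have to be checked from the VMM console and SQL Server Management Studio.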
Mark Stanfill | Senior Support Escalation Engineer | Management and Security Division