Question

Roelf Zomerman on Thu, 03 Aug 2017 18:39:48


Hi all, 

I have deployed my Azure Stack (finally).. but am again stuck on some scripts.. specifically the https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-app-service-deploy  (Configure an Azure AD service principal for virtual machine scale set integration on Worker tiers and SSO for the Azure Functions portal and advanced developer tools)

Scripts used: CreateIdentityApp.ps1

Now the script asks for a lot more input than in the guide, and you can basically run it with: 

PS C:\AppInstall> .\Create-IdentityApp.ps1 -DirectoryTenantName 'ADFS' -CertificateFilePath 'c:\appinstall\sso.appservice.local.azurestack.external.pfx' -TenantArmEndpoint 'management.local.azurestack.external' -DomainName 'local.azurestack.external' -AdfsMachineName 'azs-adfs01.azurestack.local'

The script/manual does not state that in ADFS mode, your tenant name is actually 'ADFS'.. (which I found out when I opened the script). also.. if you are not logged in already, the script throws an error and you are stuck again.. so.. to overcome that.. I've replaced some parts of the script so instead of throwing an error.. it now neatly asks for username/password from the ADFS login page..and logs you into the stack through PShell.

#line 62 (replaces the original throw)

    # register the admin ARM endpoint as an AzureRM environment
    Add-AzureRmEnvironment `
        -Name "AzureStackAdmin" `
        -ArmEndpoint "https://adminmanagement.local.azurestack.external"
    # write-echo is not a cmdlet; Write-Host prints the prompt text
    Write-Host "please provide local Azure Stack Credentials (ADFS: AzureStack\AzureStackAdmin  |    AAD: <admin>@<domain>.onmicrosoft.com)"
    # will ask for login names (locally)
    Login-AzureRmAccount -EnvironmentName "AzureStackAdmin"

    #throw "Use Login-AzureRmAccount to log in AzureStack"

That at least kickstarts the script.. but ultimately it fails again.. and it fails as it tries to add the service principal as a contributor to the system.. 

The Get-AzureRMRoleAssignment ONLY works against AAD instances.. and thus.. the script fails and stops working..  

In AD I do see the new service principal created (AzureStackAdmin-AppGroup) .. but adding it to the ADFS based Stack instance.. is eeuh.. well a challenge..  I tried using the portal (I was hoping to just pause the script, add it manually and resume), but as it is a service principal it does not show up in the Add Permissions blade in the portal.. Is this just a matter of moving the account from Service Principals OU to the Users OU?

Tips welcome....



Replies

Gary Gallanes [MSFT] on Thu, 03 Aug 2017 23:56:36


Hello Roelf,

I’ve forwarded your post to our internal engineering teams to investigate.

We’ll reply with an action plan or next steps ASAP.

We apologize for any inconvenience and appreciate your time and interest in Azure Stack.

If you continue to experience any issues with the ASDK release, feel free to contact us.

  

PowerShell giving you the Blues? Try my Azure Stack PowerShell Helper scripts

ASDK: Install/Import Azure Stack Modules 1.2.10 & AzureStack-Tools

ASDK: Config PowerShell & set AdminStackAdmin/User ARM Endpoints

  

 Thanks,


Gary Gallanes


Gary Gallanes [MSFT] on Fri, 04 Aug 2017 18:04:04


Hello,

Can you validate that the GraphEndpointResourceId is set up in your Admin & User environments? 

To validate, run the following commands from an elevated PowerShell session.

Set-AzureRmEnvironment -Name "AzureStackAdmin"

Set-AzureRmEnvironment -Name "AzureStackUser"

What value is set for the GraphEndpointResourceId?

If it is not set, please run the following PowerShell to set the GraphEndpointResourceId in each of your environments:

Set-AzureRmEnvironment -Name "AzureStackAdmin" -GraphAudience "https://graph.local.azurestack.external/" -EnableAdfsAuthentication:$true

Set-AzureRmEnvironment -Name "AzureStackUser" -GraphAudience "https://graph.local.azurestack.external/" -EnableAdfsAuthentication:$true

The output returned will shed some light on what’s going on with this.

Let us know how it goes.

We apologize for any inconvenience and appreciate your time and interest in Azure Stack.  If you continue to experience any issues with the ASDK release, feel free to contact us.

  


 Thanks,
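Added example, not code from this thread or from Microsoft's Create-IdentityApp.ps1: one idempotent function that registers an ASDK environment the way the question's login block does, then applies the GraphEndpointResourceId check and Set-AzureRmEnvironment fix from the reply above, so the identity script can be rerun from a known-good environment. It assumes AzureRM.Profile is loaded and uses the ASDK default names and local.azurestack.external endpoints from the thread; the function name and variables are ours.

```powershell
# Added example (not from the thread or Microsoft's script). Assumes AzureRM.Profile
# is loaded and the ASDK defaults from the thread; change names/endpoints for
# another stamp. Everything except the AzureRM cmdlets is our own naming.

function Initialize-AzureStackAdfsEnvironment {
    param(
        [Parameter(Mandatory)] [string] $Name,          # e.g. AzureStackAdmin / AzureStackUser
        [Parameter(Mandatory)] [string] $ArmEndpoint,   # e.g. adminmanagement.local.azurestack.external
        [string] $GraphAudience = 'https://graph.local.azurestack.external/'
    )

    # Step 1 (the question's login block): register the environment if it is missing.
    # Add-AzureRmEnvironment with only -ArmEndpoint discovers the authority and audiences.
    $stackEnv = Get-AzureRmEnvironment -Name $Name -ErrorAction SilentlyContinue
    if (-not $stackEnv) {
        $stackEnv = Add-AzureRmEnvironment -Name $Name -ArmEndpoint "https://$ArmEndpoint"
    }

    # Step 2 (the reply's check): an ADFS-backed stamp needs the Graph audience and the
    # ADFS flag, which is what the reply asks you to verify when the role-assignment
    # step fails. Only call Set- when something is off, so rerunning this is harmless.
    $needsFix = [string]::IsNullOrEmpty($stackEnv.GraphEndpointResourceId) -or
                -not $stackEnv.EnableAdfsAuthentication
    if ($needsFix) {
        $stackEnv = Set-AzureRmEnvironment -Name $Name `
            -GraphAudience $GraphAudience `
            -EnableAdfsAuthentication:$true
    }

    # Return only the fields worth eyeballing before running the identity script.
    $stackEnv | Select-Object Name, ResourceManagerUrl, GraphEndpointResourceId,
                              EnableAdfsAuthentication
}

# Both ASDK environments, then an interactive ADFS login against the admin one.
Initialize-AzureStackAdfsEnvironment -Name 'AzureStackAdmin' -ArmEndpoint 'adminmanagement.local.azurestack.external'
Initialize-AzureStackAdfsEnvironment -Name 'AzureStackUser'  -ArmEndpoint 'management.local.azurestack.external'
Login-AzureRmAccount -EnvironmentName 'AzureStackAdmin'
```

If GraphEndpointResourceId still prints empty after this, the environment was discovered without ADFS metadata and is worth removing and re-adding before retrying the script.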