Administrator Guide

Disabling the tenant AuthSite website
1 On the Console VM, open a Windows PowerShell session as an administrator, and then run the following command:
    Enter-PSSession -ComputerName <Prefix>APT01
2 Do either of the following:
To stop the authentication site, but not remove the components, run the following command:
    Get-Website | Where-Object {$_.Name -eq "MgmtSvc-AuthSite"} | Stop-Website -Verbose
To completely remove the site components, run the following command:
    $productCode = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MgmtSvc\AuthSite).ProductCode
    if ($productCode){msiexec /x $productCode -qn}
3 Run the following command to close the Windows Firewall port for the site. By default, this is port 30071. To determine the port, type Get-Website. The port is listed under Bindings.
    Disable-NetFirewallRule -DisplayName "MgmtSvc-AuthSite (HTTPS-In)"
NOTE: This step fails if you have completely removed all components using the second option in the previous step.
4 Type exit to exit the remote session.
Disabling the admin WindowsAuthSite website
1 Open a Windows PowerShell session as an administrator, and then run the following command:
    Enter-PSSession -ComputerName <Prefix>APA01
2 Do either of the following:
To stop the authentication site, but not remove the components, run the following command:
    Get-Website | Where-Object {$_.Name -eq "MgmtSvc-WindowsAuthSite"} | Stop-Website -Verbose
To completely remove the site components, run the following command:
    $productCode = (Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\MgmtSvc\WindowsAuthSite).ProductCode
    if ($productCode){msiexec /x $productCode -qn}
3 Run the following command to close the Windows Firewall port for the site. By default, this is port 30072. To determine the port, type Get-Website. The port is listed under Bindings.
    Disable-NetFirewallRule -DisplayName "MgmtSvc-WindowsAuthSite (HTTPS-In)"
NOTE: This step fails if you have completely removed all components using the second option in the previous step.
4 Type exit to exit the remote session.
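To confirm that either procedure above took effect, the following added example (not part of the original guide) checks the site state, the firewall rule, and whether anything still listens on the site's port. The function name Test-AuthSiteDisabled and its parameters are hypothetical; the site names, rule names, registry path, and default ports are the ones given in the steps above.

```powershell
# Added verification example, not from the guide. Function and parameter
# names are hypothetical. Run elevated on the portal VM, for example inside
# the remote session before typing exit.
Import-Module WebAdministration

function Test-AuthSiteDisabled {
    param(
        [Parameter(Mandatory)] [string] $SiteName,    # MgmtSvc-AuthSite or MgmtSvc-WindowsAuthSite
        [Parameter(Mandatory)] [int]    $DefaultPort  # 30071 or 30072 per the guide
    )
    $site = Get-Website | Where-Object { $_.Name -eq $SiteName }

    # Ports from the site's bindings ("ip:port:host"); the documented default
    # is always checked so a removed site is still covered.
    $ports = @($DefaultPort)
    if ($site) {
        $ports += @($site.Bindings.Collection | ForEach-Object {
            if ($_.bindingInformation -match ':(\d+):[^:]*$') { [int]$Matches[1] }
        })
    }
    $ports = @($ports | Sort-Object -Unique)

    # Any socket still listening on those ports means the endpoint is still up.
    $listening = @(Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique)

    # Inbound rule named in step 3; absent or disabled both count as closed.
    $rules = @(Get-NetFirewallRule -DisplayName "$SiteName (HTTPS-In)" -ErrorAction SilentlyContinue)
    $ruleOpen = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0

    # ProductCode value that the removal command in step 2 reads.
    $key = 'HKLM:\SOFTWARE\Microsoft\MgmtSvc\' + ($SiteName -replace '^MgmtSvc-', '')
    $productCode = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ProductCode

    [pscustomobject]@{
        Site                = $SiteName
        SiteState           = if ($site) { $site.State } else { 'NotPresent' }
        ProductCodePresent  = [bool]$productCode
        FirewallRuleEnabled = $ruleOpen
        ListeningPorts      = $listening
        Disabled            = ((-not $site) -or ($site.State -eq 'Stopped')) -and
                              (-not $ruleOpen) -and ($listening.Count -eq 0)
    }
}

# On the tenant portal VM:
Test-AuthSiteDisabled -SiteName 'MgmtSvc-AuthSite' -DefaultPort 30071
# On the admin portal VM:
# Test-AuthSiteDisabled -SiteName 'MgmtSvc-WindowsAuthSite' -DefaultPort 30072
```

A result with Disabled set to False shows which of the three checks (site state, firewall rule, listening port) still needs attention.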
Updating to a Security Token Service and re-establishing trust
You must update both tenant and admin authentication to use a security token service such as AD FS or an external third-party identity
system that supports WS-Federation and JWT tokens.
To set up trust with an external third-party identity system that supports WS-Federation and JWT tokens, you can use the federation
metadata file exposed by the Identity Provider.
The following procedures show how to update both tenant and admin authentication to use AD FS as the identity system.
1 Set up trust between the AD FS instance and the Windows Azure Pack management portal for administrators.
For information about how to set up an AD FS instance through the user interface, and how to set up trust between the AD FS
instance and the Windows Azure Pack management portal for administrators, see the following blog posts:
Federated Identities to Windows Azure Pack through AD FS – Part 1 of 3
Federated Identities to Windows Azure Pack through AD FS – Part 2 of 3
For additional information, see Configure Active Directory Federation Services for Windows Azure Pack and AD FS 2.0 Cmdlets in
Windows PowerShell in the TechNet Library.
2 Configure the tenant authentication site to trust AD FS.
Connect to the tenant portal VM (<Prefix>-APT01), open a Windows PowerShell session, and run the following script.