Setting up a Service Fabric Cluster secured by ... - Microsoft



Setting up a Service Fabric Cluster secured by Azure AD

I took some of the information for the steps below from this article. The article focuses on using an ARM template to do the deployment and secure setup (or at least part of it). Below is a simplified version, not using ARM, but instead using PowerShell and manual setup in the portal.

1. Open PowerShell ISE as an Administrator.

2. In the PowerShell command window, log in to your Azure subscription using 'Login-AzureRMAccount'. When you do this, the command window shows the subscriptionID. Copy the subscriptionID, because you will need it in the next PowerShell script. Also copy the tenantID value.

3. Open the PS script CreateVaultCerts.ps1. You will need to fill in all the variables with your own information.

4. Execute the PS script by pressing F5. When the script has completed, you will see output similar to the following in the PS command prompt window. Record/copy/paste this information.

```text
Resource Id: /subscriptions/<your-subscriptionID>/resourceGroups/<your-resource-group>/providers/Microsoft.KeyVault/vaults/<your-vault-name>
Secret URL : : <certificate-thumbprint>
```

To secure the cluster with Azure AD, you will need to decide which AD directory in your subscription you will be using. In this example, we will use the 'default' directory. When you followed Step 2 above, the output also showed the 'tenantID'. This is the ID associated with your default Active Directory. NOTE: If you have more than one directory (or tenant) in your subscription, make sure you get the right tenantID.

5. Once you have the correct tenantID, in the PowerShell command prompt window, change to the directory where the SetupApplications.ps1 file is located.

6. Execute the following command from the PS command prompt window:

```powershell
.\SetupApplications.ps1 -TenantId '<your-tenantID>' -ClusterName '<your-cluster-name>.<region>.cloudapp.' -WebApplicationReplyUrl ''
```

The ClusterName is used to prefix the AAD applications created by the script. It does not need to match the actual cluster name exactly, as it is only intended to make it easier for you to map AAD artifacts to the Service Fabric cluster they're being used with. This can be a bit confusing because you haven't created your cluster yet, but if you know what name you plan to give your cluster, you can use it here.

The WebApplicationReplyUrl is the default endpoint that AAD returns your users to after completing the sign-in process. You should set this to the Service Fabric Explorer endpoint for your cluster, which by default is:

For a full list of AAD helper scripts, you can find more of these at

Make a note of the information at the bottom of the command prompt window. You will need this information when you deploy your cluster from the portal. It will look similar to what you see below.

```json
"azureActiveDirectory": {
  "tenantId": "f78750fd-0d82-4c5d-a48a-3da00072afdf",
  "clusterApplication": "1d0dda7e-268e-490a-89c8-2894e4b8686a",
  "clientApplication": "ec8d8bb4-7825-4e1e-a586-f0ff8d9e679e"
}
```

NOTE: You may receive a warning that you have a missing assembly. You can ignore this warning.

7. After you run the script in step 6, log in to the classic Azure portal, find your Azure Active Directory in the list and click on it.

8. Add 2 new users to your directory. Name them whatever you want, as long as you know which one is the Admin and which one is the read-only user. Make sure to copy down the password that is initially generated; you will need it the first time you try to log in to the portal.

9. Click on the Applications menu. In the Show drop-down box, pick Applications My Company Owns and then click on the check button to the right to do a search.

10. You should see two applications listed. One will be for Native client applications and the other for Web Applications.

11. Click on the application name for the web application type.

12. Click on the Users menu.

13. Click on the user name that should be the administrator and then select the Assign button at the bottom of the portal window.

14. In the Assign Users dialog box, pick Admin from the drop-down box and select the check button.

15. Repeat 13 and 14, but this time, for the read-only user, select ReadOnly from the Assign Users drop-down. This step completes what you need to do in the classic portal, so you can close the classic portal window.

16. You now have all the information you need to create your cluster in the portal. When you get to the blade that asks for the security information, enter the information you have gathered above for both the cluster certificate and the AAD information. You will need to click on the checkbox for Configure Advanced Settings to see the AAD entry fields.

17. Once the cluster has completed creation, you can test your admin and read-only logins by closing all browsers, opening a new browser window and logging in with each user.

Testing your connection to the Cluster from PowerShell

These commands will help you test the connectivity from your machine's PowerShell environment out to your cluster in Azure. This only proves that you can connect using your cluster certificate; it does not involve Azure AD in any way.

```powershell
$ClusterName    = "<your-full-cluster-name>:19000"
$CertThumbprint = "<your-certificate-thumbprint>"

# The same certificate is used both as the client credential and as the
# expected server certificate, so it must be in the CurrentUser\My store.
Connect-ServiceFabricCluster -ConnectionEndpoint $ClusterName -KeepAliveIntervalInSec 10 `
    -X509Credential `
    -ServerCertThumbprint $CertThumbprint `
    -FindType FindByThumbprint `
    -FindValue $CertThumbprint `
    -StoreLocation CurrentUser `
    -StoreName My
```

Publishing your Service Fabric application from Visual Studio

In Visual Studio, whenever you publish an application to the cluster, you will be prompted to log in to Azure with your Azure subscription credentials. If these credentials, or rather this user, are not also assigned the Admin role in AAD for the web client app, then Visual Studio will not be able to connect to the cluster and therefore can't publish. So, add that subscription user as an Admin for the Web Client app in AAD. Your Visual Studio Publish dialog should look something like this:

(screenshot of the Visual Studio Publish dialog)
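Most failures at the portal step or in the Connect-ServiceFabricCluster test come from a pasted value that is subtly wrong: a thumbprint with spaces, a certificate that was never imported into CurrentUser\My, or a tenantId from a different directory than the one you logged in to. The following PowerShell is an added example, not part of the original post or of the Service Fabric scripts: it checks the values gathered in the steps above before you type them into the portal. The placeholder values and the $TenantIdFromLogin variable are assumptions you fill in from your own output.

```powershell
# Added example: sanity-check the recorded security values before creating the cluster.
# Replace each placeholder with the value you recorded in the steps above.
$CertThumbprint    = "<your-certificate-thumbprint>"
$TenantIdFromLogin = "<tenantID-shown-by-Login-AzureRMAccount>"
$AadConfig = @{
    tenantId           = "<tenantId-from-SetupApplications-output>"
    clusterApplication = "<clusterApplication-from-SetupApplications-output>"
    clientApplication  = "<clientApplication-from-SetupApplications-output>"
}

$problems = @()

# The store reports thumbprints as 40 upper-case hex characters with no spaces;
# a thumbprint copied from certmgr often carries spaces or a hidden leading character.
$thumb = ($CertThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) { $problems += "Thumbprint is not 40 hex characters: '$CertThumbprint'" }

# Connect-ServiceFabricCluster above looks in CurrentUser\My, and client auth needs the private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    $problems += "No certificate with thumbprint $thumb in Cert:\CurrentUser\My"
} else {
    if (-not $cert.HasPrivateKey) { $problems += "Certificate $thumb has no private key; client auth will fail" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate $thumb expires on $($cert.NotAfter)" }
}

# Each value in the azureActiveDirectory block must be a GUID; stray quotes or a
# missing segment from a partial copy/paste are easy to miss in the portal blade.
foreach ($key in @($AadConfig.Keys)) {
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($AadConfig[$key], [ref]$parsed)) {
        $problems += "$key is not a valid GUID: '$($AadConfig[$key])'"
    }
}

# SetupApplications.ps1 must have been run against the same directory you logged in to,
# otherwise the users you assigned Admin/ReadOnly live in a tenant the cluster does not trust.
if ($AadConfig.tenantId -ne $TenantIdFromLogin) {
    $problems += "tenantId in the AAD block ($($AadConfig.tenantId)) differs from the login tenant ($TenantIdFromLogin)"
}

if ($problems.Count -eq 0) {
    Write-Host "All recorded cluster security values look consistent."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it in the same PowerShell session you used for the steps above; any warning it prints points at the value to re-copy before continuing with the portal.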
