VMM 2016 and Network Controller certificate issues

Since near the end of last year I have been blessed with some hardware to test a lot of the new features of Windows Server 2016, System Center 2016 and Azure Stack. Last week I experienced an issue with my Network Controller VMs. In the end it turned out to be more of a VMM issue, I think. But I wanted to share this with the world in case somebody else runs into this issue and googles for nothing, because there is nothing to find about it.

Problem

I did the Network Controller and SLB MUX setup several weeks ago and all was running fine, until all of a sudden I couldn't change anything in VMM anymore. Almost every action I took triggered this error:

Error (21426)
Execution of :: on the configuration provider  failed. Detailed exception: Unable to connect to the network service. Check connection string and network connectivity. Execution of Microsoft.SystemCenter.NetworkService::OpenDeviceConnectionEx on the configuration provider 3e2875a7-5831-4fb2-b388-1672e1c20fee failed. Detailed exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Check the documentation for the configuration provider or contact the publisher support.
Unable to connect to the network service. Check connection string and network connectivity.

Recommended Action
Check the documentation for the configuration provider or contact the publisher support.

Troubleshooting

So I did a bunch of tests and troubleshooting
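The error above is the .NET client on the VMM server refusing the Network Controller's TLS certificate ("invalid according to the validation procedure"), which boils down to two checks: does the certificate chain build against the trust store of the VMM server, and does the name VMM connects to appear in the certificate. The following PowerShell script is an added diagnostic, not code from the original post or from VMM; it reproduces those two checks from the machine where VMM runs. The hostname `nc.contoso.local` is a placeholder, replace it with the Network Controller REST endpoint FQDN registered in VMM.

```powershell
# Added diagnostic (not from the original post). Opens a TLS session to the
# Network Controller REST endpoint and repeats the client-side validation that
# .NET performs: chain build against the local trust store and hostname match.
# Run this on the VMM management server, since that is the trust store that matters.

function Test-RestEndpointCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept everything in the callback so the handshake completes and the
        # certificate can be inspected instead of aborting on the first error.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    # Chain validation against this machine's trust store. Revocation is left
    # out because .NET Framework HTTP clients do not check it by default either.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '

    # Hostname check: the FQDN VMM connects to must be in the SAN (or the CN).
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameOk  = ($dnsName -eq $HostName) -or ($sanText -match [regex]::Escape("DNS Name=$HostName"))

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Thumbprint      = $cert.Thumbprint
        NotBefore       = $cert.NotBefore
        NotAfter        = $cert.NotAfter
        Expired         = (Get-Date) -gt $cert.NotAfter
        ChainValid      = $chainOk
        ChainStatus     = if ($chainStatus) { $chainStatus } else { 'OK' }
        SubjectAltNames = $sanText
        HostNameMatch   = $nameOk
    }
}

# Placeholder endpoint; replace with the NC REST FQDN as registered in VMM.
Test-RestEndpointCertificate -HostName 'nc.contoso.local' | Format-List
```

If `ChainValid` is false, `ChainStatus` names the reason (an untrusted root, an expired certificate in the chain, or a certificate the server presents without its intermediates); if `HostNameMatch` is false, VMM is connecting to a name the certificate was never issued for. Either condition produces exactly the `AuthenticationException` quoted above.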

Read more

Windows Azure Pack Support

Since the announcements and public previews of Microsoft Azure Stack (MAS), everybody, including myself, is talking about and testing with MAS. But the reality is that a lot of companies have invested in Windows Azure Pack and were a little surprised when Microsoft announced before this summer that Windows Azure Pack on Windows Server 2012 R2 is supported until July 2017.

[Screenshot: azurepacksupport]

Several weeks ago Microsoft made another announcement that they will continue to invest in and support Windows Azure Pack (WAP) next to Azure Stack for 11 years! But to use the extended support you need to bring your Azure Pack environment to Windows Server 2016. The MAS release is aimed at the summer of 2017, so very likely there will be a gap between the end of support of WAP on Server 2012 R2 and any publicly available MAS appliances from HP, Dell or Lenovo…

From several customers I received questions about the support statement and what needs to be updated. It turns out this is not that well documented or widely known. As you can see in the screenshot above, it states Windows Azure Pack (on Windows Server 2012 R2) and Windows Azure Pack (on Windows Server 2016). But as we all know, Windows Azure Pack is a solution built on lots of components from the Windows and System Center families.

What to upgrade

As I said before, Windows Azure Pack leans on a lot of Windows features like an Active Directory domain, IIS and Hyper-V, but also on System Center components like VMM and SPF.

Read more

ADFS Federation Service rename with Azure Pack as Relying Party Trust

A week ago I was confronted with an issue with ADFS Forms Based Authentication (FBA) and Windows Azure Pack.

Problem

The environment was set up several months ago for a Proof of Concept of Windows Azure Pack, working only with ADFS and Windows Authentication, because there was no requirement to use FBA and there was also no Web Application Proxy involved. All was working fine, but then the customer decided to set up FBA and a Web Application Proxy. Unfortunately, the Web Application Proxy was not working and kept prompting the FBA login page.

After several hours of troubleshooting the issue was narrowed down to a problem with FBA on the ADFS server. But why was Windows Authentication working and FBA not? To exclude possible Windows Azure Pack/relying party issues I started testing with the https://auth-azure.domain.com/adfs/ls/IdpInitiatedSignon.aspx page.

Eventually it turned out that the Federation Service FQDN had been changed, from https://auth.domain.com to https://auth-azure.domain.com. The rename was not done correctly, and since I had a lot of trouble figuring it out with some colleagues, I decided to write a blog about it.

Solution

So when the ADFS FQDN was renamed from https://auth.domain.com to https://auth-azure.domain.com, the SPN on the ADFS service account was forgotten. The SPN was left on http/auth.domain.org and needed to be changed to http/auth-azure.domain.org.

After this was fixed, I still received logon screens on the FBA page and could not log in. Next problem: the Token-Signing and Token-Decrypting certificates were incorrect. Since there are lots of blogs discussing how to update the token certificates in ADFS I will not discuss this here, but I renewed the Token-Signing and Token-Decrypting certificates. Restarted the ADFS service
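The three steps of the fix above (confirm the farm name, move the `http/` SPN from the old FQDN to the new one, renew the token certificates and restart ADFS) can be checked and applied from one PowerShell session on the ADFS server. The script below is an added example, not code from the original post; it uses the two FQDNs named in the post, while the service account name `svc_adfs` is an assumption you must replace with the sAMAccountName of your own ADFS service account. It assumes the ActiveDirectory RSAT module is installed and that the farm has AutoCertificateRollover enabled for the renewal step.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the ADFS server. FQDNs are the post's; the account is an assumption.
Import-Module ActiveDirectory

$OldFqdn    = 'auth.domain.com'
$NewFqdn    = 'auth-azure.domain.com'
$SvcAccount = 'svc_adfs'           # assumption: sAMAccountName of the ADFS service account

# 1. What does the farm itself think its federation service name is?
$props = Get-AdfsProperties
Write-Host "Federation service hostname: $($props.HostName)"
if ($props.HostName -ne $NewFqdn) {
    Write-Warning "Farm HostName is '$($props.HostName)', expected '$NewFqdn'."
}

# 2. Show the SPNs currently registered on the service account.
$acct = Get-ADUser -Identity $SvcAccount -Properties ServicePrincipalNames
Write-Host 'Current SPNs:'
$acct.ServicePrincipalNames | ForEach-Object { "  $_" }

# 3. Make sure no other account already holds the new SPN; a duplicate SPN
#    breaks Kerberos for both accounts. setspn -Q searches the whole forest.
setspn -Q "http/$NewFqdn"

# 4. Move the SPN from the old name to the new one in a single update.
if (($acct.ServicePrincipalNames -contains "http/$OldFqdn") -and
    ($acct.ServicePrincipalNames -notcontains "http/$NewFqdn")) {
    Set-ADUser -Identity $SvcAccount -ServicePrincipalNames @{
        Remove = "http/$OldFqdn"
        Add    = "http/$NewFqdn"
    }
    Write-Host "SPN moved from http/$OldFqdn to http/$NewFqdn"
}

# 5. Review the token certificates before renewing them.
Get-AdfsCertificate | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ n = 'Subject';  e = { $_.Certificate.Subject } },
    @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } } | Format-Table -AutoSize

# 6. Renew Token-Signing and Token-Decrypting. -Urgent promotes the new
#    certificate to primary immediately instead of after the grace period.
if ($props.AutoCertificateRollover) {
    Update-AdfsCertificate -CertificateType Token-Signing    -Urgent
    Update-AdfsCertificate -CertificateType Token-Decrypting -Urgent
}
else {
    Write-Warning 'AutoCertificateRollover is off; replace the token certificates manually.'
}

# 7. Restart ADFS so the new SPN and certificates are picked up.
Restart-Service adfssrv
```

Renewing the signing certificate changes what ADFS signs tokens with, so every relying party that trusts this farm, the Azure Pack admin and tenant authentication sites included, has to pick up the new federation metadata before it will accept tokens again.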

Read more