Configure Active Directory Federation Services for Windows Azure Pack

Applies To: Windows Azure Pack

By default, Windows Azure Pack for Windows Server uses the following authentication.

Service                                 Default authentication
Management portal for administrators    Windows authentication
Management portal for tenants           ASP.NET membership provider

Instead of using these default authentication types, you also have the option to configure Windows Azure Pack to use Windows Azure Active Directory Federation Services (AD FS) for authentication, as described in the following steps. This option requires Windows Server 2012 R2.

If you want to switch back to the default authentication, see Switch back to the default Windows Azure Pack authentication sites.

Note

The following information assumes that you do not already have AD FS configured in your environment. If you have AD FS configured, you can skip the first step and proceed directly to Configure AD FS to trust the management portals.

  1. Configure AD FS

  2. Configure the management portals to trust AD FS

  3. Configure the tenant authentication site to trust AD FS

  4. Configure AD FS to trust the management portals

Best practices

Review the following best practices before you configure AD FS.

  • The format of the group names that the AD FS installation issues in claims must match the format that is entered in the management portal UI. The prescribed format for adding AD groups as co-administrators is domain\alias.

  • The subscription owner should be an individual user and not a group.

  • It is generally a good practice to use an email address as the unique identifier. Custom claims generators allow a GUID or other unique identifiers, but their use complicates adding co-administrators or adding individual users and should generally be avoided.

  • By default, AD FS sets a cookie on the client to remember the user’s selection of authentication method (home realm discovery, HRD). You can disable this behavior by running the following AD FS Windows PowerShell cmdlet:

    Set-ADFSWebConfig -HRDCookieEnabled $false

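As an added example that is not part of this page, the following PowerShell applies the best practices above on the AD FS server: it registers a management portal as a relying party trust, issues the UPN as the user identifier and group claims in domain\alias form, and disables the HRD cookie. It assumes the ADFS PowerShell module on Windows Server 2012 R2; the portal display name and federation metadata URL are placeholders.

```powershell
# Added example, not from the Microsoft page. Assumes the ADFS module on Windows Server 2012 R2.
Import-Module ADFS

# Placeholders: replace with the display name and federation metadata URL of the portal
# being configured (the exact URL comes from the portal trust configuration, not this page).
$PortalName        = 'Windows Azure Pack Management Portal (placeholder)'
$PortalMetadataUrl = 'https://<portal-fqdn>:<port>/FederationMetadata/2007-06/FederationMetadata.xml'

# Claim rules in the AD FS claim rule language. The UPN (an email-style value rather than
# a GUID) is issued as the user identifier, and group membership is queried with
# tokenGroups(domainQualifiedName) so every group claim is in the form DOMAIN\alias,
# which is the format the portal expects when adding groups as co-administrators.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Issue UPN and domain-qualified group claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://schemas.xmlsoap.org/claims/Group"),
          query = ";userPrincipalName,tokenGroups(domainQualifiedName);{0}",
          param = c.Value);
'@

# Authorization rule: permit authenticated users. Narrow this to a specific group claim
# if only a subset of the directory should be able to reach the portal.
$AuthorizationRules = @'
@RuleName = "Permit authenticated users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Register the portal as a relying party only if it is not already present.
if (-not (Get-AdfsRelyingPartyTrust -Name $PortalName)) {
    Add-AdfsRelyingPartyTrust -Name $PortalName -MetadataUrl $PortalMetadataUrl `
        -IssuanceTransformRules $IssuanceRules `
        -IssuanceAuthorizationRules $AuthorizationRules `
        -EnableJWT $true
}

# Do not persist the user's home realm discovery choice in a browser cookie, then verify.
Set-AdfsWebConfig -HRDCookieEnabled $false
if ((Get-AdfsWebConfig).HRDCookieEnabled) {
    throw 'HRDCookieEnabled is still true; check that the AD FS service is running and retry.'
}
```

Run it in an elevated PowerShell session on the AD FS server; the relying party trust is created only once, so the script is safe to re-run after a configuration change.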
For more information about the deployment and maintenance of an AD FS farm, visit the Active Directory Federation Services Overview.