By default, Windows Azure Pack for Windows Server uses the following authentication.
Service | Default authentication
Management portal for administrators | Windows authentication
Management portal for tenants | ASP.NET membership provider
Instead of using these default authentication types, you also have the option to configure Windows Azure Pack to use Windows Azure Active Directory Federation Services (AD FS) for authentication as described in the following steps.
Note: The following information assumes that you do not already have AD FS configured in your environment. If you have AD FS configured, you can skip the first step and proceed directly to Configure AD FS to trust the management portals.
2. Configure the management portals to trust AD FS
3. Configure the tenant authentication site to trust AD FS
4. Configure AD FS to trust the management portals
Review the following best practices before you configure AD FS.
· The format of the user group names provided by the AD FS installation should match the format that is entered in the management portal UI. The prescribed format for adding AD groups as co-administrators is domain\alias.
· The subscription owner should be an individual user and not a group.
· It is generally a good practice to use an email address as the unique identifier. Custom claims generators allow a GUID or another unique identifier, but using one complicates adding co-administrators or individual users and should generally be avoided.
· By default, AD FS sets a cookie on the client to remember the user's selected authentication method. You can disable this behaviour by running the following AD FS Windows PowerShell cmdlet:
Set-ADFSWebConfig -HRDCookieEnabled $false
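The script below is an added example, not configuration from the original page, showing one way to apply the first three practices on the AD FS side: it issues the user's email address as the identifier claim and AD group names in domain\alias form. It assumes a relying party trust for a management portal already exists under the placeholder name shown, that the portal is configured to consume the email claim as the user identifier, and it relies on the standard AD FS claim type URIs and the Active Directory attribute-store mapping tokenGroups(domainQualifiedName).

```powershell
# Added example (not from the original page). Issuance transform rules for an AD FS relying party
# trust: email address as the unique identifier, groups issued as domain\alias so they match what
# is typed into the management portal UI when adding co-administrators.
$rpTrustName = "<RELYING-PARTY-TRUST-NAME>"   # placeholder: name of the portal's trust in AD FS

# Standard AD FS claim type URIs (from the built-in claim descriptions).
$winAccount = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
$groupClaim = "http://schemas.xmlsoap.org/claims/Group"

# One LDAP rule: look up the authenticated Windows account and issue its mail attribute plus its
# token groups qualified by domain name (DOMAIN\group), which is the domain\alias format.
$rules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Email as identifier, domain-qualified groups"
c:[Type == "$winAccount", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim", "$groupClaim"), query = ";mail,tokenGroups(domainQualifiedName);{0}", param = c.Value);
"@

# Replace the trust's issuance transform rules with the rule set above.
Set-AdfsRelyingPartyTrust -TargetName $rpTrustName -IssuanceTransformRules $rules

# Read back and confirm the group mapping is the domain-qualified one; a rule that used plain
# tokenGroups would issue bare group names that never match the domain\alias entries in the UI.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpTrustName).IssuanceTransformRules
if ($applied -notmatch 'tokenGroups\(domainQualifiedName\)') {
    Write-Warning "Trust '$rpTrustName' does not issue domain-qualified group names."
}

# The HRD cookie setting is farm-wide, not per trust; confirm its value after the
# Set-ADFSWebConfig command above has been run.
(Get-AdfsWebConfig).HRDCookieEnabled
```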