Hi Marbry,
Thank you for the clear description of your standalone Service Fabric cluster configuration question. This is a common point of confusion when mixing Windows credential type with HTTPS requirements for Service Fabric Explorer and the management API.
- WindowsIdentities (under the security section) controls authentication and authorization — it defines which domain accounts or gMSA identities can connect to the cluster and which have admin rights.
- The TLS/HTTPS layer for the management endpoint (port 19080) and Service Fabric Explorer is handled separately by the server certificate.
- You do not need to use only HTTP. HTTPS is fully supported (and recommended for production) even when ClusterCredentialType is set to Windows.
- The CertificateInformation section is used only when a credential type is X509. When using Windows security you configure the HTTPS certificate differently — specifically by setting ServerCredentialType to X509 and placing the server certificate details in the appropriate location in ClusterConfig.JSON. This keeps the two concerns cleanly separated.
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-windows-cluster-x509-security
Steps to work on
- Open your ClusterConfig.JSON file (the one you use with CreateServiceFabricCluster.ps1 or TestConfiguration.ps1).
- In the top-level security section, configure it like this (mixed credential types are fully supported):
```json
"security": {
  "ClusterCredentialType": "Windows",
  "ServerCredentialType": "X509",
  "WindowsIdentities": {
    "ClusterIdentity": "domain\\machinegroup",
    "ClientIdentities": [
      { "Identity": "domain\\username", "IsAdmin": true }
    ]
  },
  "CertificateInformation": {
    "ServerCertificate": {
      "Thumbprint": "your-server-cert-thumbprint-here",
      "X509StoreName": "My",
      "X509StoreLocation": "LocalMachine"
    }
  }
}
```
(Instead of ClusterIdentity you can use ClustergMSAIdentity plus ClusterSPN.)
- Make sure the server certificate (with the private key) is installed in the Local Computer \ Personal store on every node in the cluster, and that the NETWORK SERVICE account has read access to the private key.
- Validate and deploy/upgrade the configuration:
```powershell
.\TestConfiguration.ps1 -ClusterConfigFilePath .\ClusterConfig.JSON
.\CreateServiceFabricCluster.ps1 -ClusterConfigFilePath .\ClusterConfig.JSON -AcceptEULA
```
- After the cluster is up, access Service Fabric Explorer using HTTPS on port 19080. The connection will be TLS-secured by the server certificate you just configured, while authentication and admin rights continue to be enforced via your Windows identities.
This approach gives you the best of both worlds: Windows-based authentication (no client certificates required) + proper TLS encryption for all management traffic and Explorer.
If you run into any validation errors during TestConfiguration or deployment, feel free to reply here with the exact error.
Thanks,
Manish.
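The step in the answer above that most often fails silently is the per-node certificate prerequisite: the server certificate must be in LocalMachine\My with its private key on every node, and NETWORK SERVICE must be able to read that key, or the 19080 endpoint will not come up over HTTPS. The following script is an added example, not part of the original answer or of the Service Fabric setup package. It reads the thumbprint and the node list from ClusterConfig.JSON, checks each node, and (with -GrantAccess) adds the missing read ACE. Assumptions, not stated on the page: the security section sits at properties.security as in the standalone sample configs (a top-level section is also tolerated), node addresses are in each node's iPAddress field, the key is machine-scoped so its container file is under ProgramData\Microsoft\Crypto, and PowerShell remoting is enabled on the remote nodes.

```powershell
# Added example (not the original answer's code): pre-flight check of the HTTPS
# server certificate on every cluster node listed in ClusterConfig.JSON.
# Run from an elevated PowerShell on the deployment machine before TestConfiguration.ps1.
[CmdletBinding()]
param(
    [string]$ClusterConfigPath = ".\ClusterConfig.JSON",
    [switch]$GrantAccess   # without this switch the script only reports, it changes nothing
)

$config   = Get-Content -Raw -Path $ClusterConfigPath | ConvertFrom-Json
$security = $config.properties.security          # assumption: standalone-config layout
if (-not $security) { $security = $config.security }   # tolerate a top-level section

if ($security.ServerCredentialType -ne 'X509') {
    throw "ServerCredentialType is '$($security.ServerCredentialType)'; HTTPS on 19080 needs X509."
}
$thumbprint = ($security.CertificateInformation.ServerCertificate.Thumbprint -replace '\s', '').ToUpperInvariant()
if ($thumbprint -notmatch '^[0-9A-F]{40}$') {
    throw "ServerCertificate.Thumbprint '$thumbprint' is not a SHA-1 thumbprint (placeholder left in?)"
}
# Node addresses come from the same file, so exactly the cluster members are checked.
$nodes = $config.nodes | ForEach-Object { $_.iPAddress } | Select-Object -Unique

$check = {
    param($Thumbprint, $Grant)
    $r = [ordered]@{ Node = $env:COMPUTERNAME; Found = $false; HasPrivateKey = $false
                     Expired = $null; NetworkServiceRead = $false; KeyFile = $null; Error = $null }
    try {
        $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
        $r.Found = $true
        $r.HasPrivateKey = $cert.HasPrivateKey
        $r.Expired = $cert.NotAfter -lt (Get-Date)
        if (-not $cert.HasPrivateKey) { return [pscustomobject]$r }

        # Resolve the key container file. CAPI keys expose CspKeyContainerInfo and live
        # under RSA\MachineKeys; CNG keys expose Key.UniqueName and live under Keys.
        $keyName = $null
        if ($cert.PrivateKey) {
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        } else {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
        }
        $keyFile = @("$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
                     "$env:ProgramData\Microsoft\Crypto\Keys\$keyName") |
                   Where-Object { $keyName -and (Test-Path -LiteralPath $_) } | Select-Object -First 1
        $r.KeyFile = $keyFile
        if (-not $keyFile) { $r.Error = 'private key file not found (user-scoped or non-RSA key?)'; return [pscustomobject]$r }

        # NETWORK SERVICE is the well-known SID S-1-5-20; match on the SID, not the localized name.
        $acl  = Get-Acl -LiteralPath $keyFile
        $sid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-20'
        $read = [System.Security.AccessControl.FileSystemRights]::Read
        $hasRead = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
            (($_.FileSystemRights -band $read) -eq $read)
        }
        if (-not $hasRead -and $Grant) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'Read', 'Allow')))
            Set-Acl -LiteralPath $keyFile -AclObject $acl
            $hasRead = $true
        }
        $r.NetworkServiceRead = [bool]$hasRead
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

$results = foreach ($node in $nodes) {
    if ($node -in @('localhost', '127.0.0.1', $env:COMPUTERNAME)) {
        & $check $thumbprint $GrantAccess.IsPresent
    } else {
        Invoke-Command -ComputerName $node -ScriptBlock $check -ArgumentList $thumbprint, $GrantAccess.IsPresent
    }
}
$results | Format-Table Node, Found, HasPrivateKey, Expired, NetworkServiceRead, KeyFile, Error -AutoSize
$bad = $results | Where-Object { -not ($_.Found -and $_.HasPrivateKey -and -not $_.Expired -and $_.NetworkServiceRead) }
if ($bad) { Write-Error "Server certificate prerequisites are not met on $($bad.Count) node(s)."; exit 1 }
```

Run it once without -GrantAccess to see the state of every node, then with -GrantAccess to add the missing read permission; a non-zero exit means TestConfiguration.ps1 or the cluster's HTTPS endpoint is likely to fail on the nodes listed. Matching on the S-1-5-20 SID rather than the string "NETWORK SERVICE" keeps the check correct on non-English Windows installs; an ACE granting only generic rights would not be recognized by the bitwise test, in which case the script reports a false negative rather than assuming access.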